add-IPsecExternal

[JoshSalomon]

Add api to enable/disable extern (NS) ipsec. The feature (NS ipsec) is in TR in 4.14, and in 4.15 we provide API for simple enablement (in 4.14 the enablement is awkward with no clear API

[openshift-ci]

Hello @JoshSalomon! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[yuvalk]

/retest

[yuvalk]

The generated files for this change

can you reword the commit msg title, so it'll reference the other commit?
otherwise "this change" is ambiguous

[yuvalk]

we might consider making it a flag not config like
IPsecHostEnable (with true/false possible values)

not 100% sure what's the best practice here though

[JoelSpeed]

You're using the presence of the struct to enable the external ipsec? Would prefer to have an enum with the struct with an enum defining the state.

Does this field have any interactions with other fields within this configuration? Eg must I not specify some other fields when this field is specified?

Given you're adding a struct, do you expect there to be additional configuration in the future for this feature?

[yuvalk]

This is following the exact same pattern as the above IPsecConfig..

there is no interaction with other fields at the API level. the implementation will take care of all the relevant cases, mainly around the interaction between IPsecConfig and IPsecExternal (but they are both independent of each other on the API level)

and yes, it gives us the opportunity to add more config options in the future, without changing the API
see my comment - #1667 (comment)

[JoshSalomon]

@yuvalk - Does it make sense to put in this struct (in the future) reference to nmstate configuration to be used for the ipsec configuration. (name of the nmstate CRD?)

[JoelSpeed]

This is following the exact same pattern as the above IPsecConfig..

That API was merged 3 years ago, and API guidance has changed over time as we learn about prior mistakes. The Network resource is considered to be a configuration API. Where we prefer discoverability. To enable discoverability, we implement a few rules, eg, avoiding pointers and omitempty where possible.

Current guidance would suggest that this field should be

IPSecExternal IPSecExternal `json:"ipsecExternal"`

And the struct should contain a field

// +kubebuilder:validation:Enum="";Enabled;Disabled
// +kubebuilder:validation:Required
State IPSecExteranlState `json:"state"`

That said, looking at this, why is IPSecConfig and IPSecExternal not mutually exclusive.

there is no interaction with other fields at the API level. the implementation will take care of all the relevant cases, mainly around the interaction between IPsecConfig and IPsecExternal (but they are both independent of each other on the API level)

I'm interested in the behaviour that the operator will take care of, not just the interactions at the API level that we have defined so far. Given my question about not being mutually exclusive, I think understanding what the operator does might help here.

[yuvalk]

the names might be misleading
IPSecConfig - the old one. is used to enable/disable East-West IPsec
IPSecExternal - the new one, is used to enable/disable North-South IPsec

both will first deploy a MC to enable the host ipsec extension (ie - install libreswan and enable ipsec.service)
E-W is also running a DS that runs ovs ipsec monitor (used to configre ipsec policies between nodes)
N-S wont do anything else (beside the mentioned MC). ie - configuration is on the customer

there's also logic that handles upgrades etc.

openshift/enhancements#1453

[JoelSpeed]

Do you think we could make that clearer in the godoc, since I bet most people won't understand. How would you explain the north-south and east-west in laymans terms for the godoc? I think we probably want to update the documentation on both fields here to make it obvious where the traffic goes based on these two ipsec configurations

[JoshSalomon]

@JoelSpeed @yuvalk I am going to fix this, but I wonder if making this mandatory is not creating bw compatibility so that exiting yaml files will not work anymore. Shouldn't we make it optional with disabled value and remove the omitempty for discoverability?

[yuvalk]

IPSecExternal IPSecExternal json:"ipsecExternal"

@JoelSpeed does this means there is no default and it'll have to be specified at install time? (ie installer also need to change, and any place where even customer is injecting network config)

[JoelSpeed]

In situations such as this, we normally create an alias for the empty string, so that the empty string has the same meaning, in this case, as disabled.

[JoshSalomon]

@JoelSpeed - I made all the changes and tested them as much as I can, I hope it is OK now.

[JoshSalomon]

The generated files for this change

can you reword the commit msg title, so it'll reference the other commit? otherwise "this change" is ambiguous

Done

[yuvalk]

maybe something like this is better:

diff --git a/operator/v1/types_network.go b/operator/v1/types_network.go
index 52e9d53f..c98506f6 100644
--- a/operator/v1/types_network.go
+++ b/operator/v1/types_network.go
@@ -440,6 +440,11 @@ type OVNKubernetesConfig struct {
        // cluster.
        // +optional
        IPsecConfig *IPsecConfig `json:"ipsecConfig,omitempty"`
+       // ipsecExtern enables external (North-South). this will only install IPsec and
+       // enable it's service. the actuall NS IPsec policies should be specified by
+       // users. this can be done with k8s-nmstate operator.
+       // +optional
+       IPsecExternal IPsecExternal `json:"ipsecExternal"`
        // policyAuditConfig is the configuration for network policy audit events. If unset,
        // reported defaults are used.
        // +optional
@@ -480,6 +485,12 @@ type HybridOverlayConfig struct {
 type IPsecConfig struct {
 }
 
+type IPsecExternal struct {
+       // +kubebuilder:validation:Enum="";Enabled;Disabled
+       // +kubebuilder:validation:Required
+       State string `json:"state"`
+}
+
 type IPForwardingMode string
 
 const (

[JoelSpeed]

@yuvalk suggestion is what I was imagining. You could if you prefer, instead of the empty string use a default to default the value to Disabled

[yuvalk]

deafault=Disabled, means we can remove the empty string "" option

[JoshSalomon]

This didn't work for me when the cluster starts. Somehow even with this default during the installation I got an error that value "" is not supported.

[yuvalk]

not sure which didnt work
the default setting?
or the ""

assuming default works, I'm saying you can remove the ""..

[JoshSalomon]

even with default=disabled, I got an error that "" is not supported. I am not sure how this works, but since the object is mandatory and is created by the system and not by the user, is is created with a value of "". My suggestion is that in the operator we will change "" to Disabled so for discoverability we will see only enable or disable but on the yaml file empty string is acceptable as valid input.

[yuvalk]

also from here

[JoshSalomon]

I am not sure this can be removed if the enum includes an empty string (I just don't know, I am not sure that giving a name to an empty string is a good idea, but hit is currently a valid value in the enum.

[JoshSalomon]

/retest

[JoelSpeed]

To use a default the field must be optional and have omitempty in the json tag, if you update this then you can remove the empty string case

You also need a second tag, since multiple tools rely on different tags for understanding the defaults

// + default:=Disabled

[JoshSalomon]

I had to play with the syntax but it seems that // +default="Disabled" does the trick and generates the correct openapi.json file. As far as I tested now everything works, and retrieving the CRD immediately after reboot before any change shows this:

    defaultNetwork:
      ovnKubernetesConfig:
        egressIPConfig: {}
        gatewayConfig:
          ipv4: {}
          ipv6: {}
          routingViaHost: false
        genevePort: 6081
        ipsecExternal:
          state: Disabled
        mtu: 1400

I hope everything is OK now ;-)

[JoelSpeed]

Comments should start with the JSON tag name.

I'd appreciate if you could expand the documentation on this field, please review the API conventions on writing good godocs and expand this with relevant information.

[yuvalk]

@JoshSalomon I think it' will aslo be nice if you add at least the following test:

diff --git a/operator/v1/stable.network.testsuite.yaml b/operator/v1/stable.network.testsuite.yaml
index 698e4bf4..bac7f67c 100644
--- a/operator/v1/stable.network.testsuite.yaml
+++ b/operator/v1/stable.network.testsuite.yaml
@@ -227,4 +227,22 @@ tests:
               ipv6:
                 internalMasqueradeSubnet: "abcd:ef01:2345:6789:abcd:ef01:2345::/125"
     expectedError: "Invalid value: \"string\": a valid IPv6 address must contain 8 segments unless elided (::), in which case it must contain at most 6 non-empty segments"
-    
\ No newline at end of file
+  - name: Should have state disabled by default when specifiying north-south IPsec
+    initial: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec:
+       defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecExternal: {}
+    expected: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec:
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecExternal:
+              state: Disabled
+        disableNetworkDiagnostics: false
+        logLevel: Normal
+        operatorLogLevel: Normal

might also want to add a test for state: Enabled

and you can run just this test locally with: GINKGO_EXTRA_ARGS="--focus ipsec" make integration

[JoelSpeed]

Just need to drop this mention of omitted and we are good to merge

[JoelSpeed]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed, JoshSalomon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yuvalk]

/retest

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c7a2d3b and 2 for PR HEAD 0e619cd in total

[yuvalk]

/cherry-pick release-4.15

[openshift-cherrypick-robot]

@yuvalk: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 7b0f600 and 1 for PR HEAD 0e619cd in total

[openshift-ci]

@JoshSalomon: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-cherrypick-robot]

@yuvalk: new pull request created: #1719

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cluster-config-api-container-v4.16.0-202401090832.p0.g355cd25.assembly.stream for distgit ose-cluster-config-api.
All builds following this will include this PR.