Implement IPsec NAT-Traversal encapsulation option

pperiyasamy · pperiyasamy · commit 50899e25277c · 2025-04-03T17:32:35.000+02:00
This commit consumes configuration parameters for the IPsec `Full`
mode, it currently has encapsulation option to configure OVN so
that inter pod traffic across node are encapsulated to handle NAT
traversal. So it implements the following.

1. When the encapsulation option is set with "Always", then enforce NAT-T
encapsulation on the OVN.
2. When the encapsulation option is set with "Auto" or the config option
for full mode is never set, then it continues to render the "auto" option
for NAT-T encapsulation.
3. On the IBMCloud platform, NAT-T encapsulation is always enforced.

Signed-off-by: Periyasamy Palanisamy &lt;pepalani@redhat.com&gt;
diff --git a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -326,8 +326,15 @@ data:
       local ipsec_encapsulation=false
 {{ if .OVNIPsecEnable }}
       ipsec=true
+      # Check for rendered IPsec encapsulation type, if it's set with "Always",
+      # then force NAT-T encapsulation option on the OVN.
+{{ if eq .OVNIPsecEncap "Always" }}
+      ipsec_encapsulation=true
+{{ end }}
       # IBMCloud does not forward ESP (IP proto 50)
       # Instead, force IBMCloud IPsec to always use NAT-T
+      # So for IBMCloud, NAT-T will be set irrespective of whatever
+      # value set in the .OVNIPsecEncap parameter.
       if [ "{{.PlatformType}}" == "IBMCloud" ]; then
         ipsec_encapsulation=true
       fi
diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go
@@ -293,6 +293,10 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 	data.Data["OVNIPsecDaemonsetEnable"] = OVNIPsecDaemonsetEnable
 	data.Data["OVNIPsecEnable"] = OVNIPsecEnable
 	data.Data["IPsecServiceCheckOnHost"] = renderIPsecHostDaemonSet && renderIPsecContainerizedDaemonSet
+	data.Data["OVNIPsecEncap"] = operv1.EncapsulationAuto
+	if OVNIPsecEnable && c.IPsecConfig.Full != nil {
+		data.Data["OVNIPsecEncap"] = c.IPsecConfig.Full.Encapsulation
+	}
 
 	klog.V(5).Infof("IPsec: is MachineConfig enabled: %v, is East-West DaemonSet enabled: %v", data.Data["IPsecMachineConfigEnable"], data.Data["OVNIPsecDaemonsetEnable"])
 
