Merge pull request #2573 from pperiyasamy/ipsec-nat-t-feature

openshift-merge-bot[bot] · web-flow · commit 558108a68764 · 2025-04-24T14:52:08.000Z
OCPBUGS-40906: Implement IPsec NAT-Traversal encapsulation option
diff --git a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -326,8 +326,15 @@ data:
       local ipsec_encapsulation=false
 {{ if .OVNIPsecEnable }}
       ipsec=true
+      # Check for rendered IPsec encapsulation type, if it's set with "Always",
+      # then force NAT-T encapsulation option on the OVN.
+{{ if eq .OVNIPsecEncap "Always" }}
+      ipsec_encapsulation=true
+{{ end }}
       # IBMCloud does not forward ESP (IP proto 50)
       # Instead, force IBMCloud IPsec to always use NAT-T
+      # So for IBMCloud, NAT-T will be set irrespective of whatever
+      # value set in the .OVNIPsecEncap parameter.
       if [ "{{.PlatformType}}" == "IBMCloud" ]; then
         ipsec_encapsulation=true
       fi
diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go
@@ -293,6 +293,10 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 	data.Data["OVNIPsecDaemonsetEnable"] = OVNIPsecDaemonsetEnable
 	data.Data["OVNIPsecEnable"] = OVNIPsecEnable
 	data.Data["IPsecServiceCheckOnHost"] = renderIPsecHostDaemonSet && renderIPsecContainerizedDaemonSet
+	data.Data["OVNIPsecEncap"] = operv1.EncapsulationAuto
+	if OVNIPsecEnable && c.IPsecConfig.Full != nil {
+		data.Data["OVNIPsecEncap"] = c.IPsecConfig.Full.Encapsulation
+	}
 
 	klog.V(5).Infof("IPsec: is MachineConfig enabled: %v, is East-West DaemonSet enabled: %v", data.Data["IPsecMachineConfigEnable"], data.Data["OVNIPsecDaemonsetEnable"])
 
