
OCPBUGS-33573: ztp: IPsec: configure local gateway mode #1901

Conversation

sabinaaledort
Contributor

For IPsec support for encrypting traffic to external hosts, the OVN-Kubernetes network plugin must be configured in local gateway mode.

@openshift-ci openshift-ci bot requested review from kenyis and sakhoury May 13, 2024 06:43
@sabinaaledort sabinaaledort changed the title ztp: IPsec: configure local gateway mode OCPBUGS-33573: ztp: IPsec: configure local gateway mode May 13, 2024
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels May 13, 2024
@openshift-ci-robot
Collaborator

@sabinaaledort: This pull request references Jira Issue OCPBUGS-33573, which is invalid:

  • expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

For IPsec support for encrypting traffic to external hosts OVN-Kubernetes network plugin must be configured in local gateway mode

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 13, 2024
@sabinaaledort
Contributor Author

/jira refresh

@openshift-ci-robot
Collaborator

@sabinaaledort: This pull request references Jira Issue OCPBUGS-33573, which is invalid:

  • expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sabinaaledort
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 13, 2024
@openshift-ci-robot
Collaborator

@sabinaaledort: This pull request references Jira Issue OCPBUGS-33573, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yliu127

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from yliu127 May 13, 2024 07:45
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 15, 2024
For IPsec support for encrypting traffic to external hosts
OVN-Kubernetes network plugin must be configured in local
gateway mode
@sabinaaledort sabinaaledort force-pushed the configure_local_gateway_mode branch from edda7d7 to eb163a2 Compare May 15, 2024 17:38
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 15, 2024
@yuvalk
Member

yuvalk commented May 16, 2024

For IPsec support for encrypting traffic to external hosts OVN-Kubernetes network plugin must be configured in local gateway mode

Are you sure about that?
From our tests with OCP QE, it works very well in both modes.

@sabinaaledort
Contributor Author

For IPsec support for encrypting traffic to external hosts OVN-Kubernetes network plugin must be configured in local gateway mode

are you sure about that? from our tests with OCP QE, it works very well in both modes.

Does OCP QE have a test that sends packets over the IPsec tunnel from a pod? Both @bradyallenjohnson and I
tested it, and this is required; it is also a prerequisite in the docs: https://docs.openshift.com/container-platform/4.15/networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.html#nw-ovn-ipsec-north-south-enable_configuring-ipsec-ovn
Please see the bug https://issues.redhat.com/browse/OCPBUGS-33573

@yuvalk
Member

yuvalk commented May 28, 2024

@lack / @imiller0
I'm quite surprised this is not set anywhere else.
I thought RAN is using LGW only.

@lack
Member

lack commented May 30, 2024

Are there any other consequences to this change that we should document for end users (or us engineers that don't know a lot about the different routing modes)?

@bradyallenjohnson

bradyallenjohnson commented May 31, 2024

Are there any other consequences to this change that we should document for end users (or us engineers that don't know a lot about the different routing modes)?

I thought there might be performance impacts. This should be very easy to confirm. @hnhan ([email protected]) can you confirm this?
If we need to IPSec encrypt egress packets from workloads, then Local GW mode is the only way.

@yuvalk
Member

yuvalk commented Jun 10, 2024

Are there any other consequences to this change that we should document for end users (or us engineers that don't know a lot about the different routing modes)?

In SGW, network traffic from OVS does not go through the kernel (what is considered "offloading"):
pod---->br-int--->br-ex---->physical nic
In LGW, all traffic goes through the kernel TCP/IP stack and is subject to its routing:
pod -->br-int-->ovn-k8s-mp0---kernel route to ipsec tunnel--->physical nic

So LGW is subject to the kernel TCP/IP stack in general and kernel IP routing in particular, which
allows much, much more flexibility and utilizing the full networking feature set of the kernel (bonding, etc.). One of the major benefits is probably routing between the primary NIC and secondary NICs, which is not available in SGW.
Having said all that, which is nice to know, I don't think we need to document that, and LGW/SGW are well documented in the official OCP networking documents (pretty well?).

And though it might come with a CPU overhead price, I think that for RAN, for the primary NIC, that is negligible (the primary NIC speed is low anyhow),
which is why I believe we should separately discuss moving to LGW across the board for all deployments. It'll be much easier for Telco 5G in general (one less mode to worry about).

In any case, this specific PR is targeting IPsec envs only, that already agreed to have additional CPU, and that is how they are tested (in LGW), so I don't see any risk here.

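The prerequisite argued for in the two comments above (IPsec to external hosts requires OVN-Kubernetes local gateway mode), expressed as a lint over the Network operator CR that a ZTP policy would patch. This is an added example, not code from this PR or from the openshift-kni project. The field paths `spec.defaultNetwork.ovnKubernetesConfig.gatewayConfig.routingViaHost` and `spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode` are the `network.operator.openshift.io/v1` API; the sample CR is constructed for the example, and treating a legacy empty `ipsecConfig: {}` (the pre-4.15 form with no `mode`) as "IPsec enabled" is an assumption made here.

```python
"""Lint a Network operator CR for the IPsec north-south prerequisite:
traffic to external hosts can only be IPsec-encrypted when OVN-Kubernetes
runs in local gateway mode, i.e. gatewayConfig.routingViaHost is true.

Added example, not code from the PR or the openshift-kni project.
"""
import json
from typing import Any

# ipsecConfig.mode values that cover north-south (external host) traffic.
NORTH_SOUTH_MODES = {"External", "Full"}

GATEWAY_FIELD = "spec.defaultNetwork.ovnKubernetesConfig.gatewayConfig.routingViaHost"


def _dig(obj: Any, *path: str) -> Any:
    """Return obj[path[0]][path[1]]..., or None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def ipsec_north_south_enabled(cr: dict) -> bool:
    """True when the CR enables IPsec for traffic to external hosts.

    Assumption: a legacy empty `ipsecConfig: {}` (no `mode` key) is treated
    conservatively as enabled, so the gateway check still runs for it.
    """
    ipsec = _dig(cr, "spec", "defaultNetwork", "ovnKubernetesConfig", "ipsecConfig")
    if ipsec is None:
        return False
    mode = ipsec.get("mode") if isinstance(ipsec, dict) else None
    if mode is None:
        return True
    return mode in NORTH_SOUTH_MODES


def local_gateway_mode(cr: dict) -> bool:
    """True only when routingViaHost is explicitly true (shared gateway is the default)."""
    return _dig(cr, "spec", "defaultNetwork", "ovnKubernetesConfig",
                "gatewayConfig", "routingViaHost") is True


def lint(cr: dict) -> list[str]:
    """Return findings; an empty list means the prerequisite holds or is not needed."""
    findings = []
    if ipsec_north_south_enabled(cr) and not local_gateway_mode(cr):
        findings.append(
            "IPsec to external hosts is enabled but OVN-Kubernetes is in shared "
            f"gateway mode; set {GATEWAY_FIELD}: true"
        )
    return findings


# Constructed sample CR: IPsec Full mode with the default shared gateway mode.
SGW_IPSEC_CR = json.loads("""
{
  "apiVersion": "operator.openshift.io/v1",
  "kind": "Network",
  "metadata": {"name": "cluster"},
  "spec": {
    "defaultNetwork": {
      "type": "OVNKubernetes",
      "ovnKubernetesConfig": {
        "ipsecConfig": {"mode": "Full"},
        "gatewayConfig": {"routingViaHost": false}
      }
    }
  }
}
""")


def with_local_gateway(cr: dict) -> dict:
    """Return a copy of the CR patched the way this PR's ZTP policy does."""
    fixed = json.loads(json.dumps(cr))  # deep copy via JSON round-trip
    ovn = fixed["spec"]["defaultNetwork"]["ovnKubernetesConfig"]
    ovn.setdefault("gatewayConfig", {})["routingViaHost"] = True
    return fixed


if __name__ == "__main__":
    for name, cr in (("shared gateway", SGW_IPSEC_CR),
                     ("local gateway", with_local_gateway(SGW_IPSEC_CR))):
        print(name, "->", lint(cr) or ["ok"])
```

On a live cluster the same CR can be fed to `lint` from `oc get network.operator.openshift.io cluster -o json`, and the single field can be read directly with `oc get network.operator.openshift.io cluster -o jsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.gatewayConfig.routingViaHost}'`; an empty result means the default (shared) gateway mode.
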
@lack
Member

lack commented Jun 10, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 10, 2024
@lack
Member

lack commented Jun 10, 2024

/override ci/prow/e2e-aws-ran-profile

Contributor

openshift-ci bot commented Jun 10, 2024

@lack: Overrode contexts on behalf of lack: ci/prow/e2e-aws-ran-profile

In response to this:

/override ci/prow/e2e-aws-ran-profile

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@yuvalk
Member

yuvalk commented Jun 11, 2024

/approve

Contributor

openshift-ci bot commented Jun 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sabinaaledort, yuvalk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 11, 2024
@yuvalk
Member

yuvalk commented Jun 11, 2024

/cherry-pick release-4.16

@openshift-cherrypick-robot

@yuvalk: once the present PR merges, I will cherry-pick it on top of release-4.16 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.16

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot openshift-merge-bot bot merged commit 70c71c0 into openshift-kni:master Jun 11, 2024
6 checks passed
@openshift-ci-robot
Collaborator

@sabinaaledort: Jira Issue OCPBUGS-33573: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-33573 has been moved to the MODIFIED state.

In response to this:

For IPsec support for encrypting traffic to external hosts OVN-Kubernetes network plugin must be configured in local gateway mode

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-cherrypick-robot

@yuvalk: new pull request created: #1933

In response to this:

/cherry-pick release-4.16

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.