Merge pull request #27911 from jboxman/OSDOCS-1491

OSDOCS#1491 - Add IPsec support

Author: jboxman

_topic_map.yml

@@ -878,6 +878,8 @@ Topics:
     File: migrate-from-openshift-sdn
   - Name: Rollback to the OpenShift SDN cluster network provider
     File: rollback-to-openshift-sdn
+  - Name: IPsec encryption configuration
+    File: about-ipsec-ovn
   - Name: Configuring an egress firewall for a project
     File: configuring-egress-firewall-ovn
   - Name: Viewing an egress firewall for a project

modules/nw-operator-cr.adoc

@@ -99,7 +99,7 @@ ifdef::openshift-origin[]
 endif::openshift-origin[]
 
 [id="nw-operator-configuration-parameters-for-openshift-sdn_{context}"]
-== Configuration parameters for the OpenShift SDN default CNI network provider
+== Configuration parameters for the OpenShift SDN CNI cluster network provider
 
 The following YAML object describes the configuration parameters for
 the OpenShift SDN default Container Network Interface (CNI) network provider.
@@ -165,7 +165,7 @@ value is normally configured automatically.
 endif::operator[]
 
 [id="nw-operator-configuration-parameters-for-ovn-sdn_{context}"]
-== Configuration parameters for the OVN-Kubernetes default CNI network provider
+== Configuration parameters for the OVN-Kubernetes CNI cluster network provider
 
 The following YAML object describes the configuration parameters for the OVN-Kubernetes default CNI network provider.
 
@@ -180,6 +180,7 @@ defaultNetwork:
   ovnKubernetesConfig: <2>
     mtu: 1400 <3>
     genevePort: 6081 <4>
+    ipsecConfig: {} <5>
 ----
 ifndef::operator[]
 <1> Specified in the `install-config.yaml` file.
@@ -211,6 +212,15 @@ endif::operator[]
 
 <4> The UDP port for the Geneve overlay network.
 
+ifndef::operator[]
+<5> Specify an empty object to enable IPsec encryption.
+endif::operator[]
+
+ifdef::operator[]
+<5> If the field is present, IPsec is enabled for the cluster.
+endif::operator[]
+
+
 [id="nw-operator-example-cr_{context}"]
 == Cluster Network Operator example configuration
 

modules/nw-ovn-ipsec-certificates.adoc

@@ -0,0 +1,10 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc
+
+[id="nw-ovn-ipsec-certificates_{context}"]
+= Security certificate generation and rotation
+
+The Cluster Network Operator (CNO) generates a self-signed X.509 certificate authority (CA) that is used by IPsec for encryption. Certificate signing requests (CSRs) from each node are automatically fulfilled by the CNO.
+
+The CA is valid for 10 years. The individual node certificates are valid for 5 years and are automatically rotated after 4 1/2 years elapse.

modules/nw-ovn-ipsec-encryption.adoc

@@ -0,0 +1,10 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc
+
+[id="nw-ovn-ipsec-encryption_{context}"]
+= Encryption protocol and tunnel mode for IPsec
+
+The encrypt cipher used is `AES-GCM-16-256`. The integrity check value (ICV) is `16` bytes. The key length is `256` bits.
+
+The IPsec tunnel mode used is _Transport mode_, a mode that encrypts end-to-end communication.

modules/nw-ovn-ipsec-traffic.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+
+[id="nw-ovn-ipsec-traffic_{context}"]
+= Types of network traffic flows encrypted by IPsec
+
+With IPsec enabled, only the following network traffic flows between pods are encrypted:
+
+* Traffic between pods on the cluster network
+* Traffic from a pod on the host network to a pod on the cluster network
+
+The following traffic flows are not encrypted:
+
+* Traffic between pods on the host network
+* Traffic from a pod on the cluster network to a pod on the host network

modules/nw-ovn-kubernetes-matrix.adoc

@@ -19,6 +19,8 @@ ifeval::["{context}" == "about-ovn-kubernetes"]
 
 |Egress router|Not supported|Supported
 
+|IPsec encryption|Supported|Not supported
+
 |Kubernetes network policy|Supported|Partially supported ^[2]^
 
 |Multicast|Supported|Supported
@@ -32,6 +34,8 @@ ifeval::["{context}" == "about-openshift-sdn"]
 
 |Egress router|Supported|Not supported
 
+|IPsec encryption|Not supported|Supported
+
 |Kubernetes network policy|Partially supported ^[2]^|Supported
 
 |Multicast|Supported|Supported

networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc

@@ -0,0 +1,20 @@
+[id="about-ipsec-ovn"]
+= IPsec encryption configuration
+include::modules/common-attributes.adoc[]
+:context: about-ipsec-ovn
+
+toc::[]
+
+With IPsec enabled, all network traffic between nodes on the OVN-Kubernetes Container Network Interface (CNI) cluster network travels through an encrypted tunnel.
+
+IPsec is disabled by default.
+
+[NOTE]
+====
+IPsec encryption can be enabled only during cluster installation and cannot be disabled after it is enabled.
+For installation documentation, refer to xref:../../installing/installing-preparing.adoc#installing-preparing[Selecting a cluster installation method and preparing it for users].
+====
+
+include::modules/nw-ovn-ipsec-traffic.adoc[leveloffset=+1]
+include::modules/nw-ovn-ipsec-encryption.adoc[leveloffset=+1]
+include::modules/nw-ovn-ipsec-certificates.adoc[leveloffset=+1]

networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc

@@ -18,4 +18,5 @@ include::modules/nw-ovn-kubernetes-matrix.adoc[leveloffset=+1]
 * xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
 * xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/ovn_kubernetes_network_provider/enabling-multicast.adoc#nw-ovn-kubernetes-enabling-multicast[Enabling multicast for a project]
+* xref:../../networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc#about-ipsec-ovn[IPsec encryption configuration]
 * xref:../../rest_api/operator_apis/network-operator-openshift-io-v1.adoc#network-operator-openshift-io-v1[Network [operator.openshift.io/v1]]