Merge pull request #38819 from jboxman-rh/OSDOCS-2098

OSDOCS-2098: IPsec can be enabled at runtime

Author: jab-rh

_topic_maps/_topic_map.yml

@@ -1134,8 +1134,8 @@ Topics:
     File: rollback-to-openshift-sdn
   - Name: Converting to IPv4/IPv6 dual stack networking
     File: converting-to-dual-stack
-  - Name: IPsec encryption configuration
-    File: about-ipsec-ovn
+  - Name: Configuring IPsec encryption
+    File: configuring-ipsec-ovn
   - Name: Configuring an egress firewall for a project
     File: configuring-egress-firewall-ovn
   - Name: Viewing an egress firewall for a project

modules/nw-operator-cr.adoc

@@ -270,7 +270,7 @@ ifndef::ibm-cloud[]
 |`object`
 |
 ifndef::operator[]
-Specify an empty object to enable IPsec encryption. This value cannot be changed after cluster installation.
+Specify an empty object to enable IPsec encryption.
 endif::operator[]
 ifdef::operator[]
 If the field is present, IPsec is enabled for the cluster.

modules/nw-ovn-ipsec-certificates.adoc

@@ -2,6 +2,7 @@
 //
 // * networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc
 
+:_content-type: CONCEPT
 [id="nw-ovn-ipsec-certificates_{context}"]
 = Security certificate generation and rotation
 

modules/nw-ovn-ipsec-disable.adoc

@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+
+:_content-type: PROCEDURE
+[id="nw-ovn-ipsec-disable_{context}"]
+= Disabling IPsec encryption
+
+As a cluster administrator, you can disable IPsec encryption only if you enabled IPsec after cluster installation.
+
+[NOTE]
+====
+If you enabled IPsec when you installed your cluster, you cannot disable IPsec with this procedure.
+====
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in to the cluster with a user with `cluster-admin` privileges.
+
+.Procedure
+
+. To disable IPsec encryption, enter the following command:
++
+[source,terminal]
+----
+$ oc patch networks.operator.openshift.io/cluster --type=json \
+  -p='[{"op":"remove", "path":"/spec/defaultNetwork/ovnKubernetesConfig/ipsecConfig"}]'
+----
+
+. Optional: You can increase the size of your cluster MTU by `46` bytes because there is no longer any overhead from the IPsec ESP header in IP packets.

modules/nw-ovn-ipsec-enable.adoc

@@ -0,0 +1,25 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+
+:_content-type: PROCEDURE
+[id="nw-ovn-ipsec-enable_{context}"]
+= Enabling IPsec encryption
+
+As a cluster administrator, you can enable IPsec encryption after cluster installation.
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in to the cluster with a user with `cluster-admin` privileges.
+* You have reduced the size of your cluster MTU by `46` bytes to allow for the overhead of the IPsec ESP header.
+
+.Procedure
+
+* To enable IPsec encryption, enter the following command:
++
+[source,terminal]
+----
+$ oc patch networks.operator.openshift.io/cluster --type=json \
+-p='[{"op":"remove", "path":"/spec/defaultNetwork/ovnKubernetesConfig/ipsecConfig"}]'
+----

modules/nw-ovn-ipsec-encryption.adoc

@@ -2,6 +2,7 @@
 //
 // * networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc
 
+:_content-type: CONCEPT
 [id="nw-ovn-ipsec-encryption_{context}"]
 = Encryption protocol and tunnel mode for IPsec
 

modules/nw-ovn-ipsec-traffic.adoc

@@ -2,6 +2,7 @@
 //
 // * networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc
 
+:_content-type: CONCEPT
 [id="nw-ovn-ipsec-traffic_{context}"]
 = Types of network traffic flows encrypted by IPsec
 

modules/nw-ovn-ipsec-verification.adoc

@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc
+
+:_content-type: PROCEDURE
+[id="nw-ovn-ipsec-verification_{context}"]
+= Verifying that IPsec is enabled
+
+As a cluster administrator, you can verify that IPsec is enabled.
+
+.Verification
+
+. To find the names of the OVN-Kubernetes control plane pods, enter the following command:
++
+[source,terminal]
+----
+$ oc get pods -n openshift-ovn-kubernetes | grep ovnkube-master
+----
++
+.Example output
+[source,terminal]
+----
+ovnkube-master-4496s        1/1     Running   0          6h39m
+ovnkube-master-d6cht        1/1     Running   0          6h42m
+ovnkube-master-skblc        1/1     Running   0          6h51m
+ovnkube-master-vf8rf        1/1     Running   0          6h51m
+ovnkube-master-w7hjr        1/1     Running   0          6h51m
+ovnkube-master-zsk7x        1/1     Running   0          6h42m
+----
+
+. Verify that IPsec is enabled on your cluster:
++
+[source,terminal]
+----
+$ oc -n openshift-ovn-kubernetes -c nbdb rsh ovnkube-master-<XXXXX> \
+  ovn-nbctl --no-leader-only get nb_global . ipsec
+----
++
+--
+where:
+
+`<XXXXX>`:: Specifies the random sequence of letters for a pod from the previous step.
+--
++
+.Example output
+[source,text]
+----
+true
+----

networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc

@@ -32,5 +32,5 @@ include::modules/nw-ovn-kuberentes-limitations.adoc[leveloffset=+1]
 * xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/network_policy/logging-network-policy.adoc#logging-network-policy[Logging network policy events]
 * xref:../../networking/ovn_kubernetes_network_provider/enabling-multicast.adoc#nw-ovn-kubernetes-enabling-multicast[Enabling multicast for a project]
-* xref:../../networking/ovn_kubernetes_network_provider/about-ipsec-ovn.adoc#about-ipsec-ovn[IPsec encryption configuration]
+* xref:../../networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn[Configuring IPsec encryption]
 * xref:../../rest_api/operator_apis/network-operator-openshift-io-v1.adoc#network-operator-openshift-io-v1[Network [operator.openshift.io/v1\]]