|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * scalability_and_performance/ztp_far_edge/ztp-advanced-install-ztp.adoc |
| 4 | + |
| 5 | +:_module-type: PROCEDURE |
| 6 | +[id="ztp-configuring-ipsec-using-ztp-and-siteconfig_{context}"] |
| 7 | += Configuring IPsec encryption for {sno} clusters using {ztp} and SiteConfig resources |
| 8 | + |
| 9 | +You can enable IPsec encryption in managed {sno} clusters that you install using {ztp} and {rh-rhacm-first}. |
| 10 | +You can encrypt external traffic between pods and IPsec endpoints external to the managed cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in Transport mode. |
| 11 | + |
| 12 | +[NOTE] |
| 13 | +==== |
| 14 | +In {product-title} {product-version}, deploying IPsec encryption by using {ztp} and {rh-rhacm} is validated for {sno} clusters only. |
| 15 | +
|
| 16 | +The {ztp} IPsec implementation assumes you are deploying to a resource constrained platform. |
| 17 | +As such, you install the feature with a single `MachineConfig` CR only, and you do not need to install the NMState Operator on the {sno} cluster as a prerequisite. |
| 18 | +==== |
| 19 | + |
| 20 | +.Prerequisites |
| 21 | + |
| 22 | +* You have installed the OpenShift CLI (`oc`). |
| 23 | +
|
| 24 | +* You have logged in to the hub cluster as a user with `cluster-admin` privileges. |
| 25 | +
|
| 26 | +* You have configured {rh-rhacm} and the hub cluster for generating the required installation and policy custom resources (CRs) for managed clusters. |
| 27 | +
|
| 28 | +* You have created a Git repository where you manage your custom site configuration data. |
| 29 | +The repository must be accessible from the hub cluster and be defined as a source repository for the Argo CD application. |
| 30 | +
|
| 31 | +* You have installed the `butane` utility, version 0.20.0 or higher. |
| 32 | +
|
| 33 | +* You have a PKCS#12 certificate for the IPsec endpoint and a CA cert in PEM format. |
| 34 | +
|
| 35 | +.Procedure |
| 36 | + |
| 37 | +. Extract the latest version of the `ztp-site-generate` container source and merge it with your repository where you manage your custom site configuration data. |
| 38 | + |
| 39 | +. Configure `optional-extra-manifest/ipsec/ipsec-endpoint-config.yaml` with the required values that configure IPsec in the cluster. For example: |
| 40 | ++ |
| 41 | +[source,yaml] |
| 42 | +---- |
| 43 | +interfaces: |
| 44 | +- name: hosta_conn |
| 45 | + type: ipsec |
| 46 | + libreswan: |
| 47 | + left: <cluster_node> <1> |
| 48 | + leftid: '%fromcert' |
| 49 | + leftmodecfgclient: false |
| 50 | + leftcert: <left_cert> <2> |
| 51 | + leftrsasigkey: '%cert' |
| 52 | + right: <external_host> <3> |
| 53 | + rightid: '%fromcert' |
| 54 | + rightrsasigkey: '%cert' |
| 55 | + rightsubnet: <external_address> <4> |
| 56 | + ikev2: insist <5> |
| 57 | + type: tunnel |
| 58 | +---- |
| 59 | +<1> Replace `<cluster_node>` with the IP address or DNS hostname of the cluster node for the cluster-side IPsec tunnel. |
| 60 | +<2> Replace `<left_cert>` with the IPsec certificate nickname. |
| 61 | +<3> Replace `<external_host>` with the external host IP address or DNS hostname. |
| 62 | +<4> Replace `<external_address>` with the IP address or subnet of the external host on the other side of the IPsec tunnel. |
| 63 | +<5> Use the IKEv2 VPN encryption protocol only. Do not use IKEv1, which is deprecated. |
| 64 | + |
| 65 | +. Add your `ca.pem` and `left_server.p12` certificates to the `optional-extra-manifest/ipsec` folder. |
| 66 | +The certificate files are required for the Network Security Services (NSS) database on each host. These files are imported as part of the Butane configuration in later steps. |
| 67 | + |
| 68 | +.. `left_server.p12`: The certificate bundle for the IPsec endpoints |
| 69 | + |
| 70 | +.. `ca.pem`: The certificate authority that you signed your certificates with |
| 71 | + |
| 72 | +. Open a shell prompt at the `optional-extra-manifest/ipsec` folder of the Git repository where you maintain your custom site configuration data. |
| 73 | + |
| 74 | +. Run the `optional-extra-manifest/ipsec/build.sh` script to generate the required Butane and `MachineConfig` CRs files. |
| 75 | ++ |
| 76 | +.Example output |
| 77 | +[source,terminal] |
| 78 | +---- |
| 79 | +out |
| 80 | + └── argocd |
| 81 | + └── example |
| 82 | + └── optional-extra-manifest |
| 83 | + └── ipsec |
| 84 | + ├── 99-ipsec-master-endpoint-config.bu <1> |
| 85 | + ├── 99-ipsec-master-endpoint-config.yaml |
| 86 | + ├── 99-ipsec-worker-endpoint-config.bu |
| 87 | + ├── 99-ipsec-worker-endpoint-config.yaml |
| 88 | + ├── build.sh |
| 89 | + ├── ca.pem <2> |
| 90 | + ├── left_server.p12 |
| 91 | + ├── enable-ipsec.yaml |
| 92 | + ├── ipsec-endpoint-config.yml |
| 93 | + └── README.md |
| 94 | +---- |
| 95 | +<1> The `ipsec/build.sh` script generates the Butane and endpoint configuration CRs. |
| 96 | +<2> You provide `ca.pem` and `left_server.p12` certificate files that are relevant to your network. |
| 97 | + |
| 98 | +. Create a `custom-manifest/` folder in the repository where you manage your custom site configuration data. |
| 99 | +Add the `enable-ipsec.yaml` and `99-ipsec-*` YAML files to the directory. |
| 100 | +For example: |
| 101 | ++ |
| 102 | +[source,terminal] |
| 103 | +---- |
| 104 | +siteconfig |
| 105 | + ├── site1-sno-du.yaml |
| 106 | + ├── extra-manifest/ |
| 107 | + └── custom-manifest |
| 108 | + ├── enable-ipsec.yaml |
| 109 | + ├── 99-ipsec-worker-endpoint-config.yaml |
| 110 | + └── 99-ipsec-master-endpoint-config.yaml |
| 111 | +---- |
| 112 | + |
| 113 | +. In your `SiteConfig` CR, add the `custom-manifest/` directory to the `extraManifests.searchPaths` field. |
| 114 | +For example: |
| 115 | ++ |
| 116 | +[source,yaml] |
| 117 | +---- |
| 118 | +clusters: |
| 119 | +- clusterName: "site1-sno-du" |
| 120 | + networkType: "OVNKubernetes" |
| 121 | + extraManifests: |
| 122 | + searchPaths: |
| 123 | + - extra-manifest/ |
| 124 | + - custom-manifest/ |
| 125 | +---- |
| 126 | + |
| 127 | +. Commit the `SiteConfig` CR changes and updated files in your Git repository and push the changes to provision the managed cluster and configure IPsec encryption. |
| 128 | ++ |
| 129 | +The Argo CD pipeline detects the changes and begins the managed cluster deployment. |
| 130 | ++ |
| 131 | +During cluster provisioning, the {ztp} pipeline appends the CRs in the `/custom-manifest` directory to the default set of extra manifests stored in `extra-manifest/`. |
| 132 | + |
| 133 | +.Verification |
| 134 | + |
| 135 | +To verify that the IPsec encryption is successfully applied in the managed {sno} cluster, perform the following steps: |
| 136 | + |
| 137 | +. Start a debug pod for the managed cluster by running the following command: |
| 138 | ++ |
| 139 | +[source,terminal] |
| 140 | +---- |
| 141 | +$ oc debug node/<node_name> |
| 142 | +---- |
| 143 | + |
| 144 | +. Check that the IPsec policy is applied in the cluster node: |
| 145 | ++ |
| 146 | +[source,terminal] |
| 147 | +---- |
| 148 | +sh-5.1# ip xfrm policy |
| 149 | +---- |
| 150 | ++ |
| 151 | +.Example output |
| 152 | +[source,terminal] |
| 153 | +---- |
| 154 | +src 172.16.123.0/24 dst 10.1.232.10/32 |
| 155 | + dir out priority 1757377 ptype main |
| 156 | + tmpl src 10.1.28.190 dst 10.1.232.10 |
| 157 | + proto esp reqid 16393 mode tunnel |
| 158 | +src 10.1.232.10/32 dst 172.16.123.0/24 |
| 159 | + dir fwd priority 1757377 ptype main |
| 160 | + tmpl src 10.1.232.10 dst 10.1.28.190 |
| 161 | + proto esp reqid 16393 mode tunnel |
| 162 | +src 10.1.232.10/32 dst 172.16.123.0/24 |
| 163 | + dir in priority 1757377 ptype main |
| 164 | + tmpl src 10.1.232.10 dst 10.1.28.190 |
| 165 | + proto esp reqid 16393 mode tunnel |
| 166 | +---- |
| 167 | + |
| 168 | +. Check that the IPsec tunnel is up and connected: |
| 169 | ++ |
| 170 | +[source,terminal] |
| 171 | +---- |
| 172 | +sh-5.1# ip xfrm state |
| 173 | +---- |
| 174 | ++ |
| 175 | +.Example output |
| 176 | +[source,terminal] |
| 177 | +---- |
| 178 | +src 10.1.232.10 dst 10.1.28.190 |
| 179 | + proto esp spi 0xa62a05aa reqid 16393 mode tunnel |
| 180 | + replay-window 0 flag af-unspec esn |
| 181 | + auth-trunc hmac(sha1) 0x8c59f680c8ea1e667b665d8424e2ab749cec12dc 96 |
| 182 | + enc cbc(aes) 0x2818a489fe84929c8ab72907e9ce2f0eac6f16f2258bd22240f4087e0326badb |
| 183 | + anti-replay esn context: |
| 184 | + seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0 |
| 185 | + replay_window 128, bitmap-length 4 |
| 186 | + 00000000 00000000 00000000 00000000 |
| 187 | +src 10.1.28.190 dst 10.1.232.10 |
| 188 | + proto esp spi 0x8e96e9f9 reqid 16393 mode tunnel |
| 189 | + replay-window 0 flag af-unspec esn |
| 190 | + auth-trunc hmac(sha1) 0xd960ddc0a6baaccb343396a51295e08cfd8aaddd 96 |
| 191 | + enc cbc(aes) 0x0273c02e05b4216d5e652de3fc9b3528fea94648bc2b88fa01139fdf0beb27ab |
| 192 | + anti-replay esn context: |
| 193 | + seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0 |
| 194 | + replay_window 128, bitmap-length 4 |
| 195 | + 00000000 00000000 00000000 00000000 |
| 196 | +---- |
| 197 | + |
| 198 | +. Ping a known IP in the external host subnet. |
| 199 | +For example, ping an IP in the `rightsubnet` range that you set in `ipsec/ipsec-endpoint-config.yaml`: |
| 200 | ++ |
| 201 | +[source,terminal] |
| 202 | +---- |
| 203 | +sh-5.1# ping 172.16.110.8 |
| 204 | +---- |
| 205 | ++ |
| 206 | +.Example output |
| 207 | +[source,terminal] |
| 208 | +---- |
| 209 | +sh-5.1# ping 172.16.110.8 |
| 210 | +PING 172.16.110.8 (172.16.110.8) 56(84) bytes of data. |
| 211 | +64 bytes from 172.16.110.8: icmp_seq=1 ttl=64 time=153 ms |
| 212 | +64 bytes from 172.16.110.8: icmp_seq=2 ttl=64 time=155 ms |
| 213 | +---- |
0 commit comments