42 changes: 25 additions & 17 deletions modules/nw-ovn-ipsec-north-south-enable.adoc
@@ -19,9 +19,9 @@ After you apply the machine config, the Machine Config Operator reboots affected
* You have installed the `butane` utility on your local computer.
* You have installed the NMState Operator on the cluster.
* You logged in to the cluster as a user with `cluster-admin` privileges.
* You have an existing PKCS#12 certificate for the IPsec endpoint and a CA cert in PEM format.
* You have an existing PKCS#12 certificate for the IPsec endpoint and a CA cert in Privacy Enhanced Mail (PEM) format.
* You enabled IPsec in either `Full` or `External` mode on your cluster.
* The OVN-Kubernetes network plugin must be configured in local gateway mode, where `ovnKubernetesConfig.gatewayConfig.routingViaHost=true`.
* You configured the OVN-Kubernetes network plugin in local gateway mode, where `ovnKubernetesConfig.gatewayConfig.routingViaHost=true`.

.Procedure

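Review bot: In the reworded PEM prerequisite, the expansion is conventionally hyphenated, "Privacy-Enhanced Mail (PEM)", as in RFC 7468; please match that. The change from "must be configured" to "You configured" on the local gateway mode line is a good fit for the prerequisite list's second-person style, but consider keeping the `ovnKubernetesConfig.gatewayConfig.routingViaHost=true` condition as the explicit requirement, e.g. "You configured ... (`routingViaHost: true`)", so readers see the exact field they must have set.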
@@ -33,7 +33,7 @@ After you apply the machine config, the Machine Config Operator reboots affected
$ oc get nodes
----

.. Create a file named `ipsec-config.yaml` that contains a node network configuration policy for the NMState Operator, such as in the following examples. For an overview about `NodeNetworkConfigurationPolicy` objects, see link:https://nmstate.io/kubernetes-nmstate/[The Kubernetes NMState project].
.. Create a file named `ipsec-config.yaml` that has a node network configuration policy for the NMState Operator, such as in the following examples. For an overview about `NodeNetworkConfigurationPolicy` objects, see link:https://nmstate.io/kubernetes-nmstate/[The Kubernetes NMState project].
+
--
.Example NMState IPsec transport configuration
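Review bot: "that has a node network configuration policy" reads weaker than the original "contains"; if the intent is to avoid "contains", "that defines a node network configuration policy" is the more precise wording, since the file is the `NodeNetworkConfigurationPolicy` manifest itself.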
@@ -63,10 +63,10 @@ spec:
ikev2: insist
type: transport
----
<1> Specifies the host name to apply the policy to. This host serves as the left side host in the IPsec configuration.
<1> Specifies the hostname to apply the policy to. This host serves as the left side host in the IPsec configuration.
<2> Specifies the name of the interface to create on the host.
<3> Specifies the host name of the cluster node that terminates the IPsec tunnel on the cluster side. The name should match SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
<4> Specifies the external host name, such as `host.example.com`. The name should match the SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
<3> Specifies the hostname of the cluster node that terminates the IPsec tunnel on the cluster side. The name should match SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
<4> Specifies the external hostname, such as `host.example.com`. The name should match the Storage Area Network (SAN) `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
<5> Specifies the IP address of the external host, such as `10.1.2.3/32`.

.Example NMState IPsec tunnel configuration
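Review bot: Callout <4> in the new version expands SAN as "Storage Area Network (SAN)", which is the wrong acronym for this context: in an X.509 certificate, SAN is the Subject Alternative Name extension (RFC 5280), and that is the field the peer hostname is matched against during IKE certificate authentication. Replace it with "Subject Alternative Name (SAN)" and drop the bracketed `[Subject Alternate Name]` ("Alternate" should also be "Alternative"); apply the same wording to callout <3>, which currently expands nothing, so both callouts read the same, for example: "The name must match a Subject Alternative Name (SAN) entry in your supplied PKCS#12 certificate."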
@@ -96,10 +96,10 @@ spec:
ikev2: insist
type: tunnel
----
<1> Specifies the host name to apply the policy to. This host serves as the left side host in the IPsec configuration.
<1> Specifies the hostname to apply the policy to. This host serves as the left side host in the IPsec configuration.
<2> Specifies the name of the interface to create on the host.
<3> Specifies the host name of the cluster node that terminates the IPsec tunnel on the cluster side. The name should match SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
<4> Specifies the external host name, such as `host.example.com`. The name should match the SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
<3> Specifies the hostname of the cluster node that terminates the IPsec tunnel on the cluster side. The name should match SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
<4> Specifies the external hostname, such as `host.example.com`. The name should match the SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
<5> Specifies the IP address of the external host, such as `10.1.2.3/32`.
--

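Review bot: Callouts <3> and <4> of the tunnel example still read "SAN `[Subject Alternate Name]`" while callout <4> of the transport example above now carries an (incorrect) expansion, so the two callout lists have drifted apart in the same PR. Use one wording in both places, "Subject Alternative Name (SAN)" per RFC 5280, without the bracketed gloss, and keep the transport and tunnel callout text identical since they describe the same fields.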
@@ -110,16 +110,23 @@ spec:
$ oc create -f ipsec-config.yaml
----

. Provide the following certificate files to add to the Network Security Services (NSS) database on each host. These files are imported as part of the Butane configuration in later steps.
. Give the following certificate files to add to the Network Security Services (NSS) database on each host. These files are imported as part of the Butane configuration in the next steps.
+
--
* `left_server.p12`: The certificate bundle for the IPsec endpoints
* `ca.pem`: The certificate authority that you signed your certificates with
--

. Create a machine config to add your certificates to the cluster:

.. To create Butane config files for the control plane and worker nodes, enter the following command:
+
.. Use the `pk12util` tool, which comes prepackaged with {op-system-base-full}, to specify a password that protects `PKCS#12` files by entering the following command. Ensure that you replace the `<password>` value with your password.
+
[source,terminal]
----
$ pk12util -W "<password>" -i /etc/pki/certs/left_server.p12 -d /var/lib/ipsec/nss/
----
+
.. To create Butane config files for the control plane and compute nodes, enter the following command:
+
[NOTE]
====
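Review bot: The new `pk12util` substep describes the command as "specify a password that protects `PKCS#12` files", but that is not what the command does: `-i` imports the PKCS#12 bundle into the NSS database named by `-d`, and `-W` supplies the password the bundle was already protected with when it was exported. Reword along the lines of "Import the PKCS#12 bundle into the NSS database, supplying the password that protects it". Two related problems: the step sits under "Create a machine config" and uses the node path `/var/lib/ipsec/nss/`, while the preceding list item says these files "are imported as part of the Butane configuration in the next steps", so state where this command runs (on each node after rollout, or on the local computer) and why a manual import is needed in addition to the Butane import; and a password given on the command line is recorded in shell history and visible in process listings, so prefer `-w <password-file>` (pk12util reads the PKCS#12 password from a file) or at least note the exposure. Minor: "Give the following certificate files to add to" is ungrammatical, the original "Provide" was correct; and `PKCS#12` is backticked here but plain elsewhere in the module.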
@@ -178,8 +185,8 @@ $ for role in master worker; do
EOF
done
----

.. To transform the Butane files that you created in an earlier step into machine configs, enter the following command:
+
.. To transform the Butane files that you created in the earlier step into machine configs, enter the following command:
+
[source,terminal]
----
@@ -199,7 +206,7 @@ done
+
[IMPORTANT]
====
As the Machine Config Operator (MCO) updates machines in each machine config pool, it reboots each node one by one. You must wait until all the nodes to update before external IPsec connectivity is available.
As the Machine Config Operator (MCO) updates machines in each machine config pool, it reboots each node one by one. You must wait for all the nodes to update before external IPsec connectivity is available.
====

. Check the machine config pool status by entering the following command:
@@ -217,6 +224,7 @@ By default, the MCO updates one machine per pool at a time, causing the total ti
====

. To confirm that IPsec machine configs rolled out successfully, enter the following commands:
+
.. Confirm the creation of the IPsec machine configs:
+
[source,terminal]
@@ -230,8 +238,8 @@ $ oc get mc | grep ipsec
80-ipsec-master-extensions 3.2.0 6d15h
80-ipsec-worker-extensions 3.2.0 6d15h
----

.. Confirm the application of the IPsec extension to control plane nodes. Example output would show `2`.
+
.. Confirm you have applied the IPsec extension to control plane nodes:
+
[source,terminal]
----
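Review bot: The rewritten substep drops "Example output would show `2`", which was the only statement of what a successful result looks like; if the command that follows does not already have an `.Example output` block showing the count, keep that expected value (and say what it counts, i.e. the number of control plane nodes with the extension applied), otherwise the reader has nothing to confirm against. The added `+` continuation before a nested `..` item is not required for nesting in AsciiDoc; please verify the rendered output does not pick up an empty paragraph.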