Currently the network operator brings up ovn-ipsec-host daemonset pod once
the ipsec machine config plugin is installed on the node. The pod spins up
ovs-monitor-ipsec script to create/update mesh of IPsec connections across
the nodes. This causes IPsec connections for the existing nodes to be
established a bit later after kubelet is started, but by the time workloads are
scheduled on the node, they start hitting traffic drops because of unavailability
of IPsec connections between nodes. This makes IPsec jobs in CI so unstable,
and monitor jobs always fail during IPsec upgrade.
The FDP story (https://issues.redhat.com/browse/FDP-1051) gets openvswitch-ipsec
systemd service (runs ovs-monitor-ipsec) with required configurable parameters
for network operator. It's available with OVS version 3.5, so OCP can use this
service running on the host for configuring IPsec for east west traffic.
Hence this commit includes openvswitch-ipsec package to be part of the ipsec
extension, ovs-monitor-ipsec to be run as a systemd service on the node and
ovn-ipsec-host pod would now only be used to configure the service.
This provides more flexibility in managing IPsec connections created by OVN
and OVS, helps to bring up existing IPsec connections timely before kubelet
service comes up upon node reboot scenarios.
Signed-off-by: Periyasamy Palanisamy <[email protected]>