
[DNM] Configure ovnkube-node and ovn-ipsec for IPsec Child SA metric#3036

Open
pperiyasamy wants to merge 2 commits into openshift:master from pperiyasamy:ipsec_child_sa_metric

Conversation

@pperiyasamy

@pperiyasamy pperiyasamy commented Jun 22, 2026

Member

cc @SachinNinganure

Summary by CodeRabbit

  • New Features
    • Added support for enabling IPsec in OVN-Kubernetes deployments
    • Configured required system paths and volumes for IPsec daemon operation in both managed and self-hosted cluster environments

Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
@coderabbitai

coderabbitai Bot commented Jun 22, 2026


No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 681d5ed and 4227e6c.

📒 Files selected for processing (1)
  • bindata/network/ovn-kubernetes/common/ipsec-host.yaml
💤 Files with no reviewable changes (1)
  • bindata/network/ovn-kubernetes/common/ipsec-host.yaml

Walkthrough

The PR adds IPsec enablement to OVN-Kubernetes node components: the startup script conditionally passes --enable-ipsec to the ovnkube binary, and the /var/run/pluto host directory is mounted into the ovnkube-controller container (managed and self-hosted manifests) and the ovn-ipsec container (containerized manifest), all gated on .OVNIPsecEnable. The PR also removes obsolete /usr/sbin and /usr/libexec mounts from the ipsec-host DaemonSet.

Changes

OVN IPsec enablement across node components

Layer / File(s) Summary
--enable-ipsec CLI flag in startup script
bindata/network/ovn-kubernetes/common/008-script-lib.yaml
Initializes ipsec_enable_flag as empty, sets it to --enable-ipsec when .OVNIPsecEnable is true, and appends ${ipsec_enable_flag} to the ovnkube exec argument list.
Pluto volume mount in containerized ipsec container
bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml
Adds a volumeMount for /var/run/pluto to the ovn-ipsec container and defines the corresponding host-var-run-pluto hostPath volume with DirectoryOrCreate type.
Pluto volume mount in managed ovnkube-controller
bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml
Under .OVNIPsecEnable condition, adds a read-only volumeMount for /var/run/pluto to the ovnkube-controller container and defines the host-var-run-pluto hostPath volume in the pod spec.
Pluto volume mount in self-hosted ovnkube-controller
bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml
Under .OVNIPsecEnable condition, adds a read-only volumeMount for /var/run/pluto to the ovnkube-controller container and defines the host-var-run-pluto hostPath volume in the pod spec.
Remove unused sbin and libexec mounts from ipsec-host
bindata/network/ovn-kubernetes/common/ipsec-host.yaml
Removes the /usr/sbin and /usr/libexec host directory mounts from the ovn-ipsec container volumeMounts and removes the corresponding hostPath volume definitions from the DaemonSet spec.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name: No-Sensitive-Data-In-Logs
Status: ❌ Error
Explanation: The bash scripts (ipsec-containerized.yaml, ipsec-host.yaml) have 'set -x' enabled, which logs all shell commands. They execute 'openssl req' commands with CN=${cn} where cn is the Kubernetes node'...
Resolution: Disable command tracing for sections that handle internal hostnames, or exclude CN from logged commands by redirecting output or using set +x around sensitive operations.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main changes involving IPsec configuration for ovnkube-node and ovn-ipsec, though it is marked [DNM] indicating work-in-progress status.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Check is not applicable: PR modifies only YAML Kubernetes manifests, not Ginkgo test files or any Go test code.
Test Structure And Quality ✅ Passed This PR contains only YAML configuration file changes for IPsec in OVN-Kubernetes; no Ginkgo test files are modified, making the test code quality check not applicable.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR; changes are YAML manifests and scripts for IPsec configuration. MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR contains only infrastructure/deployment manifest changes (YAML files) with no Ginkgo e2e tests added, so the SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR changes only add conditional IPsec volume mounts to DaemonSets. No problematic scheduling constraints (anti-affinity with maxUnavailable:0, topology spread constraints, control-plane-targeting s...
Ote Binary Stdout Contract ✅ Passed PR modifies only YAML configuration files in bindata/, not Go source code. OTE stdout contract check applies to Go code execution in binaries, not YAML configuration data.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests are present in this PR. All changes are YAML configuration files for OVN-Kubernetes and IPsec manifests, not test code.
No-Weak-Crypto ✅ Passed PR contains only Kubernetes manifests and shell script configs for IPsec setup; no weak crypto algorithms, custom crypto implementations, or timing-sensitive comparisons detected.
Container-Privileges ✅ Passed PR adds IPsec volume mounts and daemon configurations with pre-existing, justified privileged: true, hostPID, hostNetwork settings for encryption/tunneling. No new privilege escalations, SYS_ADMIN,...
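The two script-level points raised above, the conditional `--enable-ipsec` flag from the walkthrough and the `set +x` remediation suggested by the No-Sensitive-Data-In-Logs check, as an added shell example that is not code from this PR or from cluster-network-operator. The `--init-node` argument, the `NODE_NAME` variable and the "true"/"false" second argument standing in for the rendered `.OVNIPsecEnable` value are assumptions; the `openssl req` call is replaced by a stand-in that only writes the subject string to a file, so the example needs no openssl and produces no key material.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or from cluster-network-operator.
# (1) the conditional --enable-ipsec flag the walkthrough describes,
# (2) a CN-bearing command run under `set -x` without the node name
#     reaching the xtrace log, as the pre-merge check recommends.

# Build the ovnkube argument list. $1 is the node name, $2 stands in for the
# rendered .OVNIPsecEnable value ("true"/"false"). --init-node is illustrative.
ovnkube_args() {
  local ipsec_enable_flag=""
  if [ "$2" = "true" ]; then
    ipsec_enable_flag="--enable-ipsec"
  fi
  # ${var:+ ...} appends the flag only when it is set, so a disabled IPsec
  # leaves no stray empty argument behind.
  printf '%s\n' "--init-node $1${ipsec_enable_flag:+ $ipsec_enable_flag}"
}

# Write this node's CSR subject to the file named in $1 without letting
# xtrace print the CN. Tracing is switched off before the node name is read,
# so neither the assignment nor the expanded command lands in the log, and
# the previous xtrace state (read from $-) is restored afterwards rather than
# blindly re-enabled.
csr_subject_untraced() {
  local was_tracing=0
  case "$-" in *x*) was_tracing=1 ;; esac
  set +x
  local cn="${NODE_NAME:?NODE_NAME must be set}"
  # Stand-in for: openssl req -new -subj "/CN=${cn}" ...
  printf '/CN=%s\n' "$cn" > "$1"
  [ "$was_tracing" -eq 1 ] && set -x
  return 0
}

# Naive form for comparison: under `set -x` the expanded command, node name
# included, is written to stderr and ends up in the container log.
csr_subject_traced() {
  printf '/CN=%s\n' "$NODE_NAME" > "$1"
}
```

Note that the suspension has to happen before any line that expands the hostname: wrapping a function call such as `run_untraced openssl req -subj "/CN=$cn"` would not help, because the call itself is traced with its already-expanded arguments.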

@openshift-ci openshift-ci Bot requested review from mattedallo and miheer June 22, 2026 08:22
@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pperiyasamy
Once this PR has been reviewed and has the lgtm label, please assign kyrtapz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
@pperiyasamy

Member Author

/testwith openshift/cluster-network-operator/master/e2e-ovn-ipsec-step-registry openshift/ovn-kubernetes#3259

@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Contributor

@pperiyasamy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade 4227e6c link false /test 5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade
ci/prow/e2e-ovn-ipsec-step-registry 4227e6c link true /test e2e-ovn-ipsec-step-registry
ci/prow/e2e-aws-ovn-rhcos10-techpreview 4227e6c link false /test e2e-aws-ovn-rhcos10-techpreview
ci/prow/e2e-aws-ovn-fdp-qe 4227e6c link true /test e2e-aws-ovn-fdp-qe
ci/prow/hypershift-e2e-aks 4227e6c link true /test hypershift-e2e-aks
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec 4227e6c link true /test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/e2e-aws-ovn-upgrade-ipsec 4227e6c link true /test e2e-aws-ovn-upgrade-ipsec
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw 4227e6c link true /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw
ci/prow/5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade 4227e6c link false /test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

