Add ipsec connect wait service #4854
base: master
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: pperiyasamy. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files. Approvers can be assigned by writing:
/assign @tssurya
/assign @jcaamano
/assign @huiran0826
When a node reboots on an IPsec-enabled cluster, once it comes up libreswan parses the /etc/ipsec.d/openshift.conf file and establishes SAs with its peers; this may still be in progress even after kubelet has started, so pods scheduled on this node would fail to communicate with other pods until the IPsec tunnels are established.

So this commit adds the wait-for-ipsec-connect.service systemd service, which depends on the ipsecenabler.service created by the IPsec machine config. This new service loads the existing connections into libreswan with the auto=start option for every connection and waits up to 3 minutes until the IPsec tunnels are established. This service is added to the base template to avoid two reboots during upgrade if it goes into the IPsec machine configs rendered by CNO.

TODO: observe ipsec-upgrade behavior with this in CI; the logic needs to be revisited, as it should be enabled only on IPsec-enabled clusters.

Signed-off-by: Periyasamy Palanisamy <[email protected]>
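The wait step the commit message describes (read the conn names from the libreswan config, make sure each one is up, give up after a bounded timeout) can be sketched as the shell script such a systemd unit would run. The following is an added example and not the PR's own service script: the sample openshift.conf text and the `ipsec trafficstatus` output lines are constructed, the libreswan commands `ipsec auto --add`, `ipsec auto --up` and `ipsec trafficstatus` are assumed to be the right way to load, initiate and inspect connections, and the status source is passed in as a shell function so the wait loop can be exercised offline against the constructed output.

```shell
#!/usr/bin/env bash
# Added example (not the PR's own script): bounded wait for libreswan tunnels.
# Assumptions: libreswan's `ipsec auto --add/--up` loads and initiates a conn,
# and `ipsec trafficstatus` prints one line per established ESP SA quoting the
# conn name. Both are only invoked through real_status/load_and_start below;
# the demo uses constructed output instead.
set -u

# Constructed sample in the shape of /etc/ipsec.d/openshift.conf (assumption).
SAMPLE_CONF='conn %default
    ikev2=insist
    type=transport

conn ovn-node-a-node-b
    left=10.0.0.1
    right=10.0.0.2
    auto=route

conn ovn-node-a-node-c
    left=10.0.0.1
    right=10.0.0.3
    auto=route
'

# Constructed samples of `ipsec trafficstatus` output (assumed format):
# first only one of the two conns is up, then both are.
SAMPLE_STATUS_PARTIAL='006 #2: "ovn-node-a-node-b", type=ESP, add_time=1700000000, inBytes=0, outBytes=0'
SAMPLE_STATUS_FULL='006 #2: "ovn-node-a-node-b", type=ESP, add_time=1700000000, inBytes=0, outBytes=0
006 #4: "ovn-node-a-node-c", type=ESP, add_time=1700000003, inBytes=128, outBytes=96'

# Print the conn names of a config read from stdin, skipping the %default section.
conn_names() {
  awk '$1 == "conn" && $2 != "%default" { print $2 }'
}

# From trafficstatus output on stdin, print the conns with an established ESP SA.
established_conns() {
  sed -n 's/^[0-9]* *#[0-9]*: "\([^"]*\)", type=ESP.*/\1/p' | sort -u
}

# Succeed only if every name in $1 (newline-separated) also appears in $2.
all_established() {
  local c
  for c in $1; do
    printf '%s\n' "$2" | grep -qxF -- "$c" || return 1
  done
  return 0
}

# Load every conn of the config file $1 into pluto and initiate it; this is the
# "bring every connection up" step, using assumed libreswan commands.
load_and_start() {
  local c
  for c in $(conn_names <"$1"); do
    ipsec auto --add "$c" && ipsec auto --up "$c"
  done
}

# wait_for_tunnels CONF_TEXT STATUS_FN [TIMEOUT] [INTERVAL]
# Poll STATUS_FN (a shell function printing trafficstatus output) until every
# conn in CONF_TEXT is established. Returns 0 on success, 1 once TIMEOUT
# seconds (default 180, the 3 minutes in the commit message) have elapsed.
wait_for_tunnels() {
  local want have elapsed=0 timeout=${3:-180} interval=${4:-5}
  want=$(printf '%s' "$1" | conn_names)
  while :; do
    have=$("$2" | established_conns)
    all_established "$want" "$have" && return 0
    [ "$elapsed" -ge "$timeout" ] && return 1
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
}

real_status() { ipsec trafficstatus; }                      # what the unit would use
fake_status_partial() { printf '%s\n' "$SAMPLE_STATUS_PARTIAL"; }
fake_status_full() { printf '%s\n' "$SAMPLE_STATUS_FULL"; }

# Demo against the constructed samples (timeout 0 so the partial case returns at once).
demo() {
  if wait_for_tunnels "$SAMPLE_CONF" fake_status_partial 0 0; then echo "partial: ready"; else echo "partial: timed out"; fi
  if wait_for_tunnels "$SAMPLE_CONF" fake_status_full 0 0; then echo "full: ready"; else echo "full: timed out"; fi
}
```

In a unit the ExecStart would be roughly `load_and_start /etc/ipsec.d/openshift.conf && wait_for_tunnels "$(cat /etc/ipsec.d/openshift.conf)" real_status`, so a non-zero exit surfaces in `systemctl status` when the tunnels never come up within the timeout. The config parsing deliberately ignores `%default`, otherwise the loop would wait forever for a "connection" that can never be established; a conn whose peer node is down will still hold the wait until the timeout, which is the trade-off the 3-minute bound exists for.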
It is for troubleshooting purposes. Signed-off-by: Periyasamy Palanisamy <[email protected]>
@pperiyasamy: The following tests failed, say