weixin_39683598
2020-11-22 16:27

Introduce networkMode config option and ipsecEncap mode for Agent

Introduce networkMode config option, which now supports two modes: encapNormal (for normal overlay tunnels) and ipsecEncap (for IPSec encryption of tunnel traffic). Later, there could be more modes added like noEncap, hybrid (encapsulation only for traffic across Nodes in different underlay subnets), passthrough (use cloud native networking / underlay network for connectivity), etc. Remove the enableIPSecTunnel option and use ipsecEncap networkMode to enable IPSec encryption. This is also to avoid misconfiguration of IPSec encryption when later we have noEncap and other modes - IPSec could be enabled for only tunnel traffic.

This question comes from the open-source project: vmware-tanzu/antrea


10 replies

  • s2603898260 叨陪鲤 1 month ago

    I feel like I've walked onto the wrong film set, I can't get a word in at all.

  • weixin_39884074 weixin_39884074 4 months ago

    Thanks for your PR. Unit tests and code linters are run automatically every time the PR is updated. E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

    The following commands are available:
    * /test-e2e: to trigger e2e tests.
    * /skip-e2e: to skip e2e tests.
    * /test-conformance: to trigger conformance tests.
    * /skip-conformance: to skip conformance tests.
    * /test-networkpolicy: to trigger networkpolicy tests.
    * /skip-networkpolicy: to skip networkpolicy tests.
    * /test-all: to trigger all tests.
    * /skip-all: to skip all tests.

    These commands can only be run by members of the vmware-tanzu organization.

  • weixin_39683598 weixin_39683598 4 months ago

    -orlando : like to learn your thoughts on the network mode config option. See also discussion over issue #237.

  • weixin_39884074 weixin_39884074 4 months ago

    Thanks for your PR. Unit tests and code linters are run automatically every time the PR is updated. E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

    The following commands are available:
    * /test-e2e: to trigger e2e tests.
    * /skip-e2e: to skip e2e tests.
    * /test-conformance: to trigger conformance tests.
    * /skip-conformance: to skip conformance tests.
    * /test-networkpolicy: to trigger networkpolicy tests.
    * /skip-networkpolicy: to skip networkpolicy tests.
    * /test-all: to trigger all tests.
    * /skip-all: to skip all tests.

    These commands can only be run by members of the vmware-tanzu organization.

  • weixin_39779467 weixin_39779467 4 months ago

    -orlando : like to learn your thoughts on the network mode config option. See also discussion over issue #237.

    Just personal feeling, the supported values are not very symmetric, I mean ipsecEncap, thinking whether to encrypt is not in the same dimension as encap, noEncap, hybrid, passthrough (and technically hybrid could enable IPSec too?). I feel the concern of misconfiguration of IPSec encryption when later we have noEncap and other modes can be easily addressed by adding a validation to the two options; anyway tunnelType is an option specific to encap mode too.

  • weixin_39683598 weixin_39683598 4 months ago

    Just personal feeling, the supported values are not very symmetric, I mean ipsecEncap, thinking whether to encrypt is not in the same dimension as encap, noEncap, hybrid, passthrough (and technically hybrid could enable IPSec too?).

    You must be right. I could only argue "passthrough" is different from other modes too. Then do we need a separate flag for it too? Anyway, I do not have a strong opinion on this, but just like to learn what you guys think. And -orlando: your thoughts?

  • weixin_39761558 weixin_39761558 4 months ago

    After thinking about this, I feel the same way as Quan. I think we should keep "ipsec enable" as a separate dimension and validate option consistency in our code.

  • weixin_39761558 weixin_39761558 4 months ago

    Sorry for the late reply.

    Two separate knobs make sense to me:
    - Encap
    - IPSecEnable

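The reviewers above (L52 and L64 in the thread) argue for keeping the encapsulation mode and the IPsec switch as two separate options and catching inconsistent combinations with a validation step, and the reply just above agrees. The following is an added example of such a validation, not Antrea's own code: the `AgentConfig` struct, the mode names `encap`/`noEncap`/`hybrid`, the field names `TrafficEncapMode`, `TunnelType` and `EnableIPSecTunnel`, and the sample tunnel type strings are all assumptions made for the example. It rejects IPsec outside of full encap mode (conservatively, since the thread only asks whether hybrid could carry IPsec) and rejects a tunnel type in noEncap mode, which the thread notes is an encap-only option.

```go
package main

import (
	"errors"
	"fmt"
)

// Encapsulation modes. The names are assumed for this example; the thread
// mentions encap, noEncap and hybrid as candidate modes.
const (
	ModeEncap   = "encap"
	ModeNoEncap = "noEncap"
	ModeHybrid  = "hybrid"
)

// AgentConfig is a hypothetical agent configuration with the two separate
// knobs the reviewers preferred: an encapsulation mode and an independent
// IPsec switch. It is not Antrea's real config type.
type AgentConfig struct {
	TrafficEncapMode  string // ModeEncap, ModeNoEncap or ModeHybrid
	TunnelType        string // tunnel protocol for encapsulated traffic; "" means unset
	EnableIPSecTunnel bool   // encrypt agent-created tunnels with IPsec
}

// ErrInvalidConfig wraps every validation failure so callers can test for it
// with errors.Is without matching on message text.
var ErrInvalidConfig = errors.New("invalid agent configuration")

// ValidateAgentConfig enforces consistency between the two knobs: IPsec only
// applies to tunnels the agent creates, so it requires full encap mode here
// (hybrid is rejected as a conservative design choice of this example), and a
// tunnel type has no effect when nothing is encapsulated.
func ValidateAgentConfig(c AgentConfig) error {
	switch c.TrafficEncapMode {
	case ModeEncap, ModeNoEncap, ModeHybrid:
		// known mode
	default:
		return fmt.Errorf("%w: unknown trafficEncapMode %q", ErrInvalidConfig, c.TrafficEncapMode)
	}
	if c.EnableIPSecTunnel && c.TrafficEncapMode != ModeEncap {
		return fmt.Errorf("%w: enableIPSecTunnel requires trafficEncapMode %q, got %q",
			ErrInvalidConfig, ModeEncap, c.TrafficEncapMode)
	}
	if c.TunnelType != "" && c.TrafficEncapMode == ModeNoEncap {
		return fmt.Errorf("%w: tunnelType %q has no effect in trafficEncapMode %q",
			ErrInvalidConfig, c.TunnelType, ModeNoEncap)
	}
	return nil
}

// IPSecEffective reports whether, after validation, tunnel traffic will in fact
// be encrypted: true only for a valid config with IPsec enabled.
func IPSecEffective(c AgentConfig) bool {
	return ValidateAgentConfig(c) == nil && c.EnableIPSecTunnel
}

func main() {
	// Constructed sample configurations covering the consistent and the
	// inconsistent combinations discussed in the thread.
	samples := []AgentConfig{
		{TrafficEncapMode: ModeEncap, TunnelType: "geneve", EnableIPSecTunnel: true},
		{TrafficEncapMode: ModeNoEncap, EnableIPSecTunnel: true},
		{TrafficEncapMode: ModeHybrid, TunnelType: "vxlan", EnableIPSecTunnel: true},
		{TrafficEncapMode: ModeNoEncap, TunnelType: "vxlan"},
		{TrafficEncapMode: "passthrough"},
	}
	for _, c := range samples {
		if err := ValidateAgentConfig(c); err != nil {
			fmt.Printf("%+v -> REJECTED: %v\n", c, err)
			continue
		}
		fmt.Printf("%+v -> ok, ipsec=%v\n", c, IPSecEffective(c))
	}
}
```

Wrapping every failure in `ErrInvalidConfig` lets the agent's startup code treat any inconsistency the same way (refuse to start and log the reason) while still giving operators a message that names the offending pair of options.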
  • weixin_39683598 weixin_39683598 4 months ago

    Ok. I will drop this PR then. Also let me know if you prefer another name for the option to enable IPSec - it is now "enableIPSecTunnel".

  • weixin_39761558 weixin_39761558 4 months ago

    The name is fine as far as I'm concerned, since IPsec can only be enabled for tunnels created by Antrea.
