Handle IPSec network encryption
Controls whether IPSec network encryption using
SecureOverlay is enabled in Kubernetes.
Related-Bug: PRODX-21133
Change-Id: I904da6190bd337de0b2f9e04e93848696da83f9d
diff --git a/de/heat-templates/fragments/SrvInstancesVM.yaml b/de/heat-templates/fragments/SrvInstancesVM.yaml
index 93372b0..d3e0427 100644
--- a/de/heat-templates/fragments/SrvInstancesVM.yaml
+++ b/de/heat-templates/fragments/SrvInstancesVM.yaml
@@ -73,6 +73,8 @@
availability_zone:
type: string
default: nova
+ secure_overlay_enabled:
+ type: boolean
resources:
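Review bot: The new `secure_overlay_enabled` parameter in this fragment has neither a `description` nor a `default`, so the fragment can no longer be instantiated without the caller supplying the value, and a reader of the template has no statement of what the flag does. The top.yaml hunk at `@@ -338` adds the same parameter with `default: false` but also without a `description`, so the two declarations drift. I would add `description: Enable IPSec network encryption for the Kubernetes overlay network (SecureOverlay).` in both places and, in this fragment, `default: false` to match top.yaml; the description is also the natural place to state that the value is only applied when the UCP config is first created (see the instance_boot.sh change in this commit).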
@@ -100,6 +102,7 @@
$docker_ucp_swarm_data_port: { get_param: docker_ucp_swarm_data_port }
$docker_default_address_pool: { get_param: docker_default_address_pool }
$single_node: { get_param: single_node }
+ $secure_overlay_enabled: { get_param: secure_overlay_enabled }
inject_files:
type: "OS::Heat::CloudConfig"
diff --git a/de/heat-templates/scripts/instance_boot.sh b/de/heat-templates/scripts/instance_boot.sh
index c83b93e..7e5d4c9 100644
--- a/de/heat-templates/scripts/instance_boot.sh
+++ b/de/heat-templates/scripts/instance_boot.sh
@@ -61,6 +61,7 @@
DOCKER_DEFAULT_ADDRESS_POOL=${DOCKER_DEFAULT_ADDRESS_POOL:-$docker_default_address_pool}
LVM_LOOP_DEVICE_SIZE=${LVM_LOOP_DEVICE_SIZE:-$lvm_loop_device_size}
CINDER_LVM_LOOP_DEVICE_SIZE=${CINDER_LVM_LOOP_DEVICE_SIZE:-$cinder_lvm_loop_device_size}
+SECURE_OVERLAY_ENABLED=${SECURE_OVERLAY_ENABLED:-$secure_overlay_enabled}
#
# End of block
#
@@ -455,6 +456,10 @@
if [[ "${SINGLE_NODE}" == true ]]; then
max_pods="kubelet_max_pods = 220"
fi
+ if [[ "${SECURE_OVERLAY_ENABLED,,}" == true ]]; then
+ secure_overlay="secure_overlay = true
+ calico_vxlan = false"
+ fi
if docker config ls | grep com.docker.ucp.config ; then
echo "Config com.docker.ucp.config already exists"
else
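Review bot: The `calico_vxlan = false` line inside the new `secure_overlay` block has no comment saying why VXLAN has to be disabled together with enabling SecureOverlay, and the `,,` case-folding on `SECURE_OVERLAY_ENABLED` differs from the `"${SINGLE_NODE}" == true` comparison three lines above without saying why; both look deliberate but a maintainer cannot tell. I would add `# SecureOverlay (IPSec) is incompatible with the Calico VXLAN backend, so force it off together` above the assignment and `# Heat renders boolean params as True/False; fold to lower case before comparing` above the test — presumably that is the reason for the `,,`, please confirm. Because the `docker config create` that consumes `${secure_overlay}` (the `@@ -465` hunk) only runs when `com.docker.ucp.config` does not already exist, as the visible `docker config ls | grep` branch shows, toggling the flag on a cluster that already has the config will not change its encryption setting; that is existing behaviour, but with an encryption flag it is worth a comment or a log line so operators do not assume traffic became encrypted. The enclosing function starts and ends outside this hunk, so I cannot see whether `secure_overlay` is initialised before the `if`; if the script runs under `set -u`, an unset variable would abort the later expansion, so `secure_overlay=""` before the test would be safer.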
@@ -465,6 +470,7 @@
[cluster_config]
dns = [\"172.18.208.44\"]
${max_pods}
+ ${secure_overlay}
" | docker config create com.docker.ucp.config -
fi
}
diff --git a/de/heat-templates/top.yaml b/de/heat-templates/top.yaml
index 68a725a..6191c08 100644
--- a/de/heat-templates/top.yaml
+++ b/de/heat-templates/top.yaml
@@ -338,6 +338,9 @@
availability_zone:
type: string
default: nova
+ secure_overlay_enabled:
+ type: boolean
+ default: false
conditions:
aio_deploy:
@@ -435,6 +438,7 @@
hardware_metadata: { get_param: hardware_metadata}
single_node: { get_param: single_node}
availability_zone: { get_param: availability_zone }
+ secure_overlay_enabled: { get_param: secure_overlay_enabled }
masters:
type: OS::Heat::ResourceGroup