Revert "Configure narrowing=yes for IPsec connections"

This reverts commit e0bfa7e.
openshift · Dec 19, 2024 · 3c4cbbd · 3c4cbbd
1 parent 7f7957a
commit 3c4cbbd
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 15 deletions.
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
@@ -241,22 +241,7 @@ spec:
             sed -i "/${defaultcpinclude}/s/^/# /" /etc/ipsec.conf
           fi
 
-          # Use /etc/ipsec.d/cno.conf file to write our own default IPsec connection parameters.
-          # The /etc/ipsec.d/openshift.conf file can not be used because it is managed by openvswitch.
-          touch /etc/ipsec.d/cno.conf
-          if ! grep -q "narrowing=yes" /etc/ipsec.d/cno.conf; then
-          cat <<EOF > /etc/ipsec.d/cno.conf
-          # Default IPsec connection parameters rendered by network operator.
-          # The narrowing=yes is needed to narrow down the proposals exchanged
-          # by two peers to a mutually acceptable set, otherwise it sometimes
-          # have traffic hit between peer nodes.
-          conn %default
-              narrowing=yes
-          EOF
-          fi
-
           # since pluto is on the host, we need to restart it after changing connection
-          # parameters.
           chroot /proc/1/root ipsec restart
 
           counter=0

diff --git a/bindata/network/ovn-kubernetes/common/ipsec-post-start.sh b/bindata/network/ovn-kubernetes/common/ipsec-post-start.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+timeout=120
+elapsed=0
+desiredconn=""
+establishedsa=""
+
+if [ ! -e "/etc/ipsec.d/openshift.conf" ]; then
+  exit 0
+fi
+
+while [[ $elapsed -lt $timeout ]]; do
+  desiredconn=$(grep -E '^\s*conn\s+' /etc/ipsec.d/openshift.conf | grep -v '%default' | awk '{print $2}' | tr ' ' '\n' | sort | tr '\n' ' ')
+  establishedsa=$(ipsec showstates | grep STATE_V2_ESTABLISHED_CHILD_SA | grep -o '"[^"]*"' | sed 's/"//g' | tr ' ' '\n' | sort | uniq | tr '\n' ' ')
+  if [ "$desiredconn" == "$establishedsa" ]; then
+    echo "IPsec SAs are established for desired connections"
+    break
+  else
+    echo "IPsec SAs are not established yet, waiting"
+    sleep 2s
+    fi
+  elapsed=$((elapsed + 2))
+done
+
+if [[ $elapsed -ge $timeout ]]; then
+    echo "Timed out waiting, some connections are not established, desired conns $desiredconn, established conns $establishedsa"
+fi