Add IPsecCertAuth in the docs (#5433)

Signed-off-by: chengzw <[email protected]>

build/charts/antrea/conf/antrea-agent.conf

@@ -67,7 +67,7 @@ featureGates:
 # Enable mirroring or redirecting the traffic Pods send or receive.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TrafficControl" "default" false) }}
 
-# Enable certificated-based authentication for IPsec.
+# Enable certificate-based authentication for IPSec tunnel.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }}
 
 # Enable collecting support bundle files with SupportBundleCollection CRD.

build/charts/antrea/conf/antrea-controller.conf

@@ -34,7 +34,7 @@ featureGates:
 # Enable managing external IPs of Services of LoadBalancer type.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}
 
-# Enable certificated-based authentication for IPsec.
+# Enable certificate-based authentication for IPSec tunnel.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }}
 
 # Enable managing ExternalNode for unmanaged VM/BM.

build/yamls/antrea-aks.yml

@@ -5522,7 +5522,7 @@ data:
     # Enable mirroring or redirecting the traffic Pods send or receive.
     #  TrafficControl: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable collecting support bundle files with SupportBundleCollection CRD.
@@ -5896,7 +5896,7 @@ data:
     # Enable managing external IPs of Services of LoadBalancer type.
     #  ServiceExternalIP: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable managing ExternalNode for unmanaged VM/BM.
@@ -6819,7 +6819,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
+        checksum/config: 3f29ab6bd7105c6a6b30dafad282ac88a606e7aefe5914b7787aeeaafa7b4f8d
       labels:
         app: antrea
         component: antrea-agent
@@ -7060,7 +7060,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
+        checksum/config: 3f29ab6bd7105c6a6b30dafad282ac88a606e7aefe5914b7787aeeaafa7b4f8d
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -5522,7 +5522,7 @@ data:
     # Enable mirroring or redirecting the traffic Pods send or receive.
     #  TrafficControl: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable collecting support bundle files with SupportBundleCollection CRD.
@@ -5896,7 +5896,7 @@ data:
     # Enable managing external IPs of Services of LoadBalancer type.
     #  ServiceExternalIP: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable managing ExternalNode for unmanaged VM/BM.
@@ -6819,7 +6819,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
+        checksum/config: 3f29ab6bd7105c6a6b30dafad282ac88a606e7aefe5914b7787aeeaafa7b4f8d
       labels:
         app: antrea
         component: antrea-agent
@@ -7061,7 +7061,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
+        checksum/config: 3f29ab6bd7105c6a6b30dafad282ac88a606e7aefe5914b7787aeeaafa7b4f8d
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -5522,7 +5522,7 @@ data:
     # Enable mirroring or redirecting the traffic Pods send or receive.
     #  TrafficControl: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable collecting support bundle files with SupportBundleCollection CRD.
@@ -5896,7 +5896,7 @@ data:
     # Enable managing external IPs of Services of LoadBalancer type.
     #  ServiceExternalIP: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable managing ExternalNode for unmanaged VM/BM.
@@ -6819,7 +6819,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 1be8ab6f39c7b1d3742d49f9614a5fae317932ce2cc7b2473cc12a920f13641d
+        checksum/config: f72133ab696861e8ad657749229d1449f856a7b84fb37c933db72debf8c57a30
       labels:
         app: antrea
         component: antrea-agent
@@ -7058,7 +7058,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 1be8ab6f39c7b1d3742d49f9614a5fae317932ce2cc7b2473cc12a920f13641d
+        checksum/config: f72133ab696861e8ad657749229d1449f856a7b84fb37c933db72debf8c57a30
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -5535,7 +5535,7 @@ data:
     # Enable mirroring or redirecting the traffic Pods send or receive.
     #  TrafficControl: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable collecting support bundle files with SupportBundleCollection CRD.
@@ -5909,7 +5909,7 @@ data:
     # Enable managing external IPs of Services of LoadBalancer type.
     #  ServiceExternalIP: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable managing ExternalNode for unmanaged VM/BM.
@@ -6832,7 +6832,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 9d2ce5aebdb9b1a668615a90578317745bafc6052b7c29431fd009a0ba65d62a
+        checksum/config: 62fe59882b960435e6de67c414b3ea71463d9c1eb97a024a69dd0aa6e506deff
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -7117,7 +7117,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 9d2ce5aebdb9b1a668615a90578317745bafc6052b7c29431fd009a0ba65d62a
+        checksum/config: 62fe59882b960435e6de67c414b3ea71463d9c1eb97a024a69dd0aa6e506deff
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -5522,7 +5522,7 @@ data:
     # Enable mirroring or redirecting the traffic Pods send or receive.
     #  TrafficControl: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable collecting support bundle files with SupportBundleCollection CRD.
@@ -5896,7 +5896,7 @@ data:
     # Enable managing external IPs of Services of LoadBalancer type.
     #  ServiceExternalIP: false
 
-    # Enable certificated-based authentication for IPsec.
+    # Enable certificate-based authentication for IPSec tunnel.
     #  IPsecCertAuth: false
 
     # Enable managing ExternalNode for unmanaged VM/BM.
@@ -6819,7 +6819,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: cc9b64c3b915bfd5a500d76f39a5b650f86819e144dbccea5019b4ecd4192292
+        checksum/config: 0916c9bded20cacbfe338c02c0128325d00b246fabb96488a95baa2a54ad7616
       labels:
         app: antrea
         component: antrea-agent
@@ -7058,7 +7058,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: cc9b64c3b915bfd5a500d76f39a5b650f86819e144dbccea5019b4ecd4192292
+        checksum/config: 0916c9bded20cacbfe338c02c0128325d00b246fabb96488a95baa2a54ad7616
       labels:
         app: antrea
         component: antrea-controller

docs/feature-gates.md

@@ -52,6 +52,7 @@ edit the Agent configuration in the
 | `ServiceExternalIP`           | Agent + Controller | `false` | Alpha | v1.5          | N/A          | N/A        | Yes                |                                               |
 | `TrafficControl`              | Agent              | `false` | Alpha | v1.7          | N/A          | N/A        | No                 |                                               |
 | `Multicluster`                | Agent + Controller | `false` | Alpha | v1.7          | N/A          | N/A        | Yes                | Controller side feature gate added in v1.10.0 |
+| `IPsecCertAuth`               | Agent + Controller | `false` | Alpha | v1.7          | N/A          | N/A        | No                 |                                               |
 | `ExternalNode`                | Agent              | `false` | Alpha | v1.8          | N/A          | N/A        | Yes                |                                               |
 | `SupportBundleCollection`     | Agent + Controller | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |                                               |
 | `L7NetworkPolicy`             | Agent + Controller | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |                                               |
@@ -356,6 +357,10 @@ Antrea Multi-cluster Controller must be deployed and the cluster must join a Mul
 Antrea Multi-cluster features. Refer to [Antrea Multi-cluster user guide](multicluster/user-guide.md) for more
 information about Multi-cluster configuration. At the moment, Antrea Multi-cluster supports only IPv4.
 
+### IPsecCertAuth
+
+This feature enables certificate-based authentication for IPSec tunnel.
+
 ### ExternalNode
 
 The `ExternalNode` feature enables Antrea Agent runs on a virtual machine or a bare-metal server which is not a

pkg/features/antrea_features.go

@@ -114,7 +114,7 @@ const (
 	TrafficControl featuregate.Feature = "TrafficControl"
 
 	// alpha: v1.7
-	// Enable certificated-based authentication for IPsec.
+	// Enable certificate-based authentication for IPSec tunnel.
 	IPsecCertAuth featuregate.Feature = "IPsecCertAuth"
 
 	// alpha: v1.8