From a6c893c56a46fe87b104bcb6f97b6127396b709a Mon Sep 17 00:00:00 2001 From: chengzw <40051120+cr7258@users.noreply.github.com> Date: Thu, 24 Aug 2023 14:48:43 +0800 Subject: [PATCH] Add IPsecCertAuth in the docs (#5433) Signed-off-by: chengzw --- build/charts/antrea/conf/antrea-agent.conf | 2 +- build/charts/antrea/conf/antrea-controller.conf | 2 +- build/yamls/antrea-aks.yml | 8 ++++---- build/yamls/antrea-eks.yml | 8 ++++---- build/yamls/antrea-gke.yml | 8 ++++---- build/yamls/antrea-ipsec.yml | 8 ++++---- build/yamls/antrea.yml | 8 ++++---- docs/feature-gates.md | 5 +++++ pkg/features/antrea_features.go | 2 +- 9 files changed, 28 insertions(+), 23 deletions(-) diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf index 515680e88dd..6790822c672 100644 --- a/build/charts/antrea/conf/antrea-agent.conf +++ b/build/charts/antrea/conf/antrea-agent.conf @@ -67,7 +67,7 @@ featureGates: # Enable mirroring or redirecting the traffic Pods send or receive. {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TrafficControl" "default" false) }} -# Enable certificated-based authentication for IPsec. +# Enable certificate-based authentication for IPSec tunnel. {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }} # Enable collecting support bundle files with SupportBundleCollection CRD. diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf index a96e487cec5..7a66e0afcb9 100644 --- a/build/charts/antrea/conf/antrea-controller.conf +++ b/build/charts/antrea/conf/antrea-controller.conf 
@@ -34,7 +34,7 @@ featureGates: # Enable managing external IPs of Services of LoadBalancer type. {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }} -# Enable certificated-based authentication for IPsec. +# Enable certificate-based authentication for IPSec tunnel. {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }} # Enable managing ExternalNode for unmanaged VM/BM. diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index 271e38cab6f..ad6d8f6fb56 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -5522,7 +5522,7 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable collecting support bundle files with SupportBundleCollection CRD. @@ -5896,7 +5896,7 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable managing ExternalNode for unmanaged VM/BM. @@ -6819,7 +6819,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428 + checksum/config: 3f29ab6bd7105c6a6b30dafad282ac88a606e7aefe5914b7787aeeaafa7b4f8d labels: app: antrea component: antrea-agent 
@@ -7060,7 +7060,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428 + checksum/config: 3f29ab6bd7105c6a6b30dafad282ac88a606e7aefe5914b7787aeeaafa7b4f8d labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 0e0754824b8..b1bfdc60b67 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -5522,7 +5522,7 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable collecting support bundle files with SupportBundleCollection CRD. @@ -5896,7 +5896,7 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable managing ExternalNode for unmanaged VM/BM. @@ -6819,7 +6819,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428 + checksum/config: 3f29ab6bd7105c6a6b30dafad282ac88a606e7aefe5914b7787aeeaafa7b4f8d labels: app: antrea component: antrea-agent 
@@ -7061,7 +7061,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428 + checksum/config: 3f29ab6bd7105c6a6b30dafad282ac88a606e7aefe5914b7787aeeaafa7b4f8d labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index e8b25e75cf8..0efa7a61c61 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -5522,7 +5522,7 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable collecting support bundle files with SupportBundleCollection CRD. @@ -5896,7 +5896,7 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable managing ExternalNode for unmanaged VM/BM. @@ -6819,7 +6819,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 1be8ab6f39c7b1d3742d49f9614a5fae317932ce2cc7b2473cc12a920f13641d + checksum/config: f72133ab696861e8ad657749229d1449f856a7b84fb37c933db72debf8c57a30 labels: app: antrea component: antrea-agent 
@@ -7058,7 +7058,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 1be8ab6f39c7b1d3742d49f9614a5fae317932ce2cc7b2473cc12a920f13641d + checksum/config: f72133ab696861e8ad657749229d1449f856a7b84fb37c933db72debf8c57a30 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index a15be30fcce..8c2670efa95 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -5535,7 +5535,7 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable collecting support bundle files with SupportBundleCollection CRD. @@ -5909,7 +5909,7 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable managing ExternalNode for unmanaged VM/BM. @@ -6832,7 +6832,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 9d2ce5aebdb9b1a668615a90578317745bafc6052b7c29431fd009a0ba65d62a + checksum/config: 62fe59882b960435e6de67c414b3ea71463d9c1eb97a024a69dd0aa6e506deff checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4 labels: app: antrea 
@@ -7117,7 +7117,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 9d2ce5aebdb9b1a668615a90578317745bafc6052b7c29431fd009a0ba65d62a + checksum/config: 62fe59882b960435e6de67c414b3ea71463d9c1eb97a024a69dd0aa6e506deff labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index f3743b1c734..42611ddb053 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -5522,7 +5522,7 @@ data: # Enable mirroring or redirecting the traffic Pods send or receive. # TrafficControl: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable collecting support bundle files with SupportBundleCollection CRD. @@ -5896,7 +5896,7 @@ data: # Enable managing external IPs of Services of LoadBalancer type. # ServiceExternalIP: false - # Enable certificated-based authentication for IPsec. + # Enable certificate-based authentication for IPSec tunnel. # IPsecCertAuth: false # Enable managing ExternalNode for unmanaged VM/BM. @@ -6819,7 +6819,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: cc9b64c3b915bfd5a500d76f39a5b650f86819e144dbccea5019b4ecd4192292 + checksum/config: 0916c9bded20cacbfe338c02c0128325d00b246fabb96488a95baa2a54ad7616 labels: app: antrea component: antrea-agent 
@@ -7058,7 +7058,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: cc9b64c3b915bfd5a500d76f39a5b650f86819e144dbccea5019b4ecd4192292 + checksum/config: 0916c9bded20cacbfe338c02c0128325d00b246fabb96488a95baa2a54ad7616 labels: app: antrea component: antrea-controller diff --git a/docs/feature-gates.md b/docs/feature-gates.md index deea6efc088..dcd813ce9ef 100644 --- a/docs/feature-gates.md +++ b/docs/feature-gates.md @@ -52,6 +52,7 @@ edit the Agent configuration in the | `ServiceExternalIP` | Agent + Controller | `false` | Alpha | v1.5 | N/A | N/A | Yes | | | `TrafficControl` | Agent | `false` | Alpha | v1.7 | N/A | N/A | No | | | `Multicluster` | Agent + Controller | `false` | Alpha | v1.7 | N/A | N/A | Yes | Controller side feature gate added in v1.10.0 | +| `IPsecCertAuth` | Agent + Controller | `false` | Alpha | v1.7 | N/A | N/A | No | | | `ExternalNode` | Agent | `false` | Alpha | v1.8 | N/A | N/A | Yes | | | `SupportBundleCollection` | Agent + Controller | `false` | Alpha | v1.10 | N/A | N/A | Yes | | | `L7NetworkPolicy` | Agent + Controller | `false` | Alpha | v1.10 | N/A | N/A | Yes | | @@ -356,6 +357,10 @@ Antrea Multi-cluster Controller must be deployed and the cluster must join a Mul Antrea Multi-cluster features. Refer to [Antrea Multi-cluster user guide](multicluster/user-guide.md) for more information about Multi-cluster configuration. At the moment, Antrea Multi-cluster supports only IPv4. +### IPsecCertAuth + +This feature enables certificate-based authentication for IPSec tunnel. + ### ExternalNode The `ExternalNode` feature enables Antrea Agent runs on a virtual machine or a bare-metal server which is not a diff --git a/pkg/features/antrea_features.go b/pkg/features/antrea_features.go index 1426bd0a4c3..056b50f5db4 100644 --- a/pkg/features/antrea_features.go +++ b/pkg/features/antrea_features.go 
@@ -114,7 +114,7 @@ const ( TrafficControl featuregate.Feature = "TrafficControl" // alpha: v1.7 - // Enable certificated-based authentication for IPsec. + // Enable certificate-based authentication for IPSec tunnel. IPsecCertAuth featuregate.Feature = "IPsecCertAuth" // alpha: v1.8
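Review bot: The rewritten doc comment on `IPsecCertAuth` spells the protocol "IPSec", while the constant, its gate string and the comment it replaces all use "IPsec", so a case-sensitive search for the feature name no longer matches its own description. I would keep the "certificated" fix and write `// Enable certificate-based authentication for IPsec tunnels.` instead. The same sentence appears in the antrea-agent.conf and antrea-controller.conf hunks, in every build/yamls manifest hunk and in the new docs/feature-gates.md section, so the wording is best changed in the chart templates and the manifests regenerated from them. Because this gate changes how tunnel peers authenticate each other, the comment could also name what is used when the gate is off; the hunk does not show it (presumably a pre-shared key, to be confirmed). The `const (` block starts and ends outside the hunk.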