Add ipsec package to image release 1.11 (#2618)

* support ipsec

Author: changluyi

dist/images/Dockerfile.base

@@ -72,15 +72,16 @@ RUN mkdir /packages/ && \
      cp /usr/src/openvswitch-*.deb /packages && \
      cp /usr/src/python3-openvswitch*.deb /packages && \
      cp /usr/src/ovn-*.deb /packages && \
-     cd /packages && rm -f *dbg* *datapath* *docker* *vtep* *ipsec* *test* *dev*
+     cd /packages && rm -f *dbg* *datapath* *docker* *vtep* *test* *dev*
 
 FROM ubuntu:22.04
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN apt update && apt upgrade -y && apt install ca-certificates python3 hostname libunwind8 netbase \
         ethtool iproute2 ncat libunbound-dev procps libatomic1 kmod iptables \
         tcpdump ipset curl uuid-runtime openssl inetutils-ping arping ndisc6 \
-        logrotate dnsutils net-tools -y --no-install-recommends && \
+        logrotate dnsutils net-tools strongswan strongswan-pki libcharon-extra-plugins \
+        libcharon-extauth-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins -y --no-install-recommends && \
         rm -rf /var/lib/apt/lists/* && \
         cd /usr/sbin && \
         ln -sf /usr/sbin/iptables-legacy iptables && \
@@ -103,8 +104,8 @@ RUN curl -L https://dl.k8s.io/${KUBE_VERSION}/kubernetes-client-linux-${ARCH}.ta
 
 RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages  \
     dpkg -i /packages/libopenvswitch*.deb && \
-    dpkg -i /packages/openvswitch-*.deb && \
     dpkg -i /packages/python3-openvswitch*.deb && \
+    dpkg -i /packages/openvswitch-*.deb && \
     dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/ovn-*.deb && \
     mv /usr/lib/python3.7/dist-packages/ovs /usr/lib/python3/dist-packages/ && \
     rm -rf /var/lib/openvswitch/pki/

dist/images/ipsec.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+set -euo pipefail
+
+OVN_NB_POD=
+
+showHelp(){
+  echo "sh ipsec.sh [init|start|stop|status]"
+}
+
+getOvnCentralPod(){
+    NB_POD=$(kubectl get pod -n kube-system -l ovn-nb-leader=true | grep ovn-central | head -n 1 | awk '{print $1}')
+    if [ -z "$NB_POD" ]; then
+      echo "nb leader not exists"
+      exit 1
+    fi
+    OVN_NB_POD=$NB_POD
+}
+
+initIpsec (){
+  podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'`
+  for pod in $podNames; do
+    caPod=$pod
+    break
+  done
+
+  echo " Initing CA $caPod "
+  kubectl exec -it $caPod -n kube-system -- ovs-pki init --force > /dev/null
+
+  for pod in $podNames; do
+    echo " Initing privkey,req,cert file on pod $pod "
+    systemId=$(kubectl exec -it ${pod} -n kube-system -- ovs-vsctl get Open_vSwitch . external_ids:system-id | tr -d '"' | tr -d '\r')
+
+    kubectl exec -it $pod -n kube-system -- ovs-pki req -u $systemId --force > /dev/null
+    kubectl exec -it $pod -n kube-system -- mv "${systemId}-privkey.pem" /etc/ipsec.d/private/
+    kubectl exec -it $pod -n kube-system -- mv "${systemId}-req.pem" /etc/ipsec.d/reqs/
+
+    if [[ $pod == $caPod ]]; then
+       kubectl exec -it $pod -n kube-system -- rm -f "/etc/ipsec.d/reqs/${systemId}-cert.pem" > /dev/null
+       kubectl exec -it $pod -n kube-system -- ovs-pki sign -b "/etc/ipsec.d/reqs/${systemId}" switch > /dev/null
+       kubectl exec -it $pod -n kube-system -- mv "/etc/ipsec.d/reqs/${systemId}-cert.pem" /etc/ipsec.d/certs/
+       kubectl exec -it $pod -n kube-system -- cp /var/lib/openvswitch/pki/switchca/cacert.pem /etc/ipsec.d/cacerts/ > /dev/null
+    else
+       kubectl cp "${pod}:/etc/ipsec.d/reqs/${systemId}-req.pem" "${systemId}-req.pem" -n kube-system > /dev/null
+       kubectl cp "${systemId}-req.pem" "${caPod}:/kube-ovn/" -n kube-system > /dev/null
+       # ovs-pki sign do not have options --force so rm cert first
+       kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-cert.pem"
+       kubectl exec -it $caPod -n kube-system -- ovs-pki sign -b ${systemId} switch > /dev/null
+       kubectl cp "${caPod}:/kube-ovn/${systemId}-cert.pem" "${systemId}-cert.pem" -n kube-system > /dev/null
+       kubectl cp "${systemId}-cert.pem" "${pod}:/etc/ipsec.d/certs/" -n kube-system > /dev/null
+
+       kubectl cp "${caPod}:/var/lib/openvswitch/pki/switchca/cacert.pem" cacert.pem -n kube-system > /dev/null
+       kubectl cp cacert.pem "${pod}:/etc/ipsec.d/cacerts/" -n kube-system > /dev/null
+
+       # clean temp files
+       kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-req.pem"
+       kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-cert.pem"
+       rm -f ${systemId}-req.pem
+       rm -f ${systemId}-cert.pem
+       rm -f cacert.pem
+    fi
+
+    kubectl exec -it $pod -n kube-system -- ovs-vsctl set Open_vSwitch . \
+          other_config:certificate=/etc/ipsec.d/certs/"${systemId}-cert.pem" \
+          other_config:private_key=/etc/ipsec.d/private/"${systemId}-privkey.pem" \
+          other_config:ca_cert=/etc/ipsec.d/cacerts/cacert.pem
+  done
+
+  echo " Enabling ovn ipsec "
+  kubectl ko nbctl set nb_global . ipsec=true
+
+  for pod in $podNames; do
+      echo " Starting pod ${pod} ipsec service"
+      kubectl exec -it -n kube-system $pod -- service openvswitch-ipsec restart > /dev/null
+      kubectl exec -it -n kube-system $pod -- service ipsec restart > /dev/null
+  done
+
+  echo " Kube-OVN ipsec init successfully, it may take a few seconds to setup ipsec completely "
+}
+
+getOvnCentralPod
+subcommand="$1"; shift
+
+case $subcommand in
+  init)
+    initIpsec
+    ;;
+  start)
+    kubectl exec "$OVN_NB_POD" -n kube-system -c ovn-central -- ovn-nbctl set nb_global . ipsec=true
+    echo " Kube-OVN ipsec started "
+    ;;
+  stop)
+    kubectl exec "$OVN_NB_POD" -n kube-system -c ovn-central -- ovn-nbctl set nb_global . ipsec=false
+    echo " Kube-OVN ipsec stopped "
+    ;;
+  status)
+    podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'`
+    for pod in $podNames; do
+      echo " Pod {$pod} ipsec status..."
+      kubectl exec -it $pod -n kube-system -- ovs-appctl -t ovs-monitor-ipsec tunnels/show
+    done
+    ;;
+  *)
+    showHelp
+    exit 1
+    ;;
+esac