admin_guide/ipsec.adoc: 23 additions & 2 deletions
@@ -52,6 +52,16 @@ IPSec requires 62 bytes. If the cluster is operating on an ethernet network with
52
52
an MTU of 1500 then the SDN MTU should be 1388, to allow for the overhead of
53
53
IPSec and the SDN encapsulation.
54
54
55
+
After modifying the MTU in the {product-title} configuration, the SDN must be
56
+
made aware of the change by removing the SDN interface and restarting the
57
+
{product-title} node process.
58
+
+
59
+
----
60
+
# systemctl stop atomic-openshift-node
61
+
# ovs-vsctl del-br br0
62
+
# systemctl start atomic-openshift-node
63
+
----
64
+
55
65
[[admin-guide-ipsec-certificates]]
56
66
=== Step 2: Certificates
57
67
By default, {product-title} secures cluster management communication with
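Review bot: the added three-command sequence (`systemctl stop atomic-openshift-node`, `ovs-vsctl del-br br0`, `systemctl start atomic-openshift-node`) deletes the node's OVS bridge, which drops all pod networking on that node until the node process rebuilds it, yet the new paragraph says nothing about that disruption or about scope. Suggest stating that the steps must be run on every node whose MTU was changed, one node at a time, after the node has been taken out of scheduling and its pods evacuated, and pointing at the exact setting meant by "the MTU in the {product-title} configuration" so the reader can find it.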
@@ -184,6 +194,17 @@ configuration of every other node in the cluster. Using a configuration
184
194
management tool such as Ansible to generate this file on each host is
185
195
recommended.
186
196
197
+
. This configuration also requires the full certificate subject of each node to
198
+
be placed into the configuration for every other node. To read this subject from
199
+
the node's certificate, use *openssl*:
200
+
+
201
+
----
202
+
# openssl x509 \
203
+
-in /path/to/client-certificate -text | \
204
+
grep "Subject:" | \
205
+
sed 's/[[:blank:]]*Subject: //'
206
+
----
207
+
187
208
. Place the following lines into the *_/etc/ipsec.d/openshift-cluster.conf_* file on each node for every other node in the cluster:
188
209
+
189
210
====
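Review bot: the new `----` listing block follows the list item text without a `+` list continuation line, unlike the next item, which does carry the `+` before its `====` block; in AsciiDoc the unattached block terminates the numbered list, so the following `. Place the following lines ...` item restarts at 1. Insert a `+` line between `the node's certificate, use *openssl*:` and the opening `----`. Separately, `openssl x509 -text | grep "Subject:"` prints the DN with a space after each comma (and the exact spacing around `=` varies between OpenSSL versions), so the value this pipeline yields will not look like the `O=system:nodes,CN=...` form the document later gives for `rightid`; show a sample of the command's output here and say which form `rightid` expects.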
@@ -194,15 +215,15 @@ conn <other_node_hostname>
194
215
leftrsasigkey=%cert
195
216
leftcert=<this_node_cert_nickname> <2>
196
217
right=<other_node_ip> <3>
197
-
rightid="CN=<other_node_cert_nickname>" <4>
218
+
rightid="<other_node_cert_full_subject>" <4>
198
219
rightrsasigkey=%cert
199
220
auto=start
200
221
keyingtries=%forever
201
222
----
202
223
<1> Replace <this_node_ip> with the cluster IP address of this node.
203
224
<2> Replace <this_node_cert_nickname> with the node certificate nickname from step one.
204
225
<3> Replace <other_node_ip> with the cluster IP address of the other node.
205
-
<4> Replace <other_node_cert_nickname> with the other node certificate nickname from step one.
226
+
<4> Replace <other_node_cert_full_subject> with the other node's certificate subject from just above. For example: "O=system:nodes,CN=openshift-node-45.example.com".
206
227
====
207
228
208
229
. Place the following in the *_/etc/ipsec.d/openshift-cluster.secrets_* file on each node:
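Review bot: the example in the rewritten callout `<4>`, `"O=system:nodes,CN=openshift-node-45.example.com"`, has no space after the comma, while the `openssl x509 -text` pipeline introduced earlier in this change emits the subject with `, ` separators, so a reader who pastes that output into `rightid` gets a different string from the one shown; the example and the command output should agree, and the text should state whether libreswan's DN comparison for `rightid` ignores that whitespace. Since the conn block now pins the peer by its full certificate subject, it is also worth noting in the prose that this is deliberate: a looser setting such as `rightid=%fromcert` would avoid copying every subject into every node's configuration (the burden the text already acknowledges by recommending Ansible) but would accept any peer presenting a certificate valid under the same CA, which is a weaker check than matching the exact subject.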