Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.5
Affects Version/s: None
Component/s: NetworkManager-libreswan
Labels:

Epic Link:
NMT-1025
Keywords:

ZStream

Pool Team:

sst_network_management
Sub-System Group:

ssg_networking

Internal Target Milestone:
10
Story Points:
3
Target Version:

rhel-9.5
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
NMT - RHEL-9.5 DTM 8
Release Blocker:
Approved Blocker
Target Backport Versions:

rhel-9.2.0.z

Acceptance Criteria:
Hide

User story:

As an OpenShift administrator,

I want to securely connect my OpenShift cluster to a Single Node OpenShift (SNO) instance using nmstate to configure IPSec connections with certificate-based authentication,

So that I can ensure secure communication channels between my cluster and SNO, leveraging mutual TLS for authentication.

Acceptance criteria:

Given a system with NetworkManager-libreswan installed,

When a network administrator configures an IPSec connection specifying both leftcert and rightcert parameters for certificate-based authentication,

Then NetworkManager-libreswan should successfully recognize and apply the rightcert parameter.

Definition of Done:

The implementation meets the acceptance criteria

Unit test and integration test are written and pass

The code is part of a downstream build attached to an errata

The code is backported into RHEL-9.2

The release note text is filled

AC and QE test alignment:
The CI test added in https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/-/merge_requests/1674 aligns well with the acceptance criteria provided above as it includes the setup and configuration steps (Imports the server certificate into local database, adds VPN connection with `leftcert` and `rightcert` and brings up the connection and verifies the connection state and associated routes.
Show
User story: As an OpenShift administrator, I want to securely connect my OpenShift cluster to a Single Node OpenShift (SNO) instance using nmstate to configure IPSec connections with certificate-based authentication, So that I can ensure secure communication channels between my cluster and SNO, leveraging mutual TLS for authentication. Acceptance criteria: Given a system with NetworkManager-libreswan installed, When a network administrator configures an IPSec connection specifying both leftcert and rightcert parameters for certificate-based authentication, Then NetworkManager-libreswan should successfully recognize and apply the rightcert parameter. Definition of Done: The implementation meets the acceptance criteria Unit test and integration test are written and pass The code is part of a downstream build attached to an errata The code is backported into RHEL-9.2 The release note text is filled AC and QE test alignment : The CI test added in https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/-/merge_requests/1674 aligns well with the acceptance criteria provided above as it includes the setup and configuration steps (Imports the server certificate into local database, adds VPN connection with `leftcert` and `rightcert` and brings up the connection and verifies the connection state and associated routes.
Git Pull Request:
https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/merge_requests/31
Preliminary Testing:
Pass
Test Link:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/-/merge_requests/1674
Errata Link:
https://errata.engineering.redhat.com/advisory/130888

Release Note Type:
Enhancement
Release Note Text:

Hide
Feature, enhancement (describe the feature or enhancement from the user’s point of view):
Reason (why has the feature or enhancement been implemented):
Result (what is the current user experience):

Show
Feature, enhancement (describe the feature or enhancement from the user’s point of view): Reason (why has the feature or enhancement been implemented): Result (what is the current user experience):
Release Note Status:
Proposed

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

While configuring IPSec connections through nmstate for secure communication between hosts, it became evident that a key feature, certificate-based authentication using rightcert, is unsupported. This limitation is due to the lack of rightcert parameter support in the NetworkManager-libreswan plugin. Therefore, this ticket will track the implementation of this parameter.

relates to

RHEL-28898 RFE: nmstate support libreswan configurations with leftcert&rightcert

Integration

links to

RHBA-2024:130888 NetworkManager-libreswan bug fix and enhancement update

Test Requirement (KNET-296102)

Assignee:: Inigo Huguet

Reporter:: Stanislas Faye

Developer:: Network Management Team

QA Contact:: Vladimir Benes

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/03/26 8:16 AM

Updated:: 2024/05/31 9:20 AM

Target end:: 2024/05/06

Details

Description

Attachments

Issue Links

Activity

People

Dates