From 681d5ed99e55d8661a5cc17843a390c984e169d1 Mon Sep 17 00:00:00 2001
From: Periyasamy Palanisamy
Date: Mon, 22 Jun 2026 10:16:05 +0200
Subject: [PATCH 1/2] Configure ovnkube-node and ovn-ipsec for IPsec Child SA metric
Signed-off-by: Periyasamy Palanisamy
---
.../network/ovn-kubernetes/common/008-script-lib.yaml | 6 ++++++
.../ovn-kubernetes/common/ipsec-containerized.yaml | 6 ++++++
.../network/ovn-kubernetes/managed/ovnkube-node.yaml | 11 +++++++++++
.../ovn-kubernetes/self-hosted/ovnkube-node.yaml | 11 +++++++++++
4 files changed, 34 insertions(+)
diff --git a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
index b244e6b3f8..ee60bc9429 100644
--- a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
+++ b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -688,6 +688,11 @@ data:
 enable_interconnect_flag="--enable-interconnect"
 fi
+ ipsec_enable_flag=
+ {{ if .OVNIPsecEnable }}
+ ipsec_enable_flag="--enable-ipsec"
+ {{ end }}
 exec /usr/bin/ovnkube \
 ${init_ovnkube_controller} \
 --init-node "${K8S_NODE}" \
@@ -714,6 +719,7 @@ data:
 --acl-logging-rate-limit "{{.OVNPolicyAuditRateLimit}}" \
 ${gw_interface_flag} \
 ${ip_forwarding_flag} \
+ ${ipsec_enable_flag} \
 ${ovn_advertised_udn_isolation_mode_flag} \
 ${openflow_probe_flag} \
 ${allow_icmp_network_policy_flag} \
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml b/bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml
index 34f195e076..0b5c381aac 100644
--- a/bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml
+++ b/bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml
@@ -300,6 +300,8 @@ spec:
 name: host-cni-netd
 - mountPath: /var/run/openvswitch
 name: host-var-run-ovs
+ - mountPath: /var/run/pluto
+ name: host-var-run-pluto
 - mountPath: /var/log/openvswitch/
 name: host-var-log-ovs
 - mountPath: /etc/openvswitch
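Review bot: The new `ipsec_enable_flag` lines say nothing about what `--enable-ipsec` turns on or why it is coupled to a host mount in a different manifest, so the next reader has to cross-reference the commit message. I'd add above `ipsec_enable_flag=`: `# --enable-ipsec: lets ovnkube-node report the IPsec Child SA metric (see commit); ovnkube-node.yaml mounts the pluto runtime dir under the same .OVNIPsecEnable gate`. Because the flag is baked into the script at template-render time rather than read from a runtime setting, it stays consistent with that mount only as long as both templates are rendered from the same OVNIPsecEnable value, which the comment should make explicit. The exec'd ovnkube command line continues beyond the hunk.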
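Review bot: Mounting host `/var/run/pluto` read-write into the ipsec container publishes pluto's runtime directory — presumably its control socket and pid file — on the host, where the old context shows no such mount, so any host process or hostPath-mounting pod that can reach the socket can now drive pluto (add/delete connections, shut it down), not merely read SA state. That widening is likely acceptable since host root already owns the node, but it should be deliberate: I'd add at the mount `# pluto runtime dir (control socket), shared on the host so ovnkube-node can read Child SA state; socket perms must stay root-only` and confirm the socket mode is not relaxed anywhere. If a host-side pluto could ever run on the same node (the ipsec-host variant is not in this hunk), both daemons would now contend for the same pid/socket directory, which is worth a check. The container's volumeMounts list continues outside the hunk.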
@@ -345,6 +347,10 @@ spec:
 hostPath:
 path: /var/run/openvswitch
 type: DirectoryOrCreate
+ - name: host-var-run-pluto
+ hostPath:
+ path: /var/run/pluto
+ type: DirectoryOrCreate
 - name: signer-ca
 configMap:
 name: signer-ca
diff --git a/bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml b/bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml
index f26e34709e..0ab5470cf0 100644
--- a/bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml
+++ b/bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml
@@ -526,6 +526,11 @@ spec:
 name: etc-openvswitch
 - mountPath: /var/lib/openvswitch
 name: var-lib-openvswitch
+{{ if .OVNIPsecEnable }}
+ - mountPath: /var/run/pluto/
+ name: host-var-run-pluto
+ readOnly: true
+{{ end }}
 - mountPath: /run/ovnkube-config/
 name: ovnkube-config
 - mountPath: /env
@@ -719,6 +724,12 @@ spec:
 - name: host-var-lib-cni-networks-ovn-kubernetes
 hostPath:
 path: /var/lib/cni/networks/ovn-k8s-cni-overlay
+{{ if .OVNIPsecEnable }}
+ - name: host-var-run-pluto
+ hostPath:
+ path: /var/run/pluto
+ type: DirectoryOrCreate
+{{ end }}
 - name: ovnkube-config
 configMap:
 name: ovnkube-config
diff --git a/bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml b/bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml
index 18f52c983c..7e68dc4131 100644
--- a/bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml
+++ b/bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml
@@ -550,6 +550,11 @@ spec:
 name: etc-openvswitch
 - mountPath: /var/lib/openvswitch
 name: var-lib-openvswitch
+{{ if .OVNIPsecEnable }}
+ - mountPath: /var/run/pluto/
+ name: host-var-run-pluto
+ readOnly: true
+{{ end }}
 - mountPath: /run/ovnkube-config/
 name: ovnkube-config
 - mountPath: /env
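Review bot: `readOnly: true` on the `/var/run/pluto/` mount in managed/ovnkube-node.yaml does not limit what ovnkube-node can do to pluto, because the directory's payload is a unix-domain control socket and connecting to or writing through a socket is not blocked by a read-only bind mount (the kernel's read-only check applies to regular files, directories and symlinks only — the same reason a read-only docker.sock mount is still fully usable). If ovnkube reads Child SA state through that socket, the mount effectively hands the node agent full `whack` control over pluto, and the only real boundary is the socket's own ownership and mode. I'd state that at the mount so nobody later treats readOnly as the isolation: `# readOnly only blocks file creation; the pluto control socket is fully usable from here`. The container's volumeMounts list continues outside the hunk.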
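Review bot: The `host-var-run-pluto` volume in managed/ovnkube-node.yaml uses `type: DirectoryOrCreate` on the consuming side, so if ovnkube-node comes up before the ipsec DaemonSet has created anything, kubelet silently creates an empty root-owned `/var/run/pluto` on the host and the pod starts with no socket present, whereas `type: Directory` would fail the mount loudly. That is presumably chosen for start-up ordering, but the choice should be recorded: `# populated by pluto from the ovn-ipsec DaemonSet; DirectoryOrCreate so ovnkube-node can start first (metric reads nothing until the socket appears) — TODO confirm`. The identical block is added to self-hosted/ovnkube-node.yaml, so any later change to path or type has to be made in both places.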
@@ -725,6 +730,12 @@ spec:
 - name: host-var-lib-cni-networks-ovn-kubernetes
 hostPath:
 path: /var/lib/cni/networks/ovn-k8s-cni-overlay
+{{ if .OVNIPsecEnable }}
+ - name: host-var-run-pluto
+ hostPath:
+ path: /var/run/pluto
+ type: DirectoryOrCreate
+{{ end }}
 - name: ovnkube-config
 configMap:
 name: ovnkube-config
From 4227e6c79e10e62296698b98ed7572244b6e59fa Mon Sep 17 00:00:00 2001
From: Periyasamy Palanisamy
Date: Mon, 22 Jun 2026 13:36:32 +0200
Subject: [PATCH 2/2] Remove host mount for ipsec binaries
Signed-off-by: Periyasamy Palanisamy
---
.../network/ovn-kubernetes/common/ipsec-host.yaml | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
index 3a3e549c61..014dce1fe9 100644
--- a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
+++ b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
@@ -338,10 +338,6 @@ spec:
 name: host-var-lib
 - mountPath: /etc
 name: host-etc
- - mountPath: /usr/sbin
- name: usr-sbin
- - mountPath: /usr/libexec
- name: usr-libexec
 resources:
 requests:
 cpu: 10m
@@ -537,14 +533,6 @@ spec:
 path: /etc
 type: Directory
 name: host-etc
- - hostPath:
- path: /usr/sbin
- type: Directory
- name: usr-sbin
- - hostPath:
- path: /usr/libexec
- type: Directory
- name: usr-libexec
 tolerations:
 - operator: "Exists"
 {{end}}