NetApp / trident

Storage orchestrator for containers
Apache License 2.0

trident IPSec support #644

Open Jiawei0227 opened 3 years ago

Jiawei0227 commented 3 years ago

Describe the solution you'd like

ONTAP supports IPSec as the only data-in-transit encryption option for iSCSI. Context: https://docs.netapp.com/us-en/ontap/networking/configure_ip_security_@ipsec@_over_wire_encryption.html

However, the IPSec configuration is tedious and complicated. It requires ONTAP security policy database (SPD) configuration as well as IPSec configuration on the host machine. Managing both of these configs separately is a lot of pain for ONTAP end users.

It would be good if Trident could add IPSec support so that users can provide a data subnet range, and then Trident can

  1. Generate a separate security key for each node the CSI driver will be running on
  2. Automatically talk to the ONTAP API and generate the necessary SPD entry with the key and IP.
  3. Automatically configure the host machine to enable IPSec using software like strongSwan
  4. Dynamically add or remove SPD entries when the cluster scales.

This would be a great solution for users that have stricter security restrictions.

Wondering if this is a solid solution and worth putting time into implementing.

/cc @msau42 @bswartz
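As an added illustration of steps 1, 2 and 4 of the proposal (not code from Trident or NetApp): a small Go reconciler that mints one random pre-shared key per new node and diffs the desired SPD entries against what ONTAP already holds, so scaling up only adds entries and scaling down only removes them. `SPDEntry` and the ONTAP-side map are constructed stand-ins; the real ONTAP API calls are assumed to be made by the caller with the returned lists.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net"
)

// SPDEntry is a constructed model of one ONTAP SPD entry (not a real Trident
// or ONTAP type): the node IP allowed onto the data subnet and its PSK.
type SPDEntry struct {
	NodeIP string
	PSK    string
}

// newPSK draws a 256-bit hex pre-shared key from the OS CSPRNG (step 1): one
// key per node, so a compromised node cannot decrypt its peers' traffic.
func newPSK() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic("CSPRNG unavailable: " + err.Error()) // fail closed, never a weak key
	}
	return hex.EncodeToString(b)
}

// reconcile returns the SPD entries to add and node IPs to remove so ONTAP
// matches the nodes now running the CSI driver (steps 2 and 4). Existing
// nodes keep their key; a node IP outside dataSubnet is rejected outright.
func reconcile(dataSubnet string, nodes []string, current map[string]SPDEntry) (add []SPDEntry, remove []string, err error) {
	_, subnet, err := net.ParseCIDR(dataSubnet)
	if err != nil {
		return nil, nil, err
	}
	want := map[string]bool{}
	for _, ip := range nodes {
		if p := net.ParseIP(ip); p == nil || !subnet.Contains(p) {
			return nil, nil, fmt.Errorf("node %q is not in data subnet %s", ip, dataSubnet)
		}
		want[ip] = true
		if _, ok := current[ip]; !ok { // new node: mint a key; old nodes see no churn
			add = append(add, SPDEntry{NodeIP: ip, PSK: newPSK()})
		}
	}
	for ip := range current {
		if !want[ip] {
			remove = append(remove, ip) // node left the cluster: drop its policy
		}
	}
	return add, remove, nil
}
```

The returned PSKs belong in a Kubernetes Secret for the matching node, never in logs or a ConfigMap.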

g0053 commented 1 year ago

+1