Tanzu

 Enabling traffic encryption with Antrea

Alvaro Fernandez Rodriguez's profile image
Alvaro Fernandez Rodriguez posted Jul 10, 2024 03:57 AM

Hello,

I've been trying to enable traffic encryption in a TKGs workload cluster using Antrea as CNI.

As soon as I edit the antrea-config configmap to enable it, it gets restored to its default state.

I have also tried to modify the antreaconfig CRD in my Supervisor, but trafficEncryptionMode is not a field of the spec.

Is this a supported configuration? Maybe I can mess with the Antrea package that is auto-installed?

Thanks in advance.

Nicholas Marts's profile image
Broadcom Employee Nicholas Marts posted Jul 10, 2024 12:27 PM

Hello Alvaro,

Thanks so much for the great question! Unfortunately right now, the Antrea package is configured/managed by the supervisor cluster base off of the supervisor cluster's desired state for that guest cluster. 

I have escalated to our engineering team about exposing these kinds of configurations in a future version and sited your specific use case. 

-Nick

vSphere with Tanzu Global Support Lead

Alvaro Fernandez Rodriguez's profile image
Alvaro Fernandez Rodriguez posted Jul 11, 2024 09:47 AM

Hello Nicholas, 

Thanks for your answer. Would we be able to modify this setting if we deployed TKGm instead?

I see it mentioned in the management cluster configuration doc, but it isn't clear to me if this is only for the management cluster, or if I can also apply it in the workload clusters as I can't see it in the workload cluster creation doc.

Thanks again for your time.