 Enabling traffic encryption with Antrea

Alvaro Fernandez Rodriguez posted Jul 10, 2024 03:57 AM

Hello,

I've been trying to enable traffic encryption in a TKGs workload cluster using Antrea as CNI.

As soon as I edit the antrea-config configmap to enable it, it gets restored to its default state.

I have also tried to modify the antreaconfig CRD in my Supervisor, but trafficEncryptionMode is not a field of the spec.

Is this a supported configuration? Maybe I can mess with the Antrea package that is auto-installed?

Thanks in advance.

Broadcom Employee Nicholas Marts

Hello Alvaro,

Thanks so much for the great question! Unfortunately, right now the Antrea package is configured/managed by the supervisor cluster based off of the supervisor cluster's desired state for that guest cluster.

I have escalated to our engineering team about exposing these kinds of configurations in a future version and cited your specific use case.

-Nick

vSphere with Tanzu Global Support Lead

Alvaro Fernandez Rodriguez

Hello Nicholas, 

Thanks for your answer. Would we be able to modify this setting if we deployed TKGm instead?

I see it mentioned in the management cluster configuration doc, but it isn't clear to me if this is only for the management cluster, or if I can also apply it in the workload clusters as I can't see it in the workload cluster creation doc.

Thanks again for your time.