Support IPsec Certificate-based Authentication

[xliuxu]

Introduce a new authentication mode for IPsec tunnel encryption.
A new config ipsec.authenticationMode is added to the Agent.
Now Antrea supports both "psk" and "cert" modes for IPsec
authentication If "cert" is enabled, Antrea Agent will request IPsec
certificates by Kubernetes CertificateSigningRequests API with
signer name antrea.io/antrea-agent-ipsec-tunnel. Antrea Controller
will validate the requests and issue certificates if the request is
permitted.

The signer antrea.io/antrea-agent-ipsec-tunnel in Antrea Controller
has the following properties:

• Trust distribution - CA certificate will be saved as a ConfigMap
  antrea-ipsec-ca in kube-system namespace.
• Permitted subjects - organizations are exactly ["antrea.io"], common
  name must be one of the Node names.
• Permitted x509 extension - honors key usage and DNSName
  extensions, forbids other subjectAltName extensions. DNS name
  must be the same as the common name.
• Permitted key usages - exactly ["ipsec tunnel"]
• Expiration/certificate lifetime - defaults to 1 year.
• CA bit allowed/disallowed - not allowed.

The CSRs can be automatically approved by default. Antrea Controller
will validate Pod identity to provide maximum security if the Kubernetes
BoundServiceAccountTokenVolume feature gate is enabled. Antrea
Agents will renew certificates automatically when the certificate
reaches approximately 80% of the lifetime.

This feature requires feature gate IPsecCertAuth to be enabled.

Closes: #3765

Signed-off-by: Xu Liu xliu2@vmware.com

[codecov-commenter]

Codecov Report

Merging #3778 (a9d57fb) into main (05504f0) will decrease coverage by 1.38%.
The diff coverage is 61.81%.

@@            Coverage Diff             @@
##             main    #3778      +/-   ##
==========================================
- Coverage   62.12%   60.73%   -1.39%     
==========================================
  Files         281      290       +9     
  Lines       40096    41219    +1123     
==========================================
+ Hits        24909    25035     +126     
- Misses      13215    14154     +939     
- Partials     1972     2030      +58     

Flag	Coverage Δ
kind-e2e-tests	45.51% <5.70%> (-2.37%)	⬇️
unit-tests	44.30% <57.79%> (+0.38%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/config/node_config.go	100.00% <ø> (ø)
pkg/agent/interfacestore/types.go	66.66% <0.00%> (ø)
pkg/features/antrea_features.go	11.11% <ø> (ø)
pkg/agent/agent.go	53.80% <26.31%> (-0.87%)	⬇️
pkg/ovs/ovsconfig/ovs_client.go	46.66% <41.66%> (-0.72%)	⬇️
pkg/agent/config/ipsec_authentication_mode.go	53.84% <53.84%> (ø)
...catesigningrequest/ipsec_csr_signing_controller.go	61.65% <61.65%> (ø)
...r/ipseccertificate/ipsec_certificate_controller.go	62.54% <62.54%> (ø)
pkg/controller/certificatesigningrequest/common.go	64.58% <64.58%> (ø)
...er/certificatesigningrequest/ipsec_csr_approver.go	66.27% <66.27%> (ø)
... and 82 more

[jianjuns]

I feel we need a feature gate for this.

[xliuxu]

During the manual tests, i found that keeping certificate names while rotating certificates will not work. Not only because the monitor script of OVS will not detect such changes, strongswan will also not load the certificate as long as the cert defined in ipsec.conf is not changed. And there is no command to trigger re-reading the certificate other than ipsec reload, which is too heavy. So I changed the renewal approach to creating different files for new certificates.

[xliuxu]

/test-e2e

[xliuxu]

/test-e2e

[tnqn]

LGTM, thanks

[tnqn]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[xliuxu]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[xliuxu]

/test-networkpolicy

[tnqn]

/test-networkpolicy

[xliuxu]

/test-networkpolicy

[xliuxu]

/test-networkpolicy

[xliuxu]

/test-networkpolicy

[xliuxu]

/test-networkpolicy