Add service dependencies for openvswitch-ipsec.service

The openvswitch-ipsec must be started only after ipsec.service and
it has to be up before crio and kubelet service, so add appropriate
systemd service dependencies for openvswitch-ipsec.service.

It also removes a workaround that was needed in ipsec-connect-wait
script to explicitly trigger pluto to establish IPSec IKE SAs with
peer nodes.

Signed-off-by: Periyasamy Palanisamy <[email protected]>

Author: pperiyasamy

templates/common/_base/files/wait-for-ipsec-connect.yaml

@@ -9,15 +9,8 @@ contents:
       exit 0
     fi
 
-    #
-    if ! grep -q "auto=start" /etc/ipsec.d/openshift.conf; then
-      sed -i '/^.*conn ovn.*$/a\    auto=start' /etc/ipsec.d/openshift.conf
-    fi
-
     cat /etc/ipsec.d/openshift.conf
 
-    chroot /proc/1/root ipsec restart
-
     timeout=180
     elapsed=0
     desiredconn=""

templates/common/_base/units/openvswitch-ipsec.service.yaml

@@ -0,0 +1,7 @@
+name: openvswitch-ipsec.service
+dropins:
+  - name: 01-after-pluto-start.conf
+    contents: |
+      [Unit]
+      After=ipsec.service
+      Before=crio.service

templates/common/_base/units/wait-for-ipsec-connect.yaml

@@ -3,7 +3,7 @@ enabled: true
 contents: |
   [Unit]
   Description=Ensure IKE SA established for existing IPsec connections.
-  After=ipsec.service
+  After=openvswitch-ipsec.service
   Before=kubelet-dependencies.target node-valid-hostname.service
 
   [Service]