add more info

Signed-off-by: clyi <[email protected]>
kubeovn · Aug 12, 2024 · bca6ac3 · bca6ac3
1 parent c265713
commit bca6ac3
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/docs/advance/ovn-ipsec.en.md b/docs/advance/ovn-ipsec.en.md
@@ -1,7 +1,12 @@
-# Use IPsec to encrypt communication between node
+
+# Use IPsec to encrypt communication between nodes
 
 This function is supported from v1.13.0 onwards, and the host UDP 500 and 4500 ports need to be available.
 
-## Start IPsec
+## Encryption process
+
+kube-ovn-cni is responsible for applying for certificates and will create a certificate signing request to kube-ovn-controller. kube-ovn-controller will automatically approve the certificate application, and then kube-ovn-cni will generate an ipsec configuration file based on the certificate and finally start the ipsec process.
+
+## Configure IPsec
 
-Change the args `--enable-ovn-ipsec=false` in kube-ovn-controller and kube-ovn-cni to `--enable-ovn-ipsec=true`.
+Change the args `--enable-ovn-ipsec=false` in kube-ovn-controller and kube-ovn-cni to `--enable-ovn-ipsec=true`.
diff --git a/docs/advance/ovn-ipsec.md b/docs/advance/ovn-ipsec.md
@@ -2,6 +2,10 @@
 
 该功能从 v1.13.0 后支持，同时需要保证主机 UDP 500 和 4500 端口可用。
 
-## 启动 IPsec
+## 加密流程
+
+kube-ovn-cni 负责将证书申请，会创建一个 certificatesigningrequest 给 kube-ovn-controller，kube-ovn-controller 会自动 approve 证书申请，然后 kube-ovn-cni 会根据证书生成 ipsec 配置文件，最后启动 ipsec 进程。
+
+## 配置 IPsec
 
 将 kube-ovn-controller 和 kube-ovn-cni 中的 args `--enable-ovn-ipsec=false` 修改为 `--enable-ovn-ipsec=true`。