Feature: add ipsec as new option to enable IPSec network

[ableischwitz]

• Add new option ipsec to enable IPSec during installation.
• As OpenShift seem to make this a day2 operation, there is a additional option ipsec_only_on_day2 which does the needed change after the installation. The user will have to make sure that the MTU is adjusted to handle the additonal 50 bytes of IPSec. The ipsec option already makes sure that the MTU (default 1500) is adjusted accordingly.
• Due to this requirement the option mtu was introduced as well (defaults to 1500).

Description

Checklist/ToDo's

• Added documentation?
• Added release note entry? ( docs/release-notes.md )
• Tested?

[rbo]

/ok-to-test

[rbo]

I would suggest moving the ipsec enabled into an add-on.

To adjust the install-config.yaml, I'm plan to add a more generic approach, I don't like for every install-config.yaml setting a option/switch. Something like:

install_config_overwrite: |-
   ovnKubernetesConfig:
    mtu: 1500
    ipsecConfig: {}

and then it merges the generated config with the overwrite. What's your thoughts?

[ableischwitz]

Such merge mechanism would allow quite some flexibility for the configuration, but there should also be an easy way to enable such feature. If manual adjustment would be required, we could use a default config-snippet injected into install-config.yaml, overridden by the special settings given by the user.
This would allow users to easily enable features (with opinionated defaults from the documentation) and also allow further customization. But such adjustment would be needed to be added to 'cluster.yamlfor those adjustments. It also looks like theipsec` option is now moved to a post-installation task - having it as a add-on would probably allow it to be a pre-installation or post-installation task - once there is a pre-installation hook for that.