IPv6 dual stack support not working as intended #5004

Closed
tekulvw opened this issue Jan 4, 2025 · 1 comment · Fixed by #5019
Labels
cherrypick/release-v1.2.5 help wanted Extra attention is needed kind/bug Something isn't working

Contributor

tekulvw commented Jan 4, 2025

Description:
I have recently stood up a k8s cluster with Calico CNI and dual stack support. To my understanding, I need to explicitly specify IP family DualStack in a custom EnvoyProxy resource definition and link that to a gateway in order to get IPv6 support. After configuring this with a dedicated gateway, the gateway service is created with ipFamily: SingleStack and it pulls only an IPv4 address. If I use EnvoyProxy.spec.provider.kubernetes.patch to explicitly patch in ipFamilyPolicy: RequireDualStack, the gateway service is granted an IPv6 address (from my MetalLB pool) but never passes readiness checks.

I'm looking for any direction I can get to debug this problem. I've tried helm chart v1.2.3, v1.2.4, and v0.0.0-latest as of this posting.

I have tested this out against the authentik helm chart. I have manually patched the created service to PreferDualStack and have confirmed it has a cluster IPv6 address (though I don't know if this is required for EG to route to it).

The gateway configuration below functions correctly as written over IPv4.

Repro steps:

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: ipv6-dynamic-pool
  namespace: metallb
spec:
  autoAssign: false
  avoidBuggyIPs: true
  addresses:
    - omitted_ipv4/24
    - omitted_ipv6/116
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: homelab-proxy-ipv6-config
spec:
  provider:
    type: Kubernetes
    kubernetes:
      envoyDeployment:
        replicas: 2
      envoyService:
        annotations:
          metallb.io/address-pool: ipv6-dynamic-pool
  ipFamily: DualStack
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg-ipv6
  annotations:
    cert-manager.io/issuer: letsencrypt-prod
spec:
  gatewayClassName: eg
  infrastructure:
    parametersRef:
      group: gateway.envoyproxy.io
      kind: EnvoyProxy
      name: homelab-proxy-ipv6-config
  listeners:
    - name: http
      port: 80
      protocol: HTTP
      hostname: "xxx"
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      port: 443
      protocol: HTTPS
      hostname: "xxx"
      tls:
        mode: Terminate
        certificateRefs:
          - name: xxx
      allowedRoutes:
        namespaces:
          from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: authentik-route
  namespace: authentik
spec:
  parentRefs:
    - name: eg
      namespace: gateway
      sectionName: https
    - name: eg-ipv6
      namespace: gateway
      sectionName: http
    - name: eg-ipv6
      namespace: gateway
      sectionName: https
  hostnames:
    - "xxx"
    - "xxx"
  rules:
    - backendRefs:
        - name: authentik-server
          namespace: authentik
          kind: Service
          port: 80

Environment:

EG helm chart v1.2.3, v1.2.4, v0.0.0-latest

Logs:

Please let me know which logs I need to grab, I am not quite sure what is helpful.
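
An added diagnostic example (not part of the original issue and not Envoy Gateway code): it checks whether a gateway Service object is really dual stack by inspecting `ipFamilyPolicy`, `ipFamilies`, `clusterIPs` and the load balancer ingress addresses. It assumes the Service has been exported as JSON (for example with `kubectl get service <name> -o json`); the two sample objects are constructed with documentation address ranges.

```python
import ipaddress

BOTH = {"IPv4", "IPv6"}

def families(addrs):
    """Return the IP families present in a list of address strings."""
    found = set()
    for addr in addrs:
        try:
            found.add(f"IPv{ipaddress.ip_address(addr).version}")
        except ValueError:
            continue  # empty value or "None" (headless Service)
    return found

def dual_stack_problems(svc):
    """List the reasons a Service object (parsed JSON) is not dual stack."""
    spec, status = svc.get("spec", {}), svc.get("status", {})
    problems = []
    policy = spec.get("ipFamilyPolicy")
    if policy not in ("PreferDualStack", "RequireDualStack"):
        problems.append(f"ipFamilyPolicy is {policy}")
    ingress = status.get("loadBalancer", {}).get("ingress") or []
    checks = {
        "ipFamilies": set(spec.get("ipFamilies", [])),
        "clusterIPs": families(spec.get("clusterIPs", [])),
        "loadBalancer ingress": families([i.get("ip", "") for i in ingress]),
    }
    for field, present in checks.items():
        missing = BOTH - present
        if missing:
            problems.append(f"{field} lacks {sorted(missing)}")
    return problems

# Constructed samples (documentation address ranges, not values from the issue).
SINGLE = {
    "spec": {"ipFamilyPolicy": "SingleStack", "ipFamilies": ["IPv4"],
             "clusterIPs": ["10.96.12.7"]},
    "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.10"}]}},
}
DUAL = {
    "spec": {"ipFamilyPolicy": "RequireDualStack", "ipFamilies": ["IPv4", "IPv6"],
             "clusterIPs": ["10.96.12.7", "fd00:10:96::c07"]},
    "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.10"},
                                            {"ip": "2001:db8::10"}]}},
}

if __name__ == "__main__":
    for name, svc in (("single", SINGLE), ("dual", DUAL)):
        print(name, dual_stack_problems(svc) or "dual stack")
```

An empty result only shows that the Service was allocated addresses in both families; pod readiness has to be checked separately.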

@tekulvw tekulvw added the triage label Jan 4, 2025
@arkodg arkodg added kind/bug Something isn't working and removed triage labels Jan 6, 2025
@arkodg arkodg added this to the v1.3.0 milestone Jan 6, 2025
Contributor

arkodg commented Jan 6, 2025

looks like a bug, can't see the code setting the ipFamily


cc @zirain @juwon8891
