Ambassador does not accept Ipv4 requests in dual stack mode #4012

Open
steffenries opened this issue Jan 18, 2022 · 5 comments
Labels
t:feature New feature or enhancement request

Comments

@steffenries

Describe the bug
When I configure ambassador in an IPv4/IPv6 dual stack environment, requests are accepted either for IPv4 or IPv6. It is not possible to set up the proxy to accept requests for both protocols.

To Reproduce

  1. Install ambassador with IPv4 load balancer IP and env.AMBASSADOR_ENVOY_BIND_ADDRESS='::' to start listening on IPv6.
    e.g.
helm install ambassador datawire/ambassador --version 6.9.3 --set service.type=LoadBalancer --set service.loadBalancerIP=10.0.0.1 --set env.AMBASSADOR_ENVOY_BIND_ADDRESS='::'
  2. Configure Service using IPv6 load balancer IP:
    e.g.
kubectl apply -f - <<!
apiVersion: v1
kind: Service
metadata:
  name: ambassador-v6
spec:
  ipFamilies:
    - IPv6
  loadBalancerIP: fd00::1
  selector:
    app.kubernetes.io/instance: ambassador
    app.kubernetes.io/name: ambassador
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      targetPort: 8080
    - name: https
      port: 443
      targetPort: 8443
!

Expected behavior

Connections to both IPv4 and IPv6 endpoints should be accepted. In the example above both "curl http://10.0.01" and "curl http://[fd00::1]" should be accessible.

If AMBASSADOR_ENVOY_BIND_ADDRESS='::' is configured, ONLY IPv6 requests are accepted. If AMBASSADOR_ENVOY_BIND_ADDRESS is not configured, ONLY IPv4 requests are accepted.

Versions (please complete the following information):

  • Ambassador: 1.14.2
  • Kubernetes environment bare metal (MetalLB to provide load balanced addresses)
  • Version 1.21.2

Additional context

Envoy supports the option "ipv4_compat" to allow listeners listening on in6addr_any ("::") to accept IPv4 requests. The flag is not set when creating envoy/envoy.json, which leads to the single stack behavior.

This patch enables ipv4_compat unconditionally:

diff --git a/python/ambassador/envoy/v2/v2listener.py b/python/ambassador/envoy/v2/v2listener.py
index 555fd9460..c465884ef 100644
--- a/python/ambassador/envoy/v2/v2listener.py
+++ b/python/ambassador/envoy/v2/v2listener.py
@@ -617,7 +617,8 @@ class V2TCPListener(dict):
                 'socket_address': {
                     'address': self.bind_address,
                     'port_value': group.port,
-                    'protocol': 'TCP'
+                    'protocol': 'TCP',
+                    'ipv4_compat': True
                 }
             },
             'filter_chains': []
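Review bot: 'ipv4_compat': True is added next to 'address': self.bind_address without looking at what self.bind_address holds, so the flag is emitted even when the listener binds an IPv4 address. The issue text describes the option as applying to listeners on "::"; consider setting it only when the bind address parses as IPv6 and leaving the dict as it was otherwise.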
@@ -1144,7 +1145,8 @@ class V2Listener(dict):
             "socket_address": {
                 "address": envoy_bind_address,
                 "port_value": self.service_port,
-                "protocol": "TCP"
+                "protocol": "TCP",
+                "ipv4_compat": True
             }
         }

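Review bot: The "socket_address" literal in V2Listener now repeats the same keys, including the new "ipv4_compat", that V2TCPListener builds in the hunk at line 617, differing only in quote style. A small shared helper that takes the address and port would keep the two listener types from drifting apart the next time a socket option changes.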
diff --git a/python/ambassador/envoy/v3/v3listener.py b/python/ambassador/envoy/v3/v3listener.py
index e6d8d5c5c..8665df4ea 100644
--- a/python/ambassador/envoy/v3/v3listener.py
+++ b/python/ambassador/envoy/v3/v3listener.py
@@ -636,7 +636,8 @@ class V3TCPListener(dict):
                 'socket_address': {
                     'address': self.bind_address,
                     'port_value': group.port,
-                    'protocol': 'TCP'
+                    'protocol': 'TCP',
+                    'ipv4_compat': True
                 }
             },
             'filter_chains': []
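Review bot: In V3TCPListener the flag is hard-coded to True with no setting to turn it off, so a deployment that chose '::' to serve IPv6 only would start accepting IPv4 connections on group.port after upgrading. Because this widens what the listener accepts, it would be safer behind an explicit opt-in that defaults to the current behaviour, with the change called out in the release notes.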
@@ -1187,7 +1188,8 @@ class V3Listener(dict):
             "socket_address": {
                 "address": envoy_bind_address,
                 "port_value": self.service_port,
-                "protocol": "TCP"
+                "protocol": "TCP",
+                "ipv4_compat": True
             }
         }
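Review bot: Tests and documentation are missing: the patch touches only v2listener.py and v3listener.py, so nothing asserts that the "socket_address" generated for envoy_bind_address carries "ipv4_compat", and nothing tells users of AMBASSADOR_ENVOY_BIND_ADDRESS that '::' would now mean dual stack. Please add a test on the generated listener config and a sentence in the bind-address documentation.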
alexgervais added the t:feature label Jan 18, 2022
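The check below is an added example, not code from the issue or from the Ambassador project: it reads a generated Envoy config and reports, per listener, which IP families the bind address accepts under the "::" / ipv4_compat behaviour described in the issue. The sample JSON is constructed, and the `static_resources.listeners` layout and all function names are assumptions.

```python
import ipaddress
import json

# Constructed sample of a generated envoy.json (layout assumed, values invented).
SAMPLE_ENVOY_JSON = """
{"static_resources": {"listeners": [
  {"name": "v6-only", "address": {"socket_address":
    {"address": "::", "port_value": 8080, "protocol": "TCP"}}},
  {"name": "dual", "address": {"socket_address":
    {"address": "::", "port_value": 8443, "protocol": "TCP", "ipv4_compat": true}}},
  {"name": "v4-only", "address": {"socket_address":
    {"address": "0.0.0.0", "port_value": 8877, "protocol": "TCP"}}}
]}}
"""


def accepted_families(sock):
    """IP families a listener socket_address accepts, per the issue's description."""
    try:
        addr = ipaddress.ip_address(sock["address"])
    except ValueError:
        return set()  # not an IP literal; cannot classify
    if addr.version == 4:
        return {"IPv4"}
    # IPv6 bind: IPv4 clients are accepted only on "::" with ipv4_compat set.
    if addr.is_unspecified and sock.get("ipv4_compat", False):
        return {"IPv4", "IPv6"}
    return {"IPv6"}


def audit(config_text):
    """Return (name, address, port, sorted families) for every listener."""
    cfg = json.loads(config_text)
    rows = []
    for lst in cfg.get("static_resources", {}).get("listeners", []):
        sock = lst.get("address", {}).get("socket_address")
        if sock:
            rows.append((lst.get("name", "?"), sock["address"],
                         sock.get("port_value"), sorted(accepted_families(sock))))
    return rows


def single_stack_wildcards(config_text):
    """Names of listeners bound to '::' that would refuse IPv4 clients."""
    return [name for name, addr, _port, fams in audit(config_text)
            if fams == ["IPv6"] and ipaddress.ip_address(addr).is_unspecified]


if __name__ == "__main__":
    for row in audit(SAMPLE_ENVOY_JSON):
        print(row)
    print("IPv6-only wildcard listeners:", single_stack_wildcards(SAMPLE_ENVOY_JSON))
```

The same report also shows which ports would newly accept IPv4 once the flag is set, which is what firewall and network-policy rules need to account for.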
@alexgervais
Contributor

Thanks for raising this issue and providing a suggested fix @steffenries! I've tagged it as a feature request for a future release.

@lorenzo-biava

@alexgervais we are also interested in running Emissary in dual-stack mode. Was this ever implemented in the end? I've been looking around in the doc and code but can't really find anything about it.

@nsaujla

nsaujla commented May 7, 2024

@alexgervais Any update on this?

@alexgervais
Contributor

Hi @nsaujla, @lorenzo-biava. I'm no longer a maintainer or affiliated with Emissary-ingress. I'm not going to be able to move this forward.

@nsaujla

nsaujla commented May 7, 2024

@cindymullins-dw Can you please help with this?
