Address review feedback - 2

pkg/apis/kops/validation/validation_test.go

@@ -166,6 +166,24 @@ func TestValidateSubnets(t *testing.T) {
 			},
 			ExpectedErrors: []string{"Invalid value::subnets[0].ipv6CIDR"},
 		},
+		{
+			Input: []kops.ClusterSubnetSpec{
+				{Name: "a", IPv6CIDR: "::ffff:10.128.0.0"},
+			},
+			ExpectedErrors: []string{"Invalid value::subnets[0].ipv6CIDR"},
+		},
+		{
+			Input: []kops.ClusterSubnetSpec{
+				{Name: "a", IPv6CIDR: "::ffff:10.128.0.0/8"},
+			},
+			ExpectedErrors: []string{"Invalid value::subnets[0].ipv6CIDR"},
+		},
+		{
+			Input: []kops.ClusterSubnetSpec{
+				{Name: "a", CIDR: "::ffff:10.128.0.0/8"},
+			},
+			ExpectedErrors: []string{"Invalid value::subnets[0].cidr"},
+		},
 	}
 	for _, g := range grid {
 		cluster := &kops.ClusterSpec{

pkg/model/awsmodel/api_loadbalancer.go

@@ -350,10 +350,10 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 					Name:          fi.String("icmpv6-pmtu-api-elb-" + cidr),
 					Lifecycle:     b.SecurityLifecycle,
 					IPv6CIDR:      fi.String(cidr),
-					FromPort:      fi.Int64(2),
+					FromPort:      fi.Int64(-1),
 					Protocol:      fi.String("icmpv6"),
 					SecurityGroup: lbSG,
-					ToPort:        fi.Int64(0),
+					ToPort:        fi.Int64(-1),
 				})
 			} else {
 				c.AddTask(&awstasks.SecurityGroupRule{
@@ -401,10 +401,10 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 						Name:          fi.String("icmpv6-pmtu-api-elb-" + cidr),
 						Lifecycle:     b.SecurityLifecycle,
 						IPv6CIDR:      fi.String(cidr),
-						FromPort:      fi.Int64(2),
+						FromPort:      fi.Int64(-1),
 						Protocol:      fi.String("icmpv6"),
 						SecurityGroup: masterGroup.Task,
-						ToPort:        fi.Int64(0),
+						ToPort:        fi.Int64(-1),
 					})
 				} else {
 					c.AddTask(&awstasks.SecurityGroupRule{

tests/integration/update_cluster/minimal-ipv6/cloudformation.json

@@ -770,8 +770,8 @@
         "GroupId": {
           "Ref": "AWSEC2SecurityGroupmastersminimalipv6examplecom"
         },
-        "FromPort": 2,
-        "ToPort": 0,
+        "FromPort": -1,
+        "ToPort": -1,
         "IpProtocol": "icmpv6",
         "CidrIpv6": "::/0"
       }

tests/integration/update_cluster/minimal-ipv6/kubernetes.tf

@@ -731,11 +731,11 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 }
 
 resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
-  from_port         = 2
+  from_port         = -1
   ipv6_cidr_blocks  = ["::/0"]
   protocol          = "icmpv6"
   security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
-  to_port           = 0
+  to_port           = -1
   type              = "ingress"
 }
 

upup/pkg/fi/cloudup/awstasks/vpc.go

@@ -36,16 +36,17 @@ type VPC struct {
 	Name      *string
 	Lifecycle *fi.Lifecycle
 
-	ID                 *string
-	CIDR               *string
-	EnableDNSHostnames *bool
-	EnableDNSSupport   *bool
+	ID   *string
+	CIDR *string
 
-	// Used only for Terraform rendering.
+	// AmazonIPv6 is used only for Terraform rendering.
 	// Direct and CloudFormation rendering is handled via the VPCAmazonIPv6CIDRBlock task
 	AmazonIPv6 *bool
 	IPv6CIDR   *string
 
+	EnableDNSHostnames *bool
+	EnableDNSSupport   *bool
+
 	// Shared is set if this is a shared VPC
 	Shared *bool
 

upup/pkg/fi/cloudup/awstasks/vpcamazonipv6cidrblock.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2019 The Kubernetes Authors.
+Copyright 2021 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.