Add initial support for configuring IPv6 with AWS

cloudmock/aws/mockec2/subnets.go

@@ -74,6 +74,18 @@ func (m *MockEC2) CreateSubnetWithId(request *ec2.CreateSubnetInput, id string)
 		AvailabilityZone: request.AvailabilityZone,
 	}
 
+	if request.Ipv6CidrBlock != nil {
+		subnet.Ipv6CidrBlockAssociationSet = []*ec2.SubnetIpv6CidrBlockAssociation{
+			{
+				AssociationId: aws.String("subnet-cidr-assoc-ipv6-" + id),
+				Ipv6CidrBlock: request.Ipv6CidrBlock,
+				Ipv6CidrBlockState: &ec2.SubnetCidrBlockState{
+					State: aws.String(ec2.SubnetCidrBlockStateCodeAssociated),
+				},
+			},
+		}
+	}
+
 	if m.subnets == nil {
 		m.subnets = make(map[string]*subnetInfo)
 	}

cloudmock/aws/mockec2/vpcs.go

@@ -243,18 +243,33 @@ func (m *MockEC2) AssociateVpcCidrBlock(request *ec2.AssociateVpcCidrBlockInput)
 	if !ok {
 		return nil, fmt.Errorf("VPC %q not found", id)
 	}
-	association := &ec2.VpcCidrBlockAssociation{
-		CidrBlock:     request.CidrBlock,
-		AssociationId: aws.String(fmt.Sprintf("%v-%v", id, len(vpc.main.CidrBlockAssociationSet))),
-		CidrBlockState: &ec2.VpcCidrBlockState{
-			State: aws.String(ec2.VpcCidrBlockStateCodeAssociated),
-		},
+	var ipv4association *ec2.VpcCidrBlockAssociation
+	var ipv6association *ec2.VpcIpv6CidrBlockAssociation
+	if aws.BoolValue(request.AmazonProvidedIpv6CidrBlock) {
+		ipv6association = &ec2.VpcIpv6CidrBlockAssociation{
+			Ipv6Pool:      aws.String("Amazon"),
+			Ipv6CidrBlock: aws.String("2001:db8::/56"),
+			AssociationId: aws.String(fmt.Sprintf("%v-%v", id, len(vpc.main.Ipv6CidrBlockAssociationSet))),
+			Ipv6CidrBlockState: &ec2.VpcCidrBlockState{
+				State: aws.String(ec2.VpcCidrBlockStateCodeAssociated),
+			},
+		}
+		vpc.main.Ipv6CidrBlockAssociationSet = append(vpc.main.Ipv6CidrBlockAssociationSet, ipv6association)
+	} else {
+		ipv4association = &ec2.VpcCidrBlockAssociation{
+			CidrBlock:     request.CidrBlock,
+			AssociationId: aws.String(fmt.Sprintf("%v-%v", id, len(vpc.main.CidrBlockAssociationSet))),
+			CidrBlockState: &ec2.VpcCidrBlockState{
+				State: aws.String(ec2.VpcCidrBlockStateCodeAssociated),
+			},
+		}
+		vpc.main.CidrBlockAssociationSet = append(vpc.main.CidrBlockAssociationSet, ipv4association)
 	}
-	vpc.main.CidrBlockAssociationSet = append(vpc.main.CidrBlockAssociationSet, association)
 
 	return &ec2.AssociateVpcCidrBlockOutput{
-		CidrBlockAssociation: association,
-		VpcId:                request.VpcId,
+		CidrBlockAssociation:     ipv4association,
+		Ipv6CidrBlockAssociation: ipv6association,
+		VpcId:                    request.VpcId,
 	}, nil
 }
 

cmd/kops/integration_test.go

@@ -145,6 +145,7 @@ func (i *integrationTest) withNTH() *integrationTest {
 // TestMinimal runs the test on a minimum configuration, similar to kops create cluster minimal.example.com --zones us-west-1a
 func TestMinimal(t *testing.T) {
 	newIntegrationTest("minimal.example.com", "minimal").runTestTerraformAWS(t)
+	newIntegrationTest("minimal.example.com", "minimal").runTestCloudformation(t)
 }
 
 // TestMinimal runs the test on a minimum gossip configuration
@@ -190,9 +191,10 @@ func TestExternalPolicies(t *testing.T) {
 	newIntegrationTest("externalpolicies.example.com", "externalpolicies").runTestTerraformAWS(t)
 }
 
-// TestMinimalCloudformation runs the test on a minimum configuration, similar to kops create cluster minimal.example.com --zones us-west-1a
-func TestMinimalCloudformation(t *testing.T) {
-	newIntegrationTest("minimal.example.com", "minimal-cloudformation").runTestCloudformation(t)
+// TestMinimalIPv6 runs the test on a minimum IPv6 configuration, similar to kops create cluster minimal.example.com --zones us-west-1a
+func TestMinimalIPv6(t *testing.T) {
+	newIntegrationTest("minimal-ipv6.example.com", "minimal-ipv6").runTestTerraformAWS(t)
+	newIntegrationTest("minimal-ipv6.example.com", "minimal-ipv6").runTestCloudformation(t)
 }
 
 // TestMinimalEtcd runs the test on a minimum configuration using custom etcd config, similar to kops create cluster minimal.example.com --zones us-west-1a

cmd/kops/lifecycle_integration_test.go

@@ -62,8 +62,8 @@ func (o *LifecycleTestOptions) AddDefaults() {
 	o.SrcDir = "../../tests/integration/update_cluster/" + o.SrcDir
 }
 
-// TestLifecycleMinimal runs the test on a minimum configuration, similar to kops create cluster minimal.example.com --zones us-west-1a
-func TestLifecycleMinimal(t *testing.T) {
+// TestLifecycleMinimalAWS runs the test on a minimum configuration, similar to kops create cluster minimal.example.com --zones us-west-1a
+func TestLifecycleMinimalAWS(t *testing.T) {
 	runLifecycleTestAWS(&LifecycleTestOptions{
 		t:      t,
 		SrcDir: "minimal",
@@ -111,6 +111,14 @@ func TestLifecyclePrivateKopeio(t *testing.T) {
 	})
 }
 
+// TestLifecycleIPv6 runs the test on a IPv6 topology
+func TestLifecycleIPv6(t *testing.T) {
+	runLifecycleTestAWS(&LifecycleTestOptions{
+		t:      t,
+		SrcDir: "minimal-ipv6",
+	})
+}
+
 // TestLifecycleSharedVPC runs the test on a shared VPC
 func TestLifecycleSharedVPC(t *testing.T) {
 	runLifecycleTestAWS(&LifecycleTestOptions{

k8s/crds/kops.k8s.io_clusters.yaml

@@ -4103,6 +4103,7 @@ spec:
                 items:
                   properties:
                     cidr:
+                      description: CIDR is the IPv4 CIDR block assigned to the subnet.
                       type: string
                     egress:
                       description: Egress defines the method of traffic egress for
@@ -4112,6 +4113,10 @@ spec:
                       description: ProviderID is the cloud provider id for the objects
                         associated with the zone (the subnet on AWS)
                       type: string
+                    ipv6CIDR:
+                      description: IPv6CIDR is the IPv6 CIDR block assigned to the
+                        subnet.
+                      type: string
                     name:
                       type: string
                     publicIP:

pkg/apis/kops/cluster.go

@@ -621,8 +621,10 @@ const (
 type ClusterSubnetSpec struct {
 	// Name is the name of the subnet
 	Name string `json:"name,omitempty"`
-	// CIDR is the network cidr of the subnet
+	// CIDR is the IPv4 CIDR block assigned to the subnet.
 	CIDR string `json:"cidr,omitempty"`
+	// IPv6CIDR is the IPv6 CIDR block assigned to the subnet.
+	IPv6CIDR string `json:"ipv6CIDR,omitempty"`
 	// Zone is the zone the subnet is in, set for subnets that are zonally scoped
 	Zone string `json:"zone,omitempty"`
 	// Region is the region the subnet is in, set for subnets that are regionally scoped

pkg/apis/kops/v1alpha2/cluster.go

@@ -606,7 +606,10 @@ type ClusterSubnetSpec struct {
 	// Region is the region the subnet is in, set for subnets that are regionally scoped
 	Region string `json:"region,omitempty"`
 
+	// CIDR is the IPv4 CIDR block assigned to the subnet.
 	CIDR string `json:"cidr,omitempty"`
+	// IPv6CIDR is the IPv6 CIDR block assigned to the subnet.
+	IPv6CIDR string `json:"ipv6CIDR,omitempty"`
 
 	// ProviderID is the cloud provider id for the objects associated with the zone (the subnet on AWS)
 	ProviderID string `json:"id,omitempty"`

pkg/apis/kops/validation/validation.go

@@ -39,6 +39,7 @@ import (
 	"k8s.io/kops/pkg/model/components"
 	"k8s.io/kops/pkg/model/iam"
 	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/upup/pkg/fi/utils"
 )
 
 func newValidateCluster(cluster *kops.Cluster) field.ErrorList {
@@ -78,7 +79,7 @@ func newValidateCluster(cluster *kops.Cluster) field.ErrorList {
 func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
-	allErrs = append(allErrs, validateSubnets(spec.Subnets, fieldPath.Child("subnets"))...)
+	allErrs = append(allErrs, validateSubnets(spec, fieldPath.Child("subnets"))...)
 
 	// SSHAccess
 	for i, cidr := range spec.SSHAccess {
@@ -312,7 +313,11 @@ func validateCIDR(cidr string, fieldPath *field.Path) field.ErrorList {
 		if !strings.Contains(cidr, "/") {
 			ip := net.ParseIP(cidr)
 			if ip != nil {
-				detail += fmt.Sprintf(" (did you mean \"%s/32\")", cidr)
+				if ip.To4() != nil && !strings.Contains(cidr, ":") {
+					detail += fmt.Sprintf(" (did you mean \"%s/32\")", cidr)
+				} else {
+					detail += fmt.Sprintf(" (did you mean \"%s/64\")", cidr)
+				}
 			}
 		}
 		allErrs = append(allErrs, field.Invalid(fieldPath, cidr, detail))
@@ -324,6 +329,16 @@ func validateCIDR(cidr string, fieldPath *field.Path) field.ErrorList {
 	return allErrs
 }
 
+func validateIPv6CIDR(cidr string, fieldPath *field.Path) field.ErrorList {
+	allErrs := validateCIDR(cidr, fieldPath)
+
+	if !utils.IsIPv6CIDR(cidr) {
+		allErrs = append(allErrs, field.Invalid(fieldPath, cidr, "Network is not an IPv6 CIDR"))
+	}
+
+	return allErrs
+}
+
 func validateTopology(topology *kops.TopologySpec, fieldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
@@ -360,9 +375,11 @@ func validateTopology(topology *kops.TopologySpec, fieldPath *field.Path) field.
 	return allErrs
 }
 
-func validateSubnets(subnets []kops.ClusterSubnetSpec, fieldPath *field.Path) field.ErrorList {
+func validateSubnets(cluster *kops.ClusterSpec, fieldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
+	subnets := cluster.Subnets
+
 	// cannot be empty
 	if len(subnets) == 0 {
 		allErrs = append(allErrs, field.Required(fieldPath, ""))
@@ -395,6 +412,14 @@ func validateSubnets(subnets []kops.ClusterSubnetSpec, fieldPath *field.Path) fi
 		}
 	}
 
+	if kops.CloudProviderID(cluster.CloudProvider) != kops.CloudProviderAWS {
+		for i := range subnets {
+			if subnets[i].IPv6CIDR != "" {
+				allErrs = append(allErrs, field.Forbidden(fieldPath.Child("ipv6CIDR"), "ipv6CIDR can only be specified for AWS"))
+			}
+		}
+	}
+
 	return allErrs
 }
 
@@ -410,6 +435,10 @@ func validateSubnet(subnet *kops.ClusterSubnetSpec, fieldPath *field.Path) field
 	if subnet.CIDR != "" {
 		allErrs = append(allErrs, validateCIDR(subnet.CIDR, fieldPath.Child("cidr"))...)
 	}
+	// IPv6CIDR
+	if subnet.IPv6CIDR != "" {
+		allErrs = append(allErrs, validateIPv6CIDR(subnet.IPv6CIDR, fieldPath.Child("ipv6CIDR"))...)
+	}
 
 	if subnet.Egress != "" {
 		egressType := strings.Split(subnet.Egress, "-")[0]

pkg/apis/kops/validation/validation_test.go

@@ -155,9 +155,42 @@ func TestValidateSubnets(t *testing.T) {
 			},
 			ExpectedErrors: []string{"Invalid value::subnets[0].cidr"},
 		},
+		{
+			Input: []kops.ClusterSubnetSpec{
+				{Name: "a", IPv6CIDR: "2001:db8::/56"},
+			},
+		},
+		{
+			Input: []kops.ClusterSubnetSpec{
+				{Name: "a", IPv6CIDR: "10.0.0.0/8"},
+			},
+			ExpectedErrors: []string{"Invalid value::subnets[0].ipv6CIDR"},
+		},
+		{
+			Input: []kops.ClusterSubnetSpec{
+				{Name: "a", IPv6CIDR: "::ffff:10.128.0.0"},
+			},
+			ExpectedErrors: []string{"Invalid value::subnets[0].ipv6CIDR"},
+		},
+		{
+			Input: []kops.ClusterSubnetSpec{
+				{Name: "a", IPv6CIDR: "::ffff:10.128.0.0/8"},
+			},
+			ExpectedErrors: []string{"Invalid value::subnets[0].ipv6CIDR"},
+		},
+		{
+			Input: []kops.ClusterSubnetSpec{
+				{Name: "a", CIDR: "::ffff:10.128.0.0/8"},
+			},
+			ExpectedErrors: []string{"Invalid value::subnets[0].cidr"},
+		},
 	}
 	for _, g := range grid {
-		errs := validateSubnets(g.Input, field.NewPath("subnets"))
+		cluster := &kops.ClusterSpec{
+			CloudProvider: "aws",
+			Subnets:       g.Input,
+		}
+		errs := validateSubnets(cluster, field.NewPath("subnets"))
 
 		testErrors(t, g.Input, errs, g.ExpectedErrors)
 	}