OpenStack: enable IPv6 primary dual-stack cluster #7259
Skipping CI for Draft Pull Request.
/retest
7ead0bd to 798e0a5
/test unit
/retest
Nodes and Pods were listing IPv6 address first in the list of addresses.
/cc @gryf
One error for icmp, the rest looks good.
This commit removes the restriction of only allowing IPv4 first dual-stack clusters. Also, in preparation for future single stack IPv6 clusters, it duplicates all the existent security group rules to work with IPv6 ethertype, with the exception of IKE nat, given there is no nat for IPv6.
798e0a5 to 2748047
/lgtm
/assign @pawanpinjarkar as the bot suggests
/assign @pawanpinjarkar
Looks good. I was surprised at first that we didn't have V6 equivalent to master_ingress_ike_nat_t and worker_ingress_ike_nat_t rules, but then I remembered that NAT does not really make sense with IPv6.
/lgtm
/test e2e-aws-ovn
@MaysaMacedo: The following tests failed, say
/retest
/hold Revision 2748047 was retested 3 times: holding
/hold cancel
I'm late to the party, but here's a comment about something that stands out to me.
resource "openstack_networking_secgroup_rule_v2" "worker_ingress_services_udp_v6" { | ||
count = length(var.machine_v6_cidrs) | ||
direction = "ingress" | ||
ethertype = "IPv6" | ||
protocol = "udp" | ||
port_range_min = 30000 | ||
port_range_max = 32767 | ||
remote_ip_prefix = element(var.machine_v6_cidrs, count.index) | ||
security_group_id = openstack_networking_secgroup_v2.worker.id | ||
description = local.description | ||
} |
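Review bot: remote_ip_prefix in worker_ingress_services_udp_v6 is built with element(var.machine_v6_cidrs, count.index), and element() wraps an out-of-range index around the list instead of failing. Since count is length(var.machine_v6_cidrs) the index is always in range, so var.machine_v6_cidrs[count.index] gives the same result today and would turn a later mismatch between count and the list into an error rather than a silently duplicated rule.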
Same here.
resource "openstack_networking_secgroup_rule_v2" "worker_ingress_services_tcp_v6" { | ||
count = length(var.machine_v6_cidrs) | ||
direction = "ingress" | ||
ethertype = "IPv6" | ||
protocol = "tcp" | ||
port_range_min = 30000 | ||
port_range_max = 32767 | ||
remote_ip_prefix = element(var.machine_v6_cidrs, count.index) | ||
security_group_id = openstack_networking_secgroup_v2.worker.id | ||
description = local.description | ||
} |
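Review bot: worker_ingress_services_tcp_v6 carries the same local.description as the UDP rule, so on the OpenStack side nothing in the description says that 30000-32767 is the service node port range or which protocol the rule covers. A per-rule description (or a comment above the resource) stating the purpose and why the source is limited to machine_v6_cidrs would make the worker security group easier to audit; the TCP and UDP resources also differ only in protocol and could share one definition.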
This feels like something that should have been here since dual stack support, i.e. IPv6 LoadBalancer Services need this.
I thought about this, but when I tried connecting to an IPv6 LB without it in tech preview, it worked fine.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dulek, EmilienM, sadasu
/retest-required
/retest-required
/hold Revision 2748047 was retested 3 times: holding
/hold cancel
/retest-required
/retest
/retest
/test e2e-aws-ovn
@MaysaMacedo: The following test failed, say
This commit removes the enforcement of the ordering IPv4 to api and ingress VIPs and adds IPv6 security group rules to allow ingress and egress traffic over IPv6.