ec2: support option HTTPProtocolIPv6 for EC2 IMDS

tthvo · tthvo · commit 09cdc37cab90 · 2025-08-05T11:04:58.000-07:00
The httpProtocolIPv6 field enables or disables the IPv6 endpoint of the
instance metadata service. The SDK only applies this field if
httpEndpoint is enabled.

When running on single-stack IPv6, pods only have IPv6, thus requiring
an IPv6 endpoint to query IMDS as IPv4 network is unreachable.
diff --git a/api/v1beta2/awsmachinetemplate_webhook_test.go b/api/v1beta2/awsmachinetemplate_webhook_test.go
@@ -127,6 +127,7 @@ func TestAWSMachineTemplateValidateUpdate(t *testing.T) {
 							InstanceType: "test",
 							InstanceMetadataOptions: &InstanceMetadataOptions{
 								HTTPEndpoint:            InstanceMetadataEndpointStateEnabled,
+								HTTPProtocolIPv6:        InstanceMetadataEndpointStateDisabled,
 								HTTPPutResponseHopLimit: 1,
 								HTTPTokens:              HTTPTokensStateOptional,
 								InstanceMetadataTags:    InstanceMetadataEndpointStateDisabled,
diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
@@ -324,6 +324,15 @@ type InstanceMetadataOptions struct {
 	// +kubebuilder:default=enabled
 	HTTPEndpoint InstanceMetadataState `json:"httpEndpoint,omitempty"`
 
+	// Enables or disables the IPv6 endpoint for the instance metadata service.
+	// This applies only if you enabled the HTTP metadata endpoint.
+	//
+	// Default: disabled
+	//
+	// +kubebuilder:validation:Enum:=enabled;disabled
+	// +kubebuilder:default=disabled
+	HTTPProtocolIPv6 InstanceMetadataState `json:"httpProtocolIpv6,omitempty"`
+
 	// The desired HTTP PUT response hop limit for instance metadata requests. The
 	// larger the number, the further instance metadata requests can travel.
 	//
@@ -370,6 +379,9 @@ func (obj *InstanceMetadataOptions) SetDefaults() {
 	if obj.HTTPEndpoint == "" {
 		obj.HTTPEndpoint = InstanceMetadataEndpointStateEnabled
 	}
+	if obj.HTTPProtocolIPv6 == "" {
+		obj.HTTPProtocolIPv6 = InstanceMetadataEndpointStateDisabled
+	}
 	if obj.HTTPPutResponseHopLimit == 0 {
 		obj.HTTPPutResponseHopLimit = 1
 	}
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -1245,6 +1245,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
@@ -3424,6 +3435,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -2227,6 +2227,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml
@@ -689,6 +689,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml
@@ -844,6 +844,17 @@ spec:
                     - enabled
                     - disabled
                     type: string
+                  httpProtocolIpv6:
+                    default: disabled
+                    description: |-
+                      Enables or disables the IPv6 endpoint for the instance metadata service.
+                      This applies only if you enabled the HTTP metadata endpoint.
+
+                      Default: disabled
+                    enum:
+                    - enabled
+                    - disabled
+                    type: string
                   httpPutResponseHopLimit:
                     default: 1
                     description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml
@@ -763,6 +763,17 @@ spec:
                             - enabled
                             - disabled
                             type: string
+                          httpProtocolIpv6:
+                            default: disabled
+                            description: |-
+                              Enables or disables the IPv6 endpoint for the instance metadata service.
+                              This applies only if you enabled the HTTP metadata endpoint.
+
+                              Default: disabled
+                            enum:
+                            - enabled
+                            - disabled
+                            type: string
                           httpPutResponseHopLimit:
                             default: 1
                             description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml
@@ -698,6 +698,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
diff --git a/controllers/awsmachine_controller_unit_test.go b/controllers/awsmachine_controller_unit_test.go
@@ -2733,6 +2733,7 @@ func TestAWSMachineReconcilerReconcileDefaultsToLoadBalancerTypeClassic(t *testi
 						},
 						MetadataOptions: &ec2types.InstanceMetadataOptionsResponse{
 							HttpEndpoint:            ec2types.InstanceMetadataEndpointState(string(infrav1.InstanceMetadataEndpointStateEnabled)),
+							HttpProtocolIpv6:        ec2types.InstanceMetadataProtocolState(string(infrav1.InstanceMetadataEndpointStateDisabled)),
 							HttpPutResponseHopLimit: aws.Int32(1),
 							HttpTokens:              ec2types.HttpTokensState(string(infrav1.HTTPTokensStateOptional)),
 							InstanceMetadataTags:    ec2types.InstanceMetadataTagsState(string(infrav1.InstanceMetadataEndpointStateDisabled)),
diff --git a/pkg/cloud/services/ec2/instances.go b/pkg/cloud/services/ec2/instances.go
@@ -927,6 +927,7 @@ func (s *Service) SDKToInstance(v types.Instance) (*infrav1.Instance, error) {
 		metadataOptions.HTTPEndpoint = infrav1.InstanceMetadataState(string(v.MetadataOptions.HttpEndpoint))
 		metadataOptions.HTTPTokens = infrav1.HTTPTokensState(string(v.MetadataOptions.HttpTokens))
 		metadataOptions.InstanceMetadataTags = infrav1.InstanceMetadataState(string(v.MetadataOptions.InstanceMetadataTags))
+		metadataOptions.HTTPProtocolIPv6 = infrav1.InstanceMetadataState(v.MetadataOptions.HttpProtocolIpv6)
 		if v.MetadataOptions.HttpPutResponseHopLimit != nil {
 			metadataOptions.HTTPPutResponseHopLimit = int64(*v.MetadataOptions.HttpPutResponseHopLimit)
 		}
@@ -1082,6 +1083,7 @@ func (s *Service) ModifyInstanceMetadataOptions(instanceID string, options *infr
 		HttpPutResponseHopLimit: utils.ToInt32Pointer(&options.HTTPPutResponseHopLimit),
 		HttpTokens:              types.HttpTokensState(string(options.HTTPTokens)),
 		InstanceMetadataTags:    types.InstanceMetadataTagsState(string(options.InstanceMetadataTags)),
+		HttpProtocolIpv6:        types.InstanceMetadataProtocolState(string(options.HTTPProtocolIPv6)),
 		InstanceId:              aws.String(instanceID),
 	}
 
@@ -1234,6 +1236,9 @@ func getInstanceMetadataOptionsRequest(metadataOptions *infrav1.InstanceMetadata
 	if metadataOptions.HTTPEndpoint != "" {
 		request.HttpEndpoint = types.InstanceMetadataEndpointState(string(metadataOptions.HTTPEndpoint))
 	}
+	if metadataOptions.HTTPProtocolIPv6 != "" {
+		request.HttpProtocolIpv6 = types.InstanceMetadataProtocolState(string(metadataOptions.HTTPProtocolIPv6))
+	}
 	if metadataOptions.HTTPPutResponseHopLimit != 0 {
 		request.HttpPutResponseHopLimit = utils.ToInt32Pointer(&metadataOptions.HTTPPutResponseHopLimit)
 	}
diff --git a/pkg/cloud/services/ec2/launchtemplate.go b/pkg/cloud/services/ec2/launchtemplate.go
@@ -854,11 +854,15 @@ func (s *Service) SDKToLaunchTemplate(d types.LaunchTemplateVersion) (*expinfrav
 			HTTPPutResponseHopLimit: utils.ToInt64Value(v.MetadataOptions.HttpPutResponseHopLimit),
 			HTTPTokens:              infrav1.HTTPTokensState(string(v.MetadataOptions.HttpTokens)),
 			HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+			HTTPProtocolIPv6:        infrav1.InstanceMetadataEndpointStateDisabled,
 			InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
 		}
 		if v.MetadataOptions.HttpEndpoint == types.LaunchTemplateInstanceMetadataEndpointStateDisabled {
 			i.InstanceMetadataOptions.HTTPEndpoint = infrav1.InstanceMetadataEndpointStateDisabled
 		}
+		if v.MetadataOptions.HttpProtocolIpv6 == types.LaunchTemplateInstanceMetadataProtocolIpv6Enabled {
+			i.InstanceMetadataOptions.HTTPProtocolIPv6 = infrav1.InstanceMetadataEndpointStateEnabled
+		}
 		if v.MetadataOptions.InstanceMetadataTags == types.LaunchTemplateInstanceMetadataTagsStateEnabled {
 			i.InstanceMetadataOptions.InstanceMetadataTags = infrav1.InstanceMetadataEndpointStateEnabled
 		}

Original file line number	Diff line number	Diff line change
`@@ -927,6 +927,7 @@ func (s Service) SDKToInstance(v types.Instance) (infrav1.Instance, error) {`
`927`	`927`	`metadataOptions.HTTPEndpoint = infrav1.InstanceMetadataState(string(v.MetadataOptions.HttpEndpoint))`
`928`	`928`	`metadataOptions.HTTPTokens = infrav1.HTTPTokensState(string(v.MetadataOptions.HttpTokens))`
`929`	`929`	`metadataOptions.InstanceMetadataTags = infrav1.InstanceMetadataState(string(v.MetadataOptions.InstanceMetadataTags))`
	`930`	`+ metadataOptions.HTTPProtocolIPv6 = infrav1.InstanceMetadataState(v.MetadataOptions.HttpProtocolIpv6)`
`930`	`931`	`if v.MetadataOptions.HttpPutResponseHopLimit != nil {`
`931`	`932`	`metadataOptions.HTTPPutResponseHopLimit = int64(*v.MetadataOptions.HttpPutResponseHopLimit)`
`932`	`933`	`}`
`@@ -1082,6 +1083,7 @@ func (s Service) ModifyInstanceMetadataOptions(instanceID string, options infr`
`1082`	`1083`	`HttpPutResponseHopLimit: utils.ToInt32Pointer(&options.HTTPPutResponseHopLimit),`
`1083`	`1084`	`HttpTokens: types.HttpTokensState(string(options.HTTPTokens)),`
`1084`	`1085`	`InstanceMetadataTags: types.InstanceMetadataTagsState(string(options.InstanceMetadataTags)),`
	`1086`	`+ HttpProtocolIpv6: types.InstanceMetadataProtocolState(string(options.HTTPProtocolIPv6)),`
`1085`	`1087`	`InstanceId: aws.String(instanceID),`
`1086`	`1088`	`}`
`1087`	`1089`
`@@ -1234,6 +1236,9 @@ func getInstanceMetadataOptionsRequest(metadataOptions *infrav1.InstanceMetadata`
`1234`	`1236`	`if metadataOptions.HTTPEndpoint != "" {`
`1235`	`1237`	`request.HttpEndpoint = types.InstanceMetadataEndpointState(string(metadataOptions.HTTPEndpoint))`
`1236`	`1238`	`}`
	`1239`	`+ if metadataOptions.HTTPProtocolIPv6 != "" {`
	`1240`	`+ request.HttpProtocolIpv6 = types.InstanceMetadataProtocolState(string(metadataOptions.HTTPProtocolIPv6))`
	`1241`	`+ }`
`1237`	`1242`	`if metadataOptions.HTTPPutResponseHopLimit != 0 {`
`1238`	`1243`	`request.HttpPutResponseHopLimit = utils.ToInt32Pointer(&metadataOptions.HTTPPutResponseHopLimit)`
`1239`	`1244`	`}`