ec2: support option HTTPProtocolIPv6 for EC2 IMDS

tthvo · tthvo · commit 1f6e29533fdf · 2025-08-13T13:30:27.000-07:00
The httpProtocolIPv6 field enables or disables the IPv6 endpoint of the
instance metadata service. The SDK only applies this field if
httpEndpoint is enabled.

When running on single-stack IPv6, pods only have IPv6, thus requiring
an IPv6 endpoint to query IMDS as IPv4 network is unreachable.
diff --git a/api/v1beta2/awsmachinetemplate_webhook_test.go b/api/v1beta2/awsmachinetemplate_webhook_test.go
@@ -127,6 +127,7 @@ func TestAWSMachineTemplateValidateUpdate(t *testing.T) {
 							InstanceType: "test",
 							InstanceMetadataOptions: &InstanceMetadataOptions{
 								HTTPEndpoint:            InstanceMetadataEndpointStateEnabled,
+								HTTPProtocolIPv6:        InstanceMetadataEndpointStateDisabled,
 								HTTPPutResponseHopLimit: 1,
 								HTTPTokens:              HTTPTokensStateOptional,
 								InstanceMetadataTags:    InstanceMetadataEndpointStateDisabled,
diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
@@ -360,6 +360,15 @@ type InstanceMetadataOptions struct {
 	// +kubebuilder:default=enabled
 	HTTPEndpoint InstanceMetadataState `json:"httpEndpoint,omitempty"`
 
+	// Enables or disables the IPv6 endpoint for the instance metadata service.
+	// This applies only if you enabled the HTTP metadata endpoint.
+	//
+	// Default: disabled
+	//
+	// +kubebuilder:validation:Enum:=enabled;disabled
+	// +kubebuilder:default=disabled
+	HTTPProtocolIPv6 InstanceMetadataState `json:"httpProtocolIpv6,omitempty"`
+
 	// The desired HTTP PUT response hop limit for instance metadata requests. The
 	// larger the number, the further instance metadata requests can travel.
 	//
@@ -406,6 +415,9 @@ func (obj *InstanceMetadataOptions) SetDefaults() {
 	if obj.HTTPEndpoint == "" {
 		obj.HTTPEndpoint = InstanceMetadataEndpointStateEnabled
 	}
+	if obj.HTTPProtocolIPv6 == "" {
+		obj.HTTPProtocolIPv6 = InstanceMetadataEndpointStateDisabled
+	}
 	if obj.HTTPPutResponseHopLimit == 0 {
 		obj.HTTPPutResponseHopLimit = 1
 	}
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -1277,6 +1277,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
@@ -3489,6 +3500,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -2259,6 +2259,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml
@@ -707,6 +707,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml
@@ -876,6 +876,17 @@ spec:
                     - enabled
                     - disabled
                     type: string
+                  httpProtocolIpv6:
+                    default: disabled
+                    description: |-
+                      Enables or disables the IPv6 endpoint for the instance metadata service.
+                      This applies only if you enabled the HTTP metadata endpoint.
+
+                      Default: disabled
+                    enum:
+                    - enabled
+                    - disabled
+                    type: string
                   httpPutResponseHopLimit:
                     default: 1
                     description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml
@@ -795,6 +795,17 @@ spec:
                             - enabled
                             - disabled
                             type: string
+                          httpProtocolIpv6:
+                            default: disabled
+                            description: |-
+                              Enables or disables the IPv6 endpoint for the instance metadata service.
+                              This applies only if you enabled the HTTP metadata endpoint.
+
+                              Default: disabled
+                            enum:
+                            - enabled
+                            - disabled
+                            type: string
                           httpPutResponseHopLimit:
                             default: 1
                             description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml
@@ -716,6 +716,17 @@ spec:
                         - enabled
                         - disabled
                         type: string
+                      httpProtocolIpv6:
+                        default: disabled
+                        description: |-
+                          Enables or disables the IPv6 endpoint for the instance metadata service.
+                          This applies only if you enabled the HTTP metadata endpoint.
+
+                          Default: disabled
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
                       httpPutResponseHopLimit:
                         default: 1
                         description: |-
diff --git a/controllers/awsmachine_controller_unit_test.go b/controllers/awsmachine_controller_unit_test.go
@@ -2733,6 +2733,7 @@ func TestAWSMachineReconcilerReconcileDefaultsToLoadBalancerTypeClassic(t *testi
 						},
 						MetadataOptions: &ec2types.InstanceMetadataOptionsResponse{
 							HttpEndpoint:            ec2types.InstanceMetadataEndpointState(string(infrav1.InstanceMetadataEndpointStateEnabled)),
+							HttpProtocolIpv6:        ec2types.InstanceMetadataProtocolState(string(infrav1.InstanceMetadataEndpointStateDisabled)),
 							HttpPutResponseHopLimit: aws.Int32(1),
 							HttpTokens:              ec2types.HttpTokensState(string(infrav1.HTTPTokensStateOptional)),
 							InstanceMetadataTags:    ec2types.InstanceMetadataTagsState(string(infrav1.InstanceMetadataEndpointStateDisabled)),
diff --git a/pkg/cloud/services/ec2/instances.go b/pkg/cloud/services/ec2/instances.go
@@ -962,6 +962,7 @@ func (s *Service) SDKToInstance(v types.Instance) (*infrav1.Instance, error) {
 		metadataOptions.HTTPEndpoint = infrav1.InstanceMetadataState(string(v.MetadataOptions.HttpEndpoint))
 		metadataOptions.HTTPTokens = infrav1.HTTPTokensState(string(v.MetadataOptions.HttpTokens))
 		metadataOptions.InstanceMetadataTags = infrav1.InstanceMetadataState(string(v.MetadataOptions.InstanceMetadataTags))
+		metadataOptions.HTTPProtocolIPv6 = infrav1.InstanceMetadataState(v.MetadataOptions.HttpProtocolIpv6)
 		if v.MetadataOptions.HttpPutResponseHopLimit != nil {
 			metadataOptions.HTTPPutResponseHopLimit = int64(*v.MetadataOptions.HttpPutResponseHopLimit)
 		}
@@ -1117,6 +1118,7 @@ func (s *Service) ModifyInstanceMetadataOptions(instanceID string, options *infr
 		HttpPutResponseHopLimit: utils.ToInt32Pointer(&options.HTTPPutResponseHopLimit),
 		HttpTokens:              types.HttpTokensState(string(options.HTTPTokens)),
 		InstanceMetadataTags:    types.InstanceMetadataTagsState(string(options.InstanceMetadataTags)),
+		HttpProtocolIpv6:        types.InstanceMetadataProtocolState(string(options.HTTPProtocolIPv6)),
 		InstanceId:              aws.String(instanceID),
 	}
 
@@ -1270,6 +1272,9 @@ func getInstanceMetadataOptionsRequest(metadataOptions *infrav1.InstanceMetadata
 	if metadataOptions.HTTPEndpoint != "" {
 		request.HttpEndpoint = types.InstanceMetadataEndpointState(string(metadataOptions.HTTPEndpoint))
 	}
+	if metadataOptions.HTTPProtocolIPv6 != "" {
+		request.HttpProtocolIpv6 = types.InstanceMetadataProtocolState(string(metadataOptions.HTTPProtocolIPv6))
+	}
 	if metadataOptions.HTTPPutResponseHopLimit != 0 {
 		request.HttpPutResponseHopLimit = utils.ToInt32Pointer(&metadataOptions.HTTPPutResponseHopLimit)
 	}
diff --git a/pkg/cloud/services/ec2/launchtemplate.go b/pkg/cloud/services/ec2/launchtemplate.go
@@ -903,11 +903,15 @@ func (s *Service) SDKToLaunchTemplate(d types.LaunchTemplateVersion) (*expinfrav
 			HTTPPutResponseHopLimit: utils.ToInt64Value(v.MetadataOptions.HttpPutResponseHopLimit),
 			HTTPTokens:              infrav1.HTTPTokensState(string(v.MetadataOptions.HttpTokens)),
 			HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+			HTTPProtocolIPv6:        infrav1.InstanceMetadataEndpointStateDisabled,
 			InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
 		}
 		if v.MetadataOptions.HttpEndpoint == types.LaunchTemplateInstanceMetadataEndpointStateDisabled {
 			i.InstanceMetadataOptions.HTTPEndpoint = infrav1.InstanceMetadataEndpointStateDisabled
 		}
+		if v.MetadataOptions.HttpProtocolIpv6 == types.LaunchTemplateInstanceMetadataProtocolIpv6Enabled {
+			i.InstanceMetadataOptions.HTTPProtocolIPv6 = infrav1.InstanceMetadataEndpointStateEnabled
+		}
 		if v.MetadataOptions.InstanceMetadataTags == types.LaunchTemplateInstanceMetadataTagsStateEnabled {
 			i.InstanceMetadataOptions.InstanceMetadataTags = infrav1.InstanceMetadataEndpointStateEnabled
 		}

Original file line number	Diff line number	Diff line change
`@@ -962,6 +962,7 @@ func (s Service) SDKToInstance(v types.Instance) (infrav1.Instance, error) {`
`962`	`962`	`metadataOptions.HTTPEndpoint = infrav1.InstanceMetadataState(string(v.MetadataOptions.HttpEndpoint))`
`963`	`963`	`metadataOptions.HTTPTokens = infrav1.HTTPTokensState(string(v.MetadataOptions.HttpTokens))`
`964`	`964`	`metadataOptions.InstanceMetadataTags = infrav1.InstanceMetadataState(string(v.MetadataOptions.InstanceMetadataTags))`
	`965`	`+ metadataOptions.HTTPProtocolIPv6 = infrav1.InstanceMetadataState(v.MetadataOptions.HttpProtocolIpv6)`
`965`	`966`	`if v.MetadataOptions.HttpPutResponseHopLimit != nil {`
`966`	`967`	`metadataOptions.HTTPPutResponseHopLimit = int64(*v.MetadataOptions.HttpPutResponseHopLimit)`
`967`	`968`	`}`
`@@ -1117,6 +1118,7 @@ func (s Service) ModifyInstanceMetadataOptions(instanceID string, options infr`
`1117`	`1118`	`HttpPutResponseHopLimit: utils.ToInt32Pointer(&options.HTTPPutResponseHopLimit),`
`1118`	`1119`	`HttpTokens: types.HttpTokensState(string(options.HTTPTokens)),`
`1119`	`1120`	`InstanceMetadataTags: types.InstanceMetadataTagsState(string(options.InstanceMetadataTags)),`
	`1121`	`+ HttpProtocolIpv6: types.InstanceMetadataProtocolState(string(options.HTTPProtocolIPv6)),`
`1120`	`1122`	`InstanceId: aws.String(instanceID),`
`1121`	`1123`	`}`
`1122`	`1124`
`@@ -1270,6 +1272,9 @@ func getInstanceMetadataOptionsRequest(metadataOptions *infrav1.InstanceMetadata`
`1270`	`1272`	`if metadataOptions.HTTPEndpoint != "" {`
`1271`	`1273`	`request.HttpEndpoint = types.InstanceMetadataEndpointState(string(metadataOptions.HTTPEndpoint))`
`1272`	`1274`	`}`
	`1275`	`+ if metadataOptions.HTTPProtocolIPv6 != "" {`
	`1276`	`+ request.HttpProtocolIpv6 = types.InstanceMetadataProtocolState(string(metadataOptions.HTTPProtocolIPv6))`
	`1277`	`+ }`
`1273`	`1278`	`if metadataOptions.HTTPPutResponseHopLimit != 0 {`
`1274`	`1279`	`request.HttpPutResponseHopLimit = utils.ToInt32Pointer(&metadataOptions.HTTPPutResponseHopLimit)`
`1275`	`1280`	`}`