sg: allow both ipv4 and ipv6 cidrs to API LB if vpc ipv6 block is defined

When AWSCluster.spec.network.vpc.ipv6 is non-nil, most handlers in CAPA
treats it as "adding" IPv6 capabilities on top of IPv4 infrastructure.
Except security group ingress rules for API LB.

This commit aligns the API LB SG handler with the rest of the code base.

These rules can be overriden in the AWSCluster LB spec to allow only
IPv6 CIDRs if needed.

Author: tthvo

pkg/cloud/services/securitygroup/securitygroups.go

@@ -994,19 +994,7 @@ func (s *Service) getControlPlaneLBIngressRules() infrav1.IngressRules {
 }
 
 func (s *Service) getIngressRuleToAllowAnyIPInTheAPIServer() infrav1.IngressRules {
-	if s.scope.VPC().IsIPv6Enabled() {
-		return infrav1.IngressRules{
-			{
-				Description:    "Kubernetes API IPv6",
-				Protocol:       infrav1.SecurityGroupProtocolTCP,
-				FromPort:       int64(s.scope.APIServerPort()),
-				ToPort:         int64(s.scope.APIServerPort()),
-				IPv6CidrBlocks: []string{services.AnyIPv6CidrBlock},
-			},
-		}
-	}
-
-	return infrav1.IngressRules{
+	rules := infrav1.IngressRules{
 		{
 			Description: "Kubernetes API",
 			Protocol:    infrav1.SecurityGroupProtocolTCP,
@@ -1015,22 +1003,20 @@ func (s *Service) getIngressRuleToAllowAnyIPInTheAPIServer() infrav1.IngressRule
 			CidrBlocks:  []string{services.AnyIPv4CidrBlock},
 		},
 	}
+	if s.scope.VPC().IsIPv6Enabled() {
+		rules = append(rules, infrav1.IngressRule{
+			Description:    "Kubernetes API IPv6",
+			Protocol:       infrav1.SecurityGroupProtocolTCP,
+			FromPort:       int64(s.scope.APIServerPort()),
+			ToPort:         int64(s.scope.APIServerPort()),
+			IPv6CidrBlocks: []string{services.AnyIPv6CidrBlock},
+		})
+	}
+	return rules
 }
 
 func (s *Service) getIngressRuleToAllowVPCCidrInTheAPIServer() infrav1.IngressRules {
-	if s.scope.VPC().IsIPv6Enabled() {
-		return infrav1.IngressRules{
-			{
-				Description:    "Kubernetes API IPv6",
-				Protocol:       infrav1.SecurityGroupProtocolTCP,
-				FromPort:       int64(s.scope.APIServerPort()),
-				ToPort:         int64(s.scope.APIServerPort()),
-				IPv6CidrBlocks: []string{s.scope.VPC().IPv6.CidrBlock},
-			},
-		}
-	}
-
-	return infrav1.IngressRules{
+	rules := infrav1.IngressRules{
 		{
 			Description: "Kubernetes API",
 			Protocol:    infrav1.SecurityGroupProtocolTCP,
@@ -1039,6 +1025,16 @@ func (s *Service) getIngressRuleToAllowVPCCidrInTheAPIServer() infrav1.IngressRu
 			CidrBlocks:  []string{s.scope.VPC().CidrBlock},
 		},
 	}
+	if s.scope.VPC().IsIPv6Enabled() {
+		rules = append(rules, infrav1.IngressRule{
+			Description:    "Kubernetes API IPv6",
+			Protocol:       infrav1.SecurityGroupProtocolTCP,
+			FromPort:       int64(s.scope.APIServerPort()),
+			ToPort:         int64(s.scope.APIServerPort()),
+			IPv6CidrBlocks: []string{s.scope.VPC().IPv6.CidrBlock},
+		})
+	}
+	return rules
 }
 
 func (s *Service) processIngressRulesSGs(ingressRules []infrav1.IngressRule) (infrav1.IngressRules, error) {

pkg/cloud/services/securitygroup/securitygroups_test.go

@@ -1607,7 +1607,7 @@ func TestControlPlaneLoadBalancerIngressRules(t *testing.T) {
 			},
 		},
 		{
-			name: "when no ingress rules are passed and nat gateway IPs are not available, the default for IPv6 is set",
+			name: "when no ingress rules are passed and nat gateway IPs are not available with vpc ipv6 block is defined, the default for IPv4 and IPv6 are set",
 			awsCluster: &infrav1.AWSCluster{
 				Spec: infrav1.AWSClusterSpec{
 					ControlPlaneLoadBalancer: &infrav1.AWSLoadBalancerSpec{},
@@ -1621,6 +1621,13 @@ func TestControlPlaneLoadBalancerIngressRules(t *testing.T) {
 				Status: infrav1.AWSClusterStatus{},
 			},
 			expectedIngresRules: infrav1.IngressRules{
+				infrav1.IngressRule{
+					Description: "Kubernetes API",
+					Protocol:    infrav1.SecurityGroupProtocolTCP,
+					FromPort:    6443,
+					ToPort:      6443,
+					CidrBlocks:  []string{services.AnyIPv4CidrBlock},
+				},
 				infrav1.IngressRule{
 					Description:    "Kubernetes API IPv6",
 					Protocol:       infrav1.SecurityGroupProtocolTCP,
@@ -1748,20 +1755,35 @@ func TestControlPlaneLoadBalancerIngressRules(t *testing.T) {
 					},
 					NetworkSpec: infrav1.NetworkSpec{
 						VPC: infrav1.VPCSpec{
+							CidrBlock: "10.0.0.0/16",
 							IPv6: &infrav1.IPv6{
-								CidrBlock: "10.0.0.0/16",
+								CidrBlock: "2001:1234:5678:9a40::/56",
 							},
 						},
 					},
 				},
 			},
 			expectedIngresRules: infrav1.IngressRules{
+				infrav1.IngressRule{
+					Description: "Kubernetes API",
+					Protocol:    infrav1.SecurityGroupProtocolTCP,
+					FromPort:    6443,
+					ToPort:      6443,
+					CidrBlocks:  []string{"10.0.0.0/16"},
+				},
 				infrav1.IngressRule{
 					Description:    "Kubernetes API IPv6",
 					Protocol:       infrav1.SecurityGroupProtocolTCP,
 					FromPort:       6443,
 					ToPort:         6443,
-					IPv6CidrBlocks: []string{"10.0.0.0/16"},
+					IPv6CidrBlocks: []string{"2001:1234:5678:9a40::/56"},
+				},
+				infrav1.IngressRule{
+					Description: "Kubernetes API",
+					Protocol:    infrav1.SecurityGroupProtocolTCP,
+					FromPort:    6443,
+					ToPort:      6443,
+					CidrBlocks:  []string{services.AnyIPv4CidrBlock},
 				},
 				infrav1.IngressRule{
 					Description:    "Kubernetes API IPv6",