docs: add dualstack cluster support documentation

Add new dualstack cluster template and documentation updates
for IPv6 and dualstack cluster configurations. Additionally, docs for
configuring API LB's target group IP type is also added.

New cluster templates and calico manifest are included for creating
dualstack clusters.

Author: tthvo

docs/book/src/topics/eks/ipv6-enabled-cluster.md

@@ -0,0 +1 @@
+# Enabling IPv6

docs/book/src/topics/ipv6-enabled-cluster.md

@@ -2,22 +2,41 @@
 
 ## Overview
 
-CAPA enables you to create an IPv6 Kubernetes clusters on Amazon Web Service (AWS).
+CAPA enables you to create IPv6 and dualstack (IPv4 + IPv6) Kubernetes clusters on Amazon Web Service (AWS) on a dualstack network infrastructure.
 
-Only single-stack IPv6 clusters are supported. However, CAPA utilizes a dual stack infrastructure (e.g. dual stack VPC) to support IPv6. In fact, it is the only mode of operation at the time of writing.
+## Prerequisites
 
-> **IMPORTANT NOTE**: Dual stack clusters are not yet supported.
+The instance types for control plane and worker machines must support IPv6. To see a list of instance types that support IPv6 in your region, run the following command:
 
-## Prerequisites
+```bash
+aws ec2 describe-instance-types \
+  --region <region> \
+  --filters "Name=network-info.ipv6-supported,Values=true" \
+  --query 'InstanceTypes[].InstanceType'
+```
 
-The instance types for control plane and worker machines must be [Nitro-based](https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html) in order to support IPv6. To see a list of Nitro instance types in your region, run the following command:
+If you want to check whether a specific instance type supports IPv6, run the following command:
 
 ```bash
 aws ec2 describe-instance-types \
-  --filters Name=hypervisor,Values=nitro \
-  --query="InstanceTypes[*].InstanceType"
+  --region <region> \
+  --instance-types <instance-type> \
+  --query 'InstanceTypes[0].NetworkInfo.Ipv6Supported'
+```
+
+## Enabling IPv6 capabilities
+
+To instruct CAPA to configure IPv6 capabilities for the network infrastructure, you must explicitly define `spec.network.vpc.ipv6` in either `AWSCluster` (for self-managed clusters) or `AWSManagedControlPlane` (for EKS clusters). See [IPv6 CIDR Allocations](#ipv6-cidr-allocations) for different IPv6 CIDR configuration options.
+
+```yaml
+spec:
+  network:
+    vpc:
+      ipv6: {}
 ```
 
+**Note:** CAPA, by default, will provision a dualstack infrastructure (i.e. dualstack VPC and subnets). However, your Kubernetes cluster can be configured as either IPv6-only or dualstack depending on your pod/service CIDR configuration.
+
 ## Creating IPv6 EKS-managed Clusters
 
 To quickly deploy an IPv6 EKS cluster, use the [IPv6 EKS cluster template](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/templates/cluster-template-eks-ipv6.yaml).
@@ -26,12 +45,11 @@ To quickly deploy an IPv6 EKS cluster, use the [IPv6 EKS cluster template](https
 
 <h1>Warning</h1>
 
-You can't define custom Pod CIDRs on EKS with IPv6. EKS automatically assigns an address range from a unique local
-address range of `fc00::/7`.
+EKS currently only supports IPv6-only clusters (not dualstack). You can't define custom Pod CIDRs on EKS with IPv6. EKS automatically assigns an address range from a unique local address range of `fc00::/7`.
 
 </aside>
 
-**Notes**: All addons **must** be enabled. A working cluster configuration looks like this:
+**Notes**: All addons **must** be enabled. A working IPv6 cluster configuration defines `spec.network.vpc.ipv6` and all addons as followed:
 
 ```yaml
 kind: AWSManagedControlPlane
@@ -47,56 +65,151 @@ spec:
   version: "${KUBERNETES_VERSION}"
   addons:
     - name: "vpc-cni"
-      version: "v1.11.0-eksbuild.1"
+      version: "v1.11.0-eksbuild.1"  # Note: Check for latest compatible version
       # this is important, otherwise environment property update will not work
       conflictResolution: "overwrite"
     - name: "coredns"
-      version: "v1.8.7-eksbuild.1"
+      version: "v1.8.7-eksbuild.1"  # Note: Check for latest compatible version
     - name: "kube-proxy"
-      version: "v1.22.6-eksbuild.1"
+      version: "v1.22.6-eksbuild.1"  # Note: Check for latest compatible version
 ```
 
 ## Creating IPv6 Self-managed Clusters
 
 To quickly deploy an IPv6 self-managed cluster, use the [IPv6 cluster template](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/templates/cluster-template-ipv6.yaml).
 
-When creating a self-managed cluster, you can define the Pod and Service CIDR. For example, you can define ULA IPv6 range `fd01::/48` for pod networking and `fd02::/112` for service networking.
+When creating a self-managed cluster, you can define the IPv6 Pod and Service CIDR. For example, you can define ULA IPv6 range `fd01::/48` for pod networking and `fd02::/112` for service networking.
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: "${CLUSTER_NAME}"
+spec:
+  clusterNetwork:
+    pods:
+      cidrBlocks:
+      - fd01::/48
+    services:
+      cidrBlocks:
+      - fd02::/112
+```
 
 <aside class="note warning">
 
 <h1>Warning</h1>
 
-**Action required**: Since coredns pods run on the single-stack IPv6 pod network, they will fail to resolve non-cluster DNS queries
-via the IPv4 upstream nameserver in `/etc/resolv.conf`.
+**DNS64/NAT64**: If you are configuring CAPA to create dualstack private subnets (by default) for an IPv6 cluster and need IPv6-only pods to reach IPv4-only internet services, you must enable [DNS64/NAT64](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html) as CAPA does not do so.
 
-The workaround is to edit the `coredns` ConfigMap to use Route53 Resolver nameserver `fd00:ec2::253`, by setting `forward . /etc/resolv.conf` part to `forward . fd00:ec2::253 /etc/resolv.conf`.
+**CoreDNS**: Since CoreDNS pods run on the single-stack IPv6 pod network, they will fail to resolve non-cluster DNS queries via the IPv4 upstream nameserver in `/etc/resolv.conf`.
+
+The workaround is to edit the `coredns` ConfigMap in namespace `kube-system` to use Route53 Resolver IPv6 nameserver `fd00:ec2::253`, by setting `forward . /etc/resolv.conf` part to `forward . fd00:ec2::253 /etc/resolv.conf`.
   ```bash
   kubectl -n kube-system edit cm/coredns
   ```
+
+**Note**: This CoreDNS workaround is NOT required for dualstack clusters where pods have both IPv4 and IPv6 addresses.
+
+</aside>
+
+## Creating Dualstack Self-managed Clusters
+
+To quickly deploy a dualstack self-managed cluster, use the [Dualstack cluster template](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/templates/cluster-template-dualstack.yaml).
+
+When creating a self-managed cluster, you can define both IPv4 and IPv6 Pod and Service CIDRs. For example:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: "${CLUSTER_NAME}"
+spec:
+  clusterNetwork:
+    pods:
+      cidrBlocks:
+      - 192.168.0.0/16
+      - fd01::/48
+    services:
+      cidrBlocks:
+      - 172.30.0.0/16
+      - fd02::/112
+```
+
+## Cloud Controller Manager IPv6 Support for Self-managed Clusters
+
+<aside class="note warning">
+<h1>Warning</h1>
+
+The AWS Cloud Controller Manager (CCM) does not currently support dualstack Load Balancers. When creating Services of type LoadBalancer in a dualstack cluster, they will be
+assigned addresses from only one IP family.
 </aside>
 
-### CNI IPv6 support
+**Node IP addresses**: You need to provide cloud-config to the CCM via a ConfigMap to set the `NodeIPFamilies` to include IPv6. This instructs the CCM to consider IPv6 in the node's network interface. If not, the CCM will only consider node's IPv4. This causes nodes to have only IPv4 and new pods with `hostNetwork: true` will only pick up the node's IPv4 address.
 
-By default, no CNI plugin is installed when provisioning a self-managed cluster. You need to install your own CNI solution that supports IPv6, for example, Calico with VXLAN.
+For example, provide the following ConfigMap to `cloud-controller-manager-addon`:
 
-You can find the guides to enable [IPv6](https://docs.tigera.io/calico/latest/networking/ipam/ipv6#ipv6) and [VXLAN](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) support for Calico on their official documentation. Or you can use a customized Calico manifests [here](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/test/e2e/data/cni/calico_ipv6.yaml) for IPv6.
+```yaml
+apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: cloud-config
+    namespace: kube-system
+  data:
+    cloud-config.conf: |
+      [Global]
+      NodeIPFamilies=ipv4
+      NodeIPFamilies=ipv6
+```
+
+And then provide the `cloud-config.conf` to the CCM DaemonSet as follows:
 
-**Note**: If you are using Calico as the CNI provider, ensure the CNI ingress rule allows VXLAN. You can set the rule in the `AWSCluster` resource, for example:
+```yaml
+spec:
+  containers:
+  - name: aws-cloud-controller-manager
+    image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.3
+    args:
+      - --v=2
+      - --cloud-provider=aws
+      - --use-service-account-credentials=true
+      - --configure-cloud-routes=false
+      - --cloud-config=/etc/kubernetes/cloud-config.conf # Define cloud-config file path
+    volumeMounts:
+    - name: cloud-config
+      mountPath: /etc/kubernetes/cloud-config.conf
+      subPath: cloud-config.conf
+  hostNetwork: true
+  volumes:
+  - name: cloud-config
+    configMap:
+      name: cloud-config
+```
+
+## CNI IPv6 Support for Self-managed Clusters
+
+By default, no CNI plugin is installed when provisioning a self-managed cluster. You need to install your own CNI solution that supports IPv6, for example, Calico with VXLAN. You can find the guides to enable [IPv6](https://docs.tigera.io/calico/latest/networking/ipam/ipv6) and [VXLAN](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) support for Calico on their official documentation.
+
+**Important notes for Calico with IPv6**:
+- Calico supports IPv6 with VXLAN encapsulation only (IP-in-IP is not supported for IPv6)
+- VXLAN for IPv6 requires kernel version ≥ 4.19.1 (or Red Hat kernel ≥ 4.18.0)
+- If you are using Calico as the CNI provider, ensure the CNI ingress rule allows VXLAN for cross-subnet communications. You can set the rule in the `AWSCluster` resource, for example:
 ```yaml
 spec:
   network:
     cni:
       cniIngressRules:
       # If using Calico as CNI provider, this rule is required.
       # Note: Calico currently supports IPv6 with VXLAN.
-      - description: "IPv6 VXLAN (calico)"
+      - description: "VXLAN (calico)"
         protocol: udp
         fromPort: 4789
         toPort: 4789
 ```
 
 ## IPv6 CIDR Allocations
 
+CAPA supports various methods to allocate an IPv6 CIDR to the cluster VPC.
+
 ### AWS-assigned IPv6 VPC CIDR
 
 To request AWS to automatically assign an IPv6 CIDR from an AWS defined address pool, use the following setting:
@@ -108,7 +221,11 @@ spec:
       ipv6: {}
 ```
 
-### BYOIPv6 VPC CIDR
+By default, Amazon provides one fixed size (`/56`) IPv6 CIDR block to a VPC.
+
+### Bring-your-own IPv6 VPC CIDR (EC2)
+
+If you own an IPv6 address space, you can import it into AWS EC2 IPv6 address pool (See [guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-requirements)). After importing it, you can assign /56 ranges from the space to individual VPCs in the same account.
 
 To define your own IPv6 address pool and CIDR set the following values:
 
@@ -121,11 +238,25 @@ spec:
         cidrBlock: "2009:1234:ff00::/56"
 ```
 
-There must already be a provisioned pool and a set of IPv6 CIDRs for that.
+### Bring-your-own IPv6 VPC CIDR via VPC Address Manager (VPC IPAM)
+
+If you want to allocate an IPv6 CIDR to the VPC from an existing VPC IPAM pool, define the pool ID and a prefix length as followed:
+
+```yaml
+spec:
+  network:
+    vpc:
+      ipv6:
+        ipamPool:
+          id: ipam-pool-id
+          netmaskLength: 56
+```
+
+By default, if you omit `netmaskLength`, CAPA will set it to the default `56`.
 
-### BYO IPv6 VPC
+### Bring-your-own IPv6 VPC
 
-If you have a dual stack VPC (i.e. CAPA will only use IPv6 for the cluster in this configuration) and you would like to use it, please define it in the `AWSCluster` specs:
+If you have an existing dualstack VPC that you would like to use, you must explicitly provide the IPv6 CIDR block and egress-only internet gateway ID specs:
 
 ```yaml
 spec:
@@ -138,7 +269,93 @@ spec:
         egressOnlyInternetGatewayId: eigw-1234567890abcdefg
 ```
 
-This has to be done explicitly because otherwise, it would break in the following two scenarios:
-- During an upgrade from 1.5 to >=2.0 where the VPC is ipv6 enabled, but CAPA was only recently made aware.
-- During a migration on the VPC, switching it from only IPv4 to Dual Stack (it would see that ipv6 is enabled and
-  enforce it while doing that would not have been the intention of the user).
+This has to be done to explicitly express the user intention to use the IPv6 capabilities of the VPC.
+
+## Mixing subnets of different IP families
+
+CAPA allows you to define the AZs the subnets should be created in, the number of subnets per AZ and whether a subnet is IPv4, dualstack, or IPv6-only. For example:
+
+```yaml
+spec:
+  network:
+    subnets:
+      # This creates a dualstack public subnet in us-east-1a
+      # Both cidrBlock + isIPv6==true
+    - cidrBlock: 10.0.0.0/20 
+      isIpv6: true
+      isPublic: true
+      availabilityZone: us-east-1a
+      id: ${CLUSTER_NAME}-subnet-public-us-east-1a
+    # This creates a dualstack public subnet in us-east-1b
+    # Both cidrBlock + isIPv6==true
+    - cidrBlock: 10.0.16.0/20
+      isIpv6: true
+      isPublic: true
+      availabilityZone: us-east-1b
+      id: ${CLUSTER_NAME}-subnet-public-us-east-1b
+    # This creates an IPv4 private subnet in us-east-1a
+    # Only cidrBlock defined + isIpv6==false (default)
+    - cidrBlock: 10.0.128.0/20 
+      isPublic: false
+      availabilityZone: us-east-1a
+      id: ${CLUSTER_NAME}-subnet-private-us-east-1a
+    # This creates an IPv6-only private subnet in us-east-1a
+    # cidrBlock is undefined + isIpv6==true
+    - isPublic: false
+      isIpv6: true
+      availabilityZone: us-east-1a
+      id: ${CLUSTER_NAME}-subnet-private-1-us-east-1a
+    # This creates an IPv4 private subnet in us-east-1b
+    # Only cidrBlock defined + isIpv6==false (default)
+    - cidrBlock: 10.0.144.0/20
+      isPublic: false
+      availabilityZone: us-east-1b
+      id: ${CLUSTER_NAME}-subnet-private-us-east-1b
+    # This creates an IPv6-only private subnet in us-east-1b
+    # cidrBlock is undefined + isIpv6==true
+    - isPublic: false
+      isIpv6: true
+      availabilityZone: us-east-1b
+      id: ${CLUSTER_NAME}-subnet-private-1-us-east-1b
+    vpc:
+      cidrBlock: 10.0.0.0/16
+      # The VPC IPv6 CIDR will be allocated by AWS.
+      ipv6: {}
+  region: us-east-1
+```
+
+A subnet IP specification is defined as follows (applied to managed VPC only):
+
+| Subnet Type | `isIPv6` | `cidrBlock` | `ipv6CidrBlock` | Notes |
+|-------------|----------|-------------|-----------------|-------|
+| **IPv4-only** | `false` or omitted | Required | N/A | Traditional IPv4 subnet |
+| **Dualstack** | `true` | Required | Optional | Auto-assigned from VPC CIDR if omitted |
+| **IPv6-only** | `true` | Omitted/empty | Optional | Auto-assigned from VPC CIDR if omitted |
+
+## IPv6 support for Local and Wavelength zones
+
+According to the AWS docs, the state of IPv6 support is as followed:
+
+- ❌ No IPv6 support for Wavelength zones. See [reference](https://docs.aws.amazon.com/wavelength/latest/developerguide/wavelength-quotas.html#vpc-considerations).
+- Limited support for Local zones, which requires a dedicate IPv6 CIDR for local zone network border group. See [reference](https://docs.aws.amazon.com/local-zones/latest/ug/how-local-zones-work.html#considerations).
+
+Thus, CAPA currently does not support creating IPv6-enabled subnets in Local and Wavelength zones.
+
+However, if you have an existing VPC with IPv6-only or dualstack subnets in Local zones, you can define them in the cluster spec.
+
+
+```yaml
+spec:
+  network:
+    subnets:
+    - id: "cluster-subnet-private-us-east-1-nyc-1a"
+    - id: "cluster-subnet-public-us-east-1-nyc-1a"
+    - id: "cluster-subnet-private-us-east-1-wl1-was-wlz-1"
+    - id: "cluster-subnet-public-us-east-1-wl1-was-wlz-1"
+    vpc:
+      id: vpc-1234567890abcdefg
+      cidrBlock: 10.0.0.0/16
+      ipv6:
+        cidrBlock: "2001:1234:ff00::/56"
+        egressOnlyInternetGatewayId: eigw-1234567890abcdefg
+```