cni: set default CNI ingress rules for IPv6 support

tthvo · tthvo · commit b1e9bd8352c6 · 2025-08-05T11:04:58.000-07:00
Calico does not support IP-in-IP on IPv6. The users must configure
Calico to use VXLAN instead. This adds the necessary default ingress
rule for VXLAN.
diff --git a/api/v1beta2/defaults.go b/api/v1beta2/defaults.go
@@ -50,6 +50,17 @@ func SetDefaults_NetworkSpec(obj *NetworkSpec) { //nolint:golint,stylecheck
 				},
 			},
 		}
+		// To support IPv6, calico must be configured to use VXLAN.
+		// According to https://github.com/projectcalico/calico/issues/5206,
+		// IP-in-IP is not yet supported on IPv6.
+		if obj.VPC.IsIPv6Enabled() {
+			obj.CNI.CNIIngressRules = append(obj.CNI.CNIIngressRules, CNIIngressRule{
+				Description: "VXLAN (calico)",
+				Protocol:    SecurityGroupProtocolUDP,
+				FromPort:    4789,
+				ToPort:      4789,
+			})
+		}
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,17 @@ func SetDefaults_NetworkSpec(obj *NetworkSpec) { //nolint:golint,stylecheck`
`50`	`50`	`},`
`51`	`51`	`},`
`52`	`52`	`}`
	`53`	`+ // To support IPv6, calico must be configured to use VXLAN.`
	`54`	`+ // According to https://github.com/projectcalico/calico/issues/5206,`
	`55`	`+ // IP-in-IP is not yet supported on IPv6.`
	`56`	`+ if obj.VPC.IsIPv6Enabled() {`
	`57`	`+ obj.CNI.CNIIngressRules = append(obj.CNI.CNIIngressRules, CNIIngressRule{`
	`58`	`+ Description: "VXLAN (calico)",`
	`59`	`+ Protocol: SecurityGroupProtocolUDP,`
	`60`	`+ FromPort: 4789,`
	`61`	`+ ToPort: 4789,`
	`62`	`+ })`
	`63`	`+ }`
`53`	`64`	`}`
`54`	`65`	`}`
`55`	`66`