7949ccb
validations: allow IPv6 configurations for unmanaged clusters
tthvo Jul 22, 2025
c1bafb0
ec2: enable primary IPv6 on ENI for EC2 instances
tthvo Jul 22, 2025
842f85a
ec2: support option HTTPProtocolIPv6 for EC2 IMDS
tthvo Jul 22, 2025
60308b2
routing: ensure routes to eigw are up to date
tthvo Jul 22, 2025
7826e7e
subnets: configure default subnets to use NAT64/DNS64
tthvo Jul 23, 2025
987bc9c
securitygroup: ensure icmpv6 is supported
tthvo Jul 23, 2025
7bbae60
securitygroup: allow setting allowed IPv6 CIDR for node NodePort serv…
tthvo Jul 28, 2025
cd6c178
securitygroup: allow configuring IPv6 source CIDRs for bastion SSH
tthvo Jul 28, 2025
1ebffda
crd: add IPv6 of bastion host to cluster status
tthvo Jul 30, 2025
2c7e1e4
template: manifest templates for IPv6-enabled cluster
tthvo Jul 29, 2025
da96854
cni: customized calico manifests for single-stack IPv6
tthvo Jul 29, 2025
cd7c9b2
docs: add documentations for enabling IPv6 in non-eks clusters
tthvo Jul 29, 2025
def75f2
validations: validate vpc and subnet CIDR
tthvo Aug 5, 2025
9851222
docs: update doc for enabling ipv6
tthvo Aug 6, 2025
ea41d67
cni: document the requirement for calico ipv6 support
tthvo Aug 8, 2025
bfbbb84
subnets: wait till IPv6 CIDR is associated with subnets
tthvo Sep 19, 2025
4d38ed3
sg: allow both ipv4 and ipv6 cidrs to API LB if vpc ipv6 block is def…
tthvo Sep 29, 2025
e5e3ad3
crd: clarify isIpv6 field on subnet spec
tthvo Jul 29, 2025
04d4286
api: add spec field to configure target group ipType
tthvo Oct 2, 2025
b8ca23a
subnets: auto-assign IPv6 CIDR blocks to subnets when not specified
tthvo Oct 6, 2025
3292f75
vpc: ipam pool under vpc.ipv6 should be used for VPC IPv6 CIDR
tthvo Oct 9, 2025
78cb9d4
subnets: only enable DNS64 for IPv6-only subnets
tthvo Oct 10, 2025
061134a
docs: add dualstack cluster support documentation
tthvo Oct 10, 2025
56 changes: 49 additions & 7 deletions pkg/cloud/services/ec2/instances.go
Expand Up @@ -585,14 +585,25 @@ func (s *Service) runInstance(role string, i *infrav1.Instance) (*infrav1.Instan

input.NetworkInterfaces = netInterfaces
} else {
input.NetworkInterfaces = []types.InstanceNetworkInterfaceSpecification{
{
DeviceIndex: aws.Int32(0),
SubnetId: aws.String(i.SubnetID),
Groups: i.SecurityGroupIDs,
AssociatePublicIpAddress: i.PublicIPOnLaunch,
},
netInterface := types.InstanceNetworkInterfaceSpecification{
DeviceIndex: aws.Int32(0),
SubnetId: aws.String(i.SubnetID),
Groups: i.SecurityGroupIDs,
AssociatePublicIpAddress: i.PublicIPOnLaunch,
}

// When registering targets by instance ID for an IPv6 target group, the targets must have an assigned primary IPv6 address.
// Use case: registering controlplane nodes to the API LBs.
enablePrimaryIpv6, err := s.shouldEnablePrimaryIpv6(i)
if err != nil {
return nil, fmt.Errorf("failed to determine whether to enable PrimaryIpv6 for instance: %w", err)
}
if enablePrimaryIpv6 {
netInterface.PrimaryIpv6 = aws.Bool(true)
netInterface.Ipv6AddressCount = aws.Int32(1)
}

input.NetworkInterfaces = []types.InstanceNetworkInterfaceSpecification{netInterface}
}

if i.NetworkInterfaceType != "" {
Expand Down Expand Up @@ -1307,3 +1318,34 @@ func getInstanceCPUOptionsRequest(cpuOptions infrav1.CPUOptions) *types.CpuOptio

return request
}

func (s *Service) shouldEnablePrimaryIpv6(i *infrav1.Instance) (bool, error) {

This method is making the assumption that when IPv6 is enabled, IPv6 would be the primary. If correct, could you please add that as a comment to this method?

Contributor Author


Right, PrimaryIpv6 attribute will be enabled on the instances when spec.network.vpc.ipv6 is non-nil (i.e. user intention to use IPv6) and the subnet to launch the instance has IPv6 (i.e. IPv6-only or dualstack).

I will add the above comment in. Thanks!

var enablePrimaryIpv6 bool

// We should enable IPv6 capabilities only when the users explicitly configure so.
if !s.scope.VPC().IsIPv6Enabled() {
return false, nil
}

sn := s.scope.Subnets().FindByID(i.SubnetID)
if sn != nil {
enablePrimaryIpv6 = sn.IsIPv6
} else {
// The subnet is in a different VPC than the cluster VPC. Then, we query AWS API.
sns, err := s.getFilteredSubnets(types.Filter{Name: aws.String("subnet-id"), Values: []string{i.SubnetID}})
if err != nil {
return false, fmt.Errorf("failed to find subnet info with id %q for instance: %w", i.SubnetID, err)
}
if len(sns) == 0 {
return false, fmt.Errorf("expected subnet %q for instance to exist, but found none", i.SubnetID)
}
for _, set := range sns[0].Ipv6CidrBlockAssociationSet {
if set.Ipv6CidrBlockState.State == types.SubnetCidrBlockStateCodeAssociated {
enablePrimaryIpv6 = true
break
}
}
}

return enablePrimaryIpv6, nil
}
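Review bot: In the fallback branch of shouldEnablePrimaryIpv6 (subnet not found in the cluster scope), `set.Ipv6CidrBlockState.State` is read without a nil check. As far as I know, `Ipv6CidrBlockState` is a pointer in the AWS SDK v2 EC2 types, so an association entry returned without a state would panic the controller in the runInstance path instead of returning an error. A guard keeps the loop safe: `if set.Ipv6CidrBlockState != nil && set.Ipv6CidrBlockState.State == types.SubnetCidrBlockStateCodeAssociated {`. Separately, this path gives the primary ENI an IPv6 address on a subnet the cluster does not manage, so a short comment noting that the groups in `i.SecurityGroupIDs` need IPv6 rules for such subnets would help operators who bring their own subnets.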