fix: host readiness probe on ipv6 in addition to ipv4 (#3765)

lucasl0st · web-flow · commit 9d7d164c5015 · 2025-08-20T15:31:36.000-06:00
Problem: the readiness probe endpoint is not available on IPv6. This is
a problem on IPv6 only clusters when using IPv6 for the pod network. The
gateway pod refuses to come up because the readyz condition never
fulfills.
Example: 
```
Warning  Unhealthy  88s (x160 over 26m)  kubelet            Readiness probe failed: Get "http://[fdd3:7046:2ad5:430a:39bb:bc6d:e254:a621]:8081/readyz": dial tcp [fdd3:7046:2ad5:430a:39bb:bc6d:e254:a621]:8081: connect: connection refused
```

Solution: host the readyz endpoint on IPv6 as well.
diff --git a/internal/controller/nginx/config/base_http_config.go b/internal/controller/nginx/config/base_http_config.go
@@ -12,8 +12,9 @@ var baseHTTPTemplate = gotemplate.Must(gotemplate.New("baseHttp").Parse(baseHTTP
 
 type httpConfig struct {
 	Includes                []shared.Include
-	HTTP2                   bool
 	NginxReadinessProbePort int32
+	IPFamily                shared.IPFamily
+	HTTP2                   bool
 }
 
 func executeBaseHTTPConfig(conf dataplane.Configuration) []executeResult {
@@ -23,6 +24,7 @@ func executeBaseHTTPConfig(conf dataplane.Configuration) []executeResult {
 		HTTP2:                   conf.BaseHTTPConfig.HTTP2,
 		Includes:                includes,
 		NginxReadinessProbePort: conf.BaseHTTPConfig.NginxReadinessProbePort,
+		IPFamily:                getIPFamily(conf.BaseHTTPConfig),
 	}
 
 	results := make([]executeResult, 0, len(includes)+1)
diff --git a/internal/controller/nginx/config/base_http_config_template.go b/internal/controller/nginx/config/base_http_config_template.go
@@ -26,7 +26,12 @@ map $request_uri $request_uri_path {
 
 # NGINX health check server block.
 server {
+		{{- if $.IPFamily.IPv4 }}
     listen {{ .NginxReadinessProbePort }};
+		{{- end }}
+		{{- if $.IPFamily.IPv6 }}
+    listen [::]:{{ .NginxReadinessProbePort }};
+		{{- end }}
 
     location = /readyz {
         access_log off;
diff --git a/internal/controller/nginx/config/base_http_config_test.go b/internal/controller/nginx/config/base_http_config_test.go
@@ -117,30 +117,71 @@ func TestExecuteBaseHttp_NginxReadinessProbePort(t *testing.T) {
 		},
 	}
 
-	customConfig := dataplane.Configuration{
+	customPortConfig := dataplane.Configuration{
 		BaseHTTPConfig: dataplane.BaseHTTPConfig{
 			NginxReadinessProbePort: 9090,
 		},
 	}
 
+	customIPv4Config := dataplane.Configuration{
+		BaseHTTPConfig: dataplane.BaseHTTPConfig{
+			NginxReadinessProbePort: dataplane.DefaultNginxReadinessProbePort,
+			IPFamily:                dataplane.IPv4,
+		},
+	}
+
+	customIPv6Config := dataplane.Configuration{
+		BaseHTTPConfig: dataplane.BaseHTTPConfig{
+			NginxReadinessProbePort: dataplane.DefaultNginxReadinessProbePort,
+			IPFamily:                dataplane.IPv6,
+		},
+	}
+
 	tests := []struct {
-		name           string
-		expectedPort   string
-		expectedListen string
-		conf           dataplane.Configuration
+		name             string
+		expectedPort     string
+		expectedListen   string
+		expectedNoListen string
+		conf             dataplane.Configuration
 	}{
 		{
 			name:           "default nginx readiness probe port",
 			conf:           defaultConfig,
 			expectedPort:   "8081",
 			expectedListen: "listen 8081;",
 		},
+		{
+			name:           "default nginx readiness probe port on ipv6",
+			conf:           defaultConfig,
+			expectedPort:   "8081",
+			expectedListen: "listen [::]:8081;",
+		},
 		{
 			name:           "custom nginx readiness probe 9090",
-			conf:           customConfig,
+			conf:           customPortConfig,
 			expectedPort:   "9090",
 			expectedListen: "listen 9090;",
 		},
+		{
+			name:           "custom nginx readiness probe 9090 on ipv6",
+			conf:           customPortConfig,
+			expectedPort:   "9090",
+			expectedListen: "listen [::]:9090;",
+		},
+		{
+			name:             "custom ipv4 nginx readiness probe does not have ipv6 listen",
+			conf:             customIPv4Config,
+			expectedPort:     "8081",
+			expectedListen:   "listen 8081;",
+			expectedNoListen: "listen [::]:8081;",
+		},
+		{
+			name:             "custom ipv6 nginx readiness probe does not have ipv4 listen",
+			conf:             customIPv6Config,
+			expectedPort:     "8081",
+			expectedListen:   "listen [::]:8081;",
+			expectedNoListen: "listen 8081;",
+		},
 	}
 
 	for _, test := range tests {
@@ -156,6 +197,11 @@ func TestExecuteBaseHttp_NginxReadinessProbePort(t *testing.T) {
 			// check that the listen directive contains the expected port
 			g.Expect(httpConfig).To(ContainSubstring(test.expectedListen))
 
+			// check that an additional listen directive is NOT set
+			if test.expectedNoListen != "" {
+				g.Expect(httpConfig).ToNot(ContainSubstring(test.expectedNoListen))
+			}
+
 			// check that the health check server block is present
 			g.Expect(httpConfig).To(ContainSubstring("server {"))
 			g.Expect(httpConfig).To(ContainSubstring("access_log off;"))
