Add workflow file to test ipv6 only in GKE

Author: shaun-nx

.github/workflows/ci.yml

@@ -301,6 +301,22 @@ jobs:
       image: ${{ matrix.image }}
       k8s-version: ${{ matrix.k8s-version }}
 
+  gke-ipv6-only-tests:
+    name: GKE IPv6 Only Tests
+    needs: [vars, build-oss]
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [nginx]
+        k8s-version:
+          [
+            "${{ needs.vars.outputs.k8s_latest }}",
+          ]
+    uses: ./.github/workflows/gke-ipv6-only.yml
+    with:
+      image: ${{ matrix.image }}
+      k8s-version: ${{ matrix.k8s-version }}
+
   conformance-tests:
     name: Conformance tests
     needs: [vars, build-oss, build-plus]

.github/workflows/gke-ipv6-only.yml

@@ -0,0 +1,269 @@
+name: GKE IPv6-Only Testing
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        required: true
+        type: string
+      k8s-version:
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  PLUS_USAGE_ENDPOINT: ${{ secrets.JWT_PLUS_REPORTING_ENDPOINT }}
+
+permissions:
+  contents: read
+
+jobs:
+  ipv6-only-tests:
+    name: Run IPv6-Only Tests
+    runs-on: ubuntu-24.04
+    if: ${{ !github.event.pull_request.head.repo.fork || inputs.image != 'plus' }}
+    env:
+      DOCKER_BUILD_SUMMARY: false
+    steps:
+      - name: Checkout Repository
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Login to GAR
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: us-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+        with:
+          project_id: ${{ secrets.GCP_PROJECT_ID }}
+          install_components: kubectl
+
+      - name: Create GKE cluster
+        working-directory: ./tests
+        run: make create-gke-cluster CI=true IPv6_ONLY=true
+
+      - name: Create and setup VM
+        working-directory: ./tests
+        run: make create-and-setup-vm
+
+      - name: Create and setup Router
+        working-directory: ./tests
+        run: make create-gke-router || true
+          
+      - name: Configure GOPROXY
+        id: goproxy
+        run: |
+          if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then
+          GOPROXY_VALUE="direct"
+          else
+          GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
+          fi
+          echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
+
+      - name: Setup Golang Environment
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - name: Set GOPATH
+        run: echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: NGF Docker meta
+        id: ngf-meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: |
+            name=ghcr.io/nginx/nginx-gateway-fabric
+          tags: |
+            type=semver,pattern={{version}}
+            type=schedule
+            type=edge
+            type=ref,event=pr
+            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+          
+      - name: NGINX Docker meta
+        id: nginx-meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: |
+            name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=edge
+            type=schedule
+            type=ref,event=pr
+            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+
+      - name: Build binary
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: v2.12.0 # renovate: datasource=github-tags depName=goreleaser/goreleaser
+          args: 
+            build --single-target --snapshot --clean --config=goreleaser.yml
+        env:
+          TELEMETRY_ENDPOINT: otel-collector-opentelemetry-collector.collector.svc.cluster.local:4317
+          TELEMETRY_ENDPOINT_INSECURE: "true"
+
+      - name: Build NGF Docker Image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: build/Dockerfile
+          tags: ${{ steps.ngf-meta.outputs.tags }}
+          context: "."
+          load: true
+          cache-from: type=gha,scope=ngf
+          pull: true
+          target: goreleaser
+
+      - name: Build NGINX Docker Image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}}
+          tags: ${{ steps.nginx-meta.outputs.tags }}
+          context: "."
+          load: true
+          cache-from: type=gha,scope=${{ inputs.image }}-ipv6
+          pull: true
+          build-args: |
+            NJS_DIR=internal/controller/nginx/modules/src
+            NGINX_CONF_DIR=internal/controller/nginx/conf
+            BUILD_AGENT=gha
+
+      # - name: Setup license file for plus
+      #   if: ${{ inputs.image == 'plus' }}
+      #   env:
+      #     PLUS_LICENSE: ${{ secrets.JWT_PLUS_REPORTING }}
+      #   run: echo "${PLUS_LICENSE}" > license.jwt
+
+      # - name: Deploy IPv6-Only Kubernetes
+      #   id: k8s
+      #   run: |
+      #     # Enable IPv6 and container network options
+      #     # sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0
+      #     # sudo sysctl -w net.ipv6.conf.all.forwarding=1
+
+      #     # Create IPv6-only kind cluster
+      #     kind create cluster \
+      #     --name ${{ github.run_id }}-ipv6 \
+      #     --image=kindest/node:${{ inputs.k8s-version }} \
+      #     --config=config/cluster/kind-ipv6-only.yaml
+
+      #     # Load images into the cluster
+      #     kind load docker-image ${{ join(fromJSON(steps.ngf-meta.outputs.json).tags, ' ') }} ${{ join(fromJSON(steps.nginx-meta.outputs.json).tags, ' ') }} --name ${{ github.run_id }}-ipv6
+
+      #     # Verify nodes are ipv6 only
+      #     kubectl get nodes -o wide
+
+      - name: Push Docker Images to GAR
+        # if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: "."
+          push: true
+          tags: |
+            ${{ steps.ngf-meta.outputs.tags }}
+            ${{ steps.nginx-meta.outputs.tags }}
+
+      - name: Install NGF with IPv6 Configuration
+        run: |
+          ngf_prefix=ghcr.io/nginx/nginx-gateway-fabric
+          ngf_tag=${{ steps.ngf-meta.outputs.version }}
+          # Install with IPv6-specific configuration
+          CLUSTER_NAME=${{ github.run_id }}-ipv6 \
+          HELM_PARAMETERS="--set nginx.config.ipFamily=ipv6 --set nginx.service.type=ClusterIP" \
+          make helm-install-local${{ inputs.image == 'plus' && '-with-plus' || ''}} PREFIX=${ngf_prefix} TAG=${ngf_tag}
+        working-directory: ./tests
+
+      - name: Deploy Test Applications
+        run: |
+          kubectl apply -f tests/manifests/ipv6-test-app.yaml
+
+      - name: Wait for NGF and Applications to be Ready
+        run: |
+          echo "Waiting for NGF to be ready..."
+          kubectl wait --for=condition=available --timeout=300s deployment/nginx-gateway -n nginx-gateway
+          echo "Waiting for test applications to be ready..."
+          kubectl wait --for=condition=available --timeout=300s deployment/test-app-ipv6
+
+      - name: Deploy IPv6 Test Client
+        run: |
+          kubectl apply -f tests/manifests/test-client-ipv6.yaml
+          kubectl wait --for=condition=ready --timeout=300s pod/ipv6-test-client
+
+      - name: Get NGF IPv6 Address
+        id: ngf-address
+        run: |
+          # Get the NGF service IPv6 address
+          NGF_IPV6=$(kubectl get service nginx-gateway -n nginx-gateway -o jsonpath='{.spec.clusterIP}')
+          echo "NGF IPv6 Address: $NGF_IPV6"
+          echo "ngf_ipv6=$NGF_IPV6" >> $GITHUB_OUTPUT
+
+      - name: Run IPv6 Connectivity Tests
+        run: |
+          echo "=== Running IPv6-Only Tests ==="
+          # Test 1: Basic connectivity test using test client pod
+          echo "Test 1: Basic IPv6 connectivity"
+          kubectl exec ipv6-test-client -- curl --version
+          kubectl exec ipv6-test-client -- nslookup nginx-gateway.nginx-gateway.svc.cluster.local
+          # Test 2: Test NGF service directly via IPv6
+          echo "Test 2: NGF Service IPv6 connectivity"
+          kubectl exec ipv6-test-client -- curl -6 --connect-timeout 30 --max-time 60 -v \
+          -H "Host: ipv6-test.example.com" \
+          "http://[${{ steps.ngf-address.outputs.ngf_ipv6 }}]:80/" || echo "Direct NGF test failed"
+          # Test 3: Test via service DNS
+          echo "Test 3: Service DNS IPv6 connectivity"
+          kubectl exec ipv6-test-client -- curl -6 --connect-timeout 30 --max-time 60 -v \
+          -H "Host: ipv6-test.example.com" \
+          "http://nginx-gateway.nginx-gateway.svc.cluster.local:80/" || echo "Service DNS test failed"
+
+      - name: Validate IPv6-Only Configuration
+        run: |
+          echo "=== Validating IPv6-Only Configuration ==="
+          # Check NGF configuration
+          echo "NGF Pod IPv6 addresses:"
+          kubectl get pods -n nginx-gateway -o wide
+          echo "NGF Service configuration:"
+          kubectl get service nginx-gateway -n nginx-gateway -o yaml
+          echo "Gateway and HTTPRoute status:"
+          kubectl get gateway,httproute -A -o wide
+          echo "Test application service configuration:"
+          kubectl get service test-app-ipv6-service -o yaml
+
+      - name: Collect Logs
+        if: always()
+        run: |
+          echo "=== Collecting logs for debugging ==="
+          echo "NGF Controller logs:"
+          kubectl logs -n nginx-gateway deployment/nginx-gateway -c nginx-gateway-controller --tail=100 || true
+          echo "NGINX logs:"
+          kubectl logs -n nginx-gateway deployment/nginx-gateway -c nginx --tail=100 || true
+          echo "Test client logs:"
+          kubectl logs ipv6-test-client --tail=100 || true
+          echo "Cluster events:"
+          kubectl get events --sort-by='.lastTimestamp' --all-namespaces --tail=50 || true
+          
+      - name: Cleanup
+        if: always()
+        env:
+          RUN_ID: ${{ github.run_id }}
+        run: |
+          kind delete cluster --name "$RUN_ID-ipv6" || true

.github/workflows/ipv6-only.yml

@@ -66,6 +66,7 @@ jobs:
             type=edge
             type=ref,event=pr
             type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+
       - name: NGINX Docker meta
         id: nginx-meta
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
@@ -78,6 +79,7 @@ jobs:
             type=schedule
             type=ref,event=pr
             type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+
       - name: Build binary
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
@@ -112,6 +114,7 @@ jobs:
             NJS_DIR=internal/controller/nginx/modules/src
             NGINX_CONF_DIR=internal/controller/nginx/conf
             BUILD_AGENT=gha
+
       - name: Setup license file for plus
         if: ${{ inputs.image == 'plus' }}
         env:
@@ -136,6 +139,7 @@ jobs:
 
           # Verify nodes are ipv6 only
           kubectl get nodes -o wide
+
       - name: Install NGF with IPv6 Configuration
         run: |
           ngf_prefix=ghcr.io/nginx/nginx-gateway-fabric
@@ -144,6 +148,7 @@ jobs:
           CLUSTER_NAME=${{ github.run_id }}-ipv6 \
           HELM_PARAMETERS="--set nginx.config.ipFamily=ipv6 --set nginx.service.type=ClusterIP" \
           make helm-install-local${{ inputs.image == 'plus' && '-with-plus' || ''}} PREFIX=${ngf_prefix} TAG=${ngf_tag}
+
         working-directory: ./tests
 
       - name: Deploy Test Applications
@@ -213,6 +218,7 @@ jobs:
           kubectl logs ipv6-test-client --tail=100 || true
           echo "Cluster events:"
           kubectl get events --sort-by='.lastTimestamp' --all-namespaces --tail=50 || true
+          
       - name: Cleanup
         if: always()
         env:

tests/Makefile

@@ -1,4 +1,5 @@
 CI ?= false
+IPv6_ONLY ?= false
 CLUSTER_NAME ?= kind
 CONFORMANCE_PREFIX = conformance-test-runner## Prefix for the conformance test runner image
 CONFORMANCE_TAG = latest## Tag for the conformance test runner image
@@ -90,7 +91,7 @@ setup-gcp-and-run-nfr-tests: create-gke-router create-and-setup-vm nfr-test ## C
 
 .PHONY: create-gke-cluster
 create-gke-cluster: ## Create a GKE cluster
-	./scripts/create-gke-cluster.sh $(CI)
+	./scripts/create-gke-cluster.sh $(CI) $(IPv6_ONLY)
 
 .PHONY: create-and-setup-vm
 create-and-setup-vm: ## Create and setup a GCP VM for tests

tests/scripts/create-gke-cluster.sh

@@ -8,6 +8,17 @@ ip_random_digit=$((1 + RANDOM % 250))
 
 IS_CI=${1:-false}
 
+IPV6_ENABLE=${2:-${IPV6_ENABLE:-false}}
+
+IPV6_FLAGS=""
+if [ "$IPV6_ENABLE" = "true" ]; then
+  IPV6_FLAGS="\
+    --enable-ipv6 \
+    --cluster-ipv6-cidr=fd00:1234::/56 \
+    --services-ipv6-cidr=fd00:4321::/112 \
+    --create-subnetwork name=\"${GKE_CLUSTER_NAME}-subnet\",range=10.0.0.0/16,fd00:abcd::/64,stack-type=IPV4_IPV6"
+fi
+
 if [ -z "$GKE_MACHINE_TYPE" ]; then
     # If the environment variable is not set, use a default value
     GKE_MACHINE_TYPE="e2-medium"
@@ -31,7 +42,8 @@ gcloud container clusters create "${GKE_CLUSTER_NAME}" \
     --logging=SYSTEM,WORKLOAD \
     --machine-type "${GKE_MACHINE_TYPE}" \
     --num-nodes "${GKE_NUM_NODES}" \
-    --no-enable-insecure-kubelet-readonly-port
+    --no-enable-insecure-kubelet-readonly-port \
+    $IPV6_FLAGS
 
 # Add current IP to GKE master control node access, if this script is not invoked during a CI run.
 if [ "${IS_CI}" = "false" ]; then