Add support for target group IP address type configuration IPv4, IPv6 (#770)

Implement support for configuring target group IP address types (ipv4 or
ipv6) in Network Load Balancer (NLB) and Application Load Balancer (ALB)
configurations.

Changes:
- Add --target-group-ip-addr-type CLI flag to specify target group IP
address type
- Add targetGroupIPAddressType field to Adapter for storing the
configuration
- Update CloudFormation templates to include
TargetGroupIPAddressTypeParameter

This feature allows dual-stack NLB to be connected with IPv6 address
type target groups.


Signed-off-by: speruri <surya.srikar.peruri@zalando.de>

Author: ayruslore

README.md

@@ -40,9 +40,16 @@ This information is used to manage AWS resources for each ingress objects of the
 - Suppport for `ipv4` and `dualstack` ip address types for ALB and NLB
     - set default ip address type for both ALB and NLB using `--ip-addr-type=dualstack`
     - set specific ip address type for a particular ALB or NLB by using the annotation `alb.ingress.kubernetes.io/ip-address-type: dualstack` in the ingress of the resource
+- Support for `ipv4` and `ipv6` target group IP address types for ALB and NLB
+    - set default target group IP address type using `--target-group-ip-address-type=ipv6`
+    - IPv6 targets require dualstack load balancers (`--ip-addr-type=dualstack`)
 
 ## Upgrade
 
+### <v0.19 to >=v0.19
+
+Version `v0.19` adds support for IPv6 target group IP address type. When using IPv6 targets, ensure your load balancer is configured as dualstack (`--ip-addr-type=dualstack` or `alb.ingress.kubernetes.io/ip-address-type: dualstack`). IPv4-only load balancers cannot route to IPv6 targets and will fail with a clear error message.
+
 ### <v0.18.0 to >=v0.18.0
 
 Version `v0.18.0` vendors-in https://github.com/mweagle/go-cloudformation library to enable addition of missing CloudFormation features.

VERSION

@@ -1 +1 @@
-v0.18
+v0.19

aws/adapter.go

@@ -63,6 +63,7 @@ type Adapter struct {
 	controllerID                string
 	sslPolicy                   string
 	ipAddressType               string
+	targetGroupIPAddressType    string
 	albLogsS3Bucket             string
 	albLogsS3Prefix             string
 	nlbZoneAffinity             string
@@ -118,6 +119,8 @@ const (
 	DefaultSslPolicy = "ELBSecurityPolicy-2016-08"
 	// DefaultIpAddressType sets IpAddressType to "ipv4", it is either ipv4 or dualstack
 	DefaultIpAddressType = "ipv4"
+	// DefaultTargetGroupIPAddressType sets TargetGroupIPAddressType to "ipv4", it is either ipv4 or ipv6
+	DefaultTargetGroupIPAddressType = "ipv4"
 	// DefaultAlbS3LogsBucket is a blank string, and must be set if enabled
 	DefaultAlbS3LogsBucket = ""
 	// DefaultAlbS3LogsPrefix is a blank string, and optionally set if desired
@@ -138,6 +141,7 @@ const (
 	LoadBalancerTypeApplication = "application"
 	LoadBalancerTypeNetwork     = "network"
 	IPAddressTypeIPV4           = "ipv4"
+	IPAddressTypeIPV6           = "ipv6"
 	IPAddressTypeDualstack      = "dualstack"
 
 	TargetAccessModeAWSCNI   = "AWSCNI"
@@ -263,6 +267,7 @@ func NewAdapter(ctx context.Context, clusterID, newControllerID, vpcID string, d
 		controllerID:               newControllerID,
 		sslPolicy:                  DefaultSslPolicy,
 		ipAddressType:              DefaultIpAddressType,
+		targetGroupIPAddressType:   DefaultTargetGroupIPAddressType,
 		albLogsS3Bucket:            DefaultAlbS3LogsBucket,
 		albLogsS3Prefix:            DefaultAlbS3LogsPrefix,
 		nlbCrossZone:               DefaultNLBCrossZone,
@@ -442,6 +447,15 @@ func (a *Adapter) WithIpAddressType(ipAddressType string) *Adapter {
 	return a
 }
 
+// WithTargetGroupIPAddressType returns the receiver with ipv4 or ipv6 configuration for target groups, defaults to ipv4.
+func (a *Adapter) WithTargetGroupIPAddressType(ipAddressType string) *Adapter {
+	switch ipAddressType {
+	case IPAddressTypeIPV4, IPAddressTypeIPV6:
+		a.targetGroupIPAddressType = ipAddressType
+	}
+	return a
+}
+
 // WithAlbLogsS3Bucket returns the receiver adapter after changing the S3 bucket for logging
 func (a *Adapter) WithAlbLogsS3Bucket(bucket string) *Adapter {
 	a.albLogsS3Bucket = bucket
@@ -784,6 +798,10 @@ func (a *Adapter) CreateStack(ctx context.Context, certificateARNs []string, sch
 		return "", fmt.Errorf("invalid SSLPolicy '%s' defined", sslPolicy)
 	}
 
+	if ipAddressType == IPAddressTypeIPV4 && a.targetGroupIPAddressType == IPAddressTypeIPV6 {
+		return "", fmt.Errorf("cannot use %s target group with %s load balancer; use dualstack load balancer for IPv6 targets", a.targetGroupIPAddressType, ipAddressType)
+	}
+
 	spec := &stackSpec{
 		name:            a.stackName(),
 		scheme:          scheme,
@@ -814,6 +832,7 @@ func (a *Adapter) CreateStack(ctx context.Context, certificateARNs []string, sch
 		controllerID:                      a.controllerID,
 		sslPolicy:                         sslPolicy,
 		ipAddressType:                     ipAddressType,
+		targetGroupIPAddressType:          a.targetGroupIPAddressType,
 		loadbalancerType:                  loadBalancerType,
 		albLogsS3Bucket:                   a.albLogsS3Bucket,
 		albLogsS3Prefix:                   a.albLogsS3Prefix,
@@ -841,6 +860,10 @@ func (a *Adapter) UpdateStack(ctx context.Context, stackName string, certificate
 		return "", fmt.Errorf("invalid SSLPolicy '%s' defined", sslPolicy)
 	}
 
+	if ipAddressType == IPAddressTypeIPV4 && a.targetGroupIPAddressType == IPAddressTypeIPV6 {
+		return "", fmt.Errorf("invalid TargetGroupIPAddressType %q defined for IPAddressType %q", a.targetGroupIPAddressType, ipAddressType)
+	}
+
 	spec := &stackSpec{
 		name:            stackName,
 		scheme:          scheme,
@@ -871,6 +894,7 @@ func (a *Adapter) UpdateStack(ctx context.Context, stackName string, certificate
 		controllerID:                      a.controllerID,
 		sslPolicy:                         sslPolicy,
 		ipAddressType:                     ipAddressType,
+		targetGroupIPAddressType:          a.targetGroupIPAddressType,
 		loadbalancerType:                  loadBalancerType,
 		albLogsS3Bucket:                   a.albLogsS3Bucket,
 		albLogsS3Prefix:                   a.albLogsS3Prefix,

aws/cf.go

@@ -21,23 +21,24 @@ const (
 
 // Stack is a simple wrapper around a CloudFormation Stack.
 type Stack struct {
-	Name              string
-	status            types.StackStatus
-	statusReason      string
-	LoadBalancerARN   string
-	DNSName           string
-	Scheme            string
-	SecurityGroup     string
-	SSLPolicy         string
-	IpAddressType     string
-	LoadBalancerType  string
-	HTTP2             bool
-	OwnerIngress      string
-	CWAlarmConfigHash string
-	TargetGroupARNs   []string
-	WAFWebACLID       string
-	CertificateARNs   map[string]time.Time
-	tags              map[string]string
+	Name                     string
+	status                   types.StackStatus
+	statusReason             string
+	LoadBalancerARN          string
+	DNSName                  string
+	Scheme                   string
+	SecurityGroup            string
+	SSLPolicy                string
+	IpAddressType            string
+	LoadBalancerType         string
+	HTTP2                    bool
+	OwnerIngress             string
+	CWAlarmConfigHash        string
+	TargetGroupARNs          []string
+	WAFWebACLID              string
+	CertificateARNs          map[string]time.Time
+	tags                     map[string]string
+	targetGroupIPAddressType string
 }
 
 // IsComplete returns true if the stack status is a complete state.
@@ -151,6 +152,7 @@ const (
 	parameterTargetGroupTargetPortParameter          = "TargetGroupTargetPortParameter"
 	parameterTargetGroupHTTPTargetPortParameter      = "TargetGroupHTTPTargetPortParameter"
 	parameterTargetGroupVPCIDParameter               = "TargetGroupVPCIDParameter"
+	parameterTargetGroupIPAddressTypeParameter       = "TargetGroupIPAddressTypeParameter"
 	parameterListenerSslPolicyParameter              = "ListenerSslPolicyParameter"
 	parameterIpAddressTypeParameter                  = "IpAddressType"
 	parameterLoadBalancerTypeParameter               = "Type"
@@ -183,6 +185,7 @@ type stackSpec struct {
 	controllerID                      string
 	sslPolicy                         string
 	ipAddressType                     string
+	targetGroupIPAddressType          string
 	loadbalancerType                  string
 	albLogsS3Bucket                   string
 	albLogsS3Prefix                   string
@@ -241,6 +244,7 @@ func createStack(ctx context.Context, svc CloudFormationAPI, spec *stackSpec) (s
 			cfParam(parameterLoadBalancerSubnetsParameter, strings.Join(spec.subnets, ",")),
 			cfParam(parameterTargetGroupVPCIDParameter, spec.vpcID),
 			cfParam(parameterTargetGroupTargetPortParameter, fmt.Sprintf("%d", spec.targetPort)),
+			cfParam(parameterTargetGroupIPAddressTypeParameter, spec.targetGroupIPAddressType),
 			cfParam(parameterListenerSslPolicyParameter, spec.sslPolicy),
 			cfParam(parameterIpAddressTypeParameter, spec.ipAddressType),
 			cfParam(parameterLoadBalancerTypeParameter, spec.loadbalancerType),
@@ -317,6 +321,7 @@ func updateStack(ctx context.Context, svc CloudFormationAPI, spec *stackSpec) (s
 			cfParam(parameterTargetGroupVPCIDParameter, spec.vpcID),
 			cfParam(parameterTargetGroupTargetPortParameter, fmt.Sprintf("%d", spec.targetPort)),
 			cfParam(parameterListenerSslPolicyParameter, spec.sslPolicy),
+			cfParam(parameterTargetGroupIPAddressTypeParameter, spec.targetGroupIPAddressType),
 			cfParam(parameterIpAddressTypeParameter, spec.ipAddressType),
 			cfParam(parameterLoadBalancerTypeParameter, spec.loadbalancerType),
 			cfParam(parameterHTTP2Parameter, fmt.Sprintf("%t", spec.http2)),
@@ -490,24 +495,30 @@ func mapToManagedStack(stack *types.Stack) *Stack {
 		http2 = false
 	}
 
+	targetGroupIPAddressType := parameters[parameterTargetGroupIPAddressTypeParameter]
+	if targetGroupIPAddressType == "" {
+		targetGroupIPAddressType = DefaultTargetGroupIPAddressType
+	}
+
 	return &Stack{
-		Name:              aws.ToString(stack.StackName),
-		LoadBalancerARN:   outputs.loadBalancerARN(),
-		DNSName:           outputs.dnsName(),
-		TargetGroupARNs:   outputs.targetGroupARNs(),
-		Scheme:            parameters[parameterLoadBalancerSchemeParameter],
-		SecurityGroup:     parameters[parameterLoadBalancerSecurityGroupParameter],
-		SSLPolicy:         parameters[parameterListenerSslPolicyParameter],
-		IpAddressType:     parameters[parameterIpAddressTypeParameter],
-		LoadBalancerType:  parameters[parameterLoadBalancerTypeParameter],
-		HTTP2:             http2,
-		CertificateARNs:   certificateARNs,
-		tags:              tags,
-		OwnerIngress:      ownerIngress,
-		status:            stack.StackStatus,
-		statusReason:      aws.ToString(stack.StackStatusReason),
-		CWAlarmConfigHash: tags[cwAlarmConfigHashTag],
-		WAFWebACLID:       parameters[parameterLoadBalancerWAFWebACLIDParameter],
+		Name:                     aws.ToString(stack.StackName),
+		LoadBalancerARN:          outputs.loadBalancerARN(),
+		DNSName:                  outputs.dnsName(),
+		TargetGroupARNs:          outputs.targetGroupARNs(),
+		Scheme:                   parameters[parameterLoadBalancerSchemeParameter],
+		SecurityGroup:            parameters[parameterLoadBalancerSecurityGroupParameter],
+		SSLPolicy:                parameters[parameterListenerSslPolicyParameter],
+		IpAddressType:            parameters[parameterIpAddressTypeParameter],
+		LoadBalancerType:         parameters[parameterLoadBalancerTypeParameter],
+		HTTP2:                    http2,
+		CertificateARNs:          certificateARNs,
+		tags:                     tags,
+		OwnerIngress:             ownerIngress,
+		status:                   stack.StackStatus,
+		statusReason:             aws.ToString(stack.StackStatusReason),
+		CWAlarmConfigHash:        tags[cwAlarmConfigHashTag],
+		WAFWebACLID:              parameters[parameterLoadBalancerWAFWebACLIDParameter],
+		targetGroupIPAddressType: targetGroupIPAddressType,
 	}
 }
 

aws/cf_template.go

@@ -87,6 +87,11 @@ func generateTemplate(spec *stackSpec) (string, error) {
 			Type:        "AWS::EC2::VPC::Id",
 			Description: "The VPCID for the TargetGroup",
 		},
+		parameterTargetGroupIPAddressTypeParameter: {
+			Type:        "String",
+			Description: "Target group IP Address Type, 'ipv4' or 'ipv6'",
+			Default:     IPAddressTypeIPV4,
+		},
 		parameterListenerSslPolicyParameter: {
 			Type:        "String",
 			Description: "The HTTPS SSL Security Policy Name",
@@ -495,6 +500,7 @@ func newTargetGroup(spec *stackSpec, targetPortParameter string) *cloudformation
 		HealthCheckProtocol:        cloudformation.String(healthCheckProtocol),
 		HealthyThresholdCount:      cloudformation.Integer(int64(healthyThresholdCount)),
 		UnhealthyThresholdCount:    cloudformation.Integer(int64(unhealthyThresholdCount)),
+		IPAddressType:              cloudformation.Ref(parameterTargetGroupIPAddressTypeParameter).String(),
 		Port:                       cloudformation.Ref(targetPortParameter).Integer(),
 		Protocol:                   cloudformation.String(protocol),
 		TargetType:                 targetType,