Use IPv6-enabled proxy-init

Followup to linkerd/linkerd2-proxy-init#350

In support of the new proxy-init flags `--iptables-mode` and `--ipv6`:

- For the linkerd-control-plane chart added the values.yaml entry `enableIPv6` (defaults to true). The `proxyInit.iptablesMode` was already there, but we interpret it now slightly differently in `_proxy-init.tpl`.
- For the linkerd2-cni chart added the entries `iptablesMode` (defaults to "legacy") and `enableIPv6` (defaults to true).

Note this allows routing IPv6 traffic to the proxy, but it's just the first step towards IPv6/dual-stack support. More control plane and proxy changes will come up next.

*Do not merge yet*: We're pulling the images `ghcr.io/alpeb/proxy-init:ipv6` and `ghcr.io/alpeb/cni-plugin:ipv6` as temporary builds for linkerd/linkerd2-proxy-init#350, while that gets released.

Author: alpeb

.github/workflows/integration.yml

@@ -29,7 +29,7 @@ permissions:
 env:
   CARGO_INCREMENTAL: 0
   CARGO_NET_RETRY: 10
-  DOCKER_REGISTRY: ghcr.io/linkerd
+  DOCKER_REGISTRY: ghcr.io/alpeb
   GH_ANNOTATION: true
   K3D_VERSION: v5.4.4
   RUST_BACKTRACE: short

charts/linkerd-control-plane/README.md

@@ -161,6 +161,7 @@ Kubernetes: `>=1.22.0-0`
 | disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob |
 | enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on |
 | enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading |
+| enableIPv6 | bool | `true` | enables routing IPv6 traffic in addition to IPv4 traffic through the proxy |
 | enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
 | enablePodAntiAffinity | bool | `false` | enables pod anti affinity creation on deployments for high availability |
 | enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for control plane components |
@@ -269,9 +270,9 @@ Kubernetes: `>=1.22.0-0`
 | proxyInit.closeWaitTimeoutSecs | int | `0` |  |
 | proxyInit.ignoreInboundPorts | string | `"4567,4568"` | Default set of inbound ports to skip via iptables - Galera (4567,4568) |
 | proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) |
-| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
+| proxyInit.image.name | string | `"ghcr.io/alpeb/proxy-init"` | Docker image for the proxy-init container |
 | proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image |
-| proxyInit.image.version | string | `"v2.2.4"` | Tag for the proxy-init container image |
+| proxyInit.image.version | string | `"ipv6"` | Tag for the proxy-init container image |
 | proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
 | proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
 | proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |

charts/linkerd-control-plane/values.yaml

@@ -32,6 +32,8 @@ deploymentStrategy:
 # enableEndpointSlices should be set to true only if EndpointSlice K8s feature
 # gate is on
 enableEndpointSlices: true
+# -- enables routing IPv6 traffic in addition to IPv4 traffic through the proxy
+enableIPv6: true
 # -- enables pod anti affinity creation on deployments for high availability
 enablePodAntiAffinity: false
 # -- enables the use of pprof endpoints on control plane component's admin
@@ -264,7 +266,7 @@ proxyInit:
     # @default -- imagePullPolicy
     pullPolicy: ""
     # -- Tag for the proxy-init container image
-    version: v2.2.4
+    version: ipv6
   resources:
     cpu:
       # -- Maximum amount of CPU units that the proxy-init container can use

charts/linkerd2-cni/README.md

@@ -25,15 +25,17 @@ Kubernetes: `>=1.22.0-0`
 | commonLabels | object | `{}` | Labels to apply to all resources |
 | destCNIBinDir | string | `"/opt/cni/bin"` | Directory on the host where the CNI configuration will be placed |
 | destCNINetDir | string | `"/etc/cni/net.d"` | Directory on the host where the CNI plugin binaries reside |
+| enableIPv6 | bool | `true` | Enables adding IPv6 rules on top of IPv4 rules |
 | enablePSP | bool | `false` | Add a PSP resource and bind it to the linkerd-cni ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
 | extraInitContainers | list | `[]` | Add additional initContainers to the daemonset |
 | ignoreInboundPorts | string | `""` | Default set of inbound ports to skip via iptables |
 | ignoreOutboundPorts | string | `""` | Default set of outbound ports to skip via iptables |
-| image.name | string | `"cr.l5d.io/linkerd/cni-plugin"` | Docker image for the CNI plugin |
+| image.name | string | `"ghcr.io/alpeb/cni-plugin"` | Docker image for the CNI plugin |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linkerd-cni container |
-| image.version | string | `"v1.3.0"` | Tag for the CNI container Docker image |
+| image.version | string | `"ipv6"` | Tag for the CNI container Docker image |
 | imagePullSecrets | list | `[]` |  |
 | inboundProxyPort | int | `4143` | Inbound port for the proxy container |
+| iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing |
 | logLevel | string | `"info"` | Log level for the CNI plugin |
 | outboundProxyPort | int | `4140` | Outbound port for the proxy container |
 | podLabels | object | `{}` | Additional labels to add to all pods |

charts/linkerd2-cni/templates/cni-plugin.yaml

@@ -176,7 +176,9 @@ data:
         ],
         {{- end }}
         "simulate": false,
-        "use-wait-flag": {{.Values.useWaitFlag}}
+        "use-wait-flag": {{.Values.useWaitFlag}},
+        "iptables-mode": {{.Values.iptablesMode | quote}},
+        "ipv6": {{.Values.enableIPv6}}
       }
     }
 ---

charts/linkerd2-cni/values.yaml

@@ -26,6 +26,10 @@ destCNINetDir:    "/etc/cni/net.d"
 destCNIBinDir:    "/opt/cni/bin"
 # -- Configures the CNI plugin to use the -w flag for the iptables command
 useWaitFlag:      false
+# -- Variant of iptables that will be used to configure routing
+iptablesMode: "legacy"
+# -- Enables adding IPv6 rules on top of IPv4 rules
+enableIPv6: true
 # -- Kubernetes priorityClassName for the CNI plugin's Pods
 priorityClassName: ""
 
@@ -51,9 +55,9 @@ tolerations:
 # -|- Image section
 image:
   # -- Docker image for the CNI plugin
-  name: "cr.l5d.io/linkerd/cni-plugin"
+  name: "ghcr.io/alpeb/cni-plugin"
   # -- Tag for the CNI container Docker image
-  version: "v1.3.0"
+  version: "ipv6"
   # -- Pull policy for the linkerd-cni container
   pullPolicy: IfNotPresent
 

charts/partials/templates/_proxy-init.tpl

@@ -1,12 +1,11 @@
 {{- define "partials.proxy-init" -}}
-args:
-{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }}
-- --firewall-bin-path
-- "iptables-nft"
-- --firewall-save-bin-path
-- "iptables-nft-save"
-{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }}
+{{ if not (has .Values.proxyInit.iptablesMode (list "nft" "legacy")) -}}
 {{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }}
+{{end -}}
+args:
+- --iptables-mode={{.Values.proxyInit.iptablesMode}}
+{{- if .Values.enableIPv6 }}
+- --ipv6
 {{- end }}
 - --incoming-proxy-port
 - {{.Values.proxy.ports.inbound | quote}}

cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml

@@ -171,6 +171,8 @@ spec:
           name: http
       initContainers:
       - args:
+        - --iptables-mode=legacy
+        - --ipv6
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -181,7 +183,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.2.4
+        image: ghcr.io/alpeb/proxy-init:ipv6
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:

cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml

@@ -171,6 +171,8 @@ spec:
           name: server
       initContainers:
       - args:
+        - --iptables-mode=legacy
+        - --ipv6
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -181,7 +183,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.2.4
+        image: ghcr.io/alpeb/proxy-init:ipv6
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:
@@ -394,6 +396,8 @@ spec:
           name: http
       initContainers:
       - args:
+        - --iptables-mode=legacy
+        - --ipv6
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -404,7 +408,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.2.4
+        image: ghcr.io/alpeb/proxy-init:ipv6
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:

cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml

@@ -171,6 +171,8 @@ spec:
           name: server
       initContainers:
       - args:
+        - --iptables-mode=legacy
+        - --ipv6
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -181,7 +183,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.2.4
+        image: ghcr.io/alpeb/proxy-init:ipv6
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources: