fix ipv6 backend for vpcs

Author: komer3

Makefile

@@ -168,15 +168,15 @@ mgmt-and-capl-cluster: docker-setup mgmt-cluster capl-cluster
 capl-cluster: generate-capl-cluster-manifests create-capl-cluster patch-linode-ccm
 
 .PHONY: generate-capl-cluster-manifests
-generate-capl-cluster-manifests:
+generate-capl-cluster-manifests: clusterctl
 	# Create the CAPL cluster manifests without any CSI driver stuff
 	LINODE_FIREWALL_ENABLED=$(LINODE_FIREWALL_ENABLED) LINODE_OS=$(LINODE_OS) VPC_NAME=$(VPC_NAME) $(CLUSTERCTL) generate cluster $(CLUSTER_NAME) \
 		--kubernetes-version $(K8S_VERSION) --infrastructure linode-linode:$(CAPL_VERSION) \
 		--control-plane-machine-count $(CONTROLPLANE_NODES) --worker-machine-count $(WORKER_NODES) --flavor kubeadm-dual-stack > $(MANIFEST_NAME).yaml
 	yq -i e 'select(.kind == "LinodeVPC").spec.ipv6Range = [{"range": "auto"}] | select(.kind == "LinodeVPC").spec.subnets = [{"ipv4": "10.0.0.0/8", "label": "default", "ipv6Range": [{"range": "auto"}]}, {"ipv4": "172.16.0.0/16", "label": "testing", "ipv6Range": [{"range": "auto"}]}]' $(MANIFEST_NAME).yaml
 
 .PHONY: create-capl-cluster
-create-capl-cluster:
+create-capl-cluster: clusterctl
 	# Create a CAPL cluster with updated CCM and wait for it to be ready
 	kubectl apply -f $(MANIFEST_NAME).yaml
 	kubectl wait --for=condition=ControlPlaneReady cluster/$(CLUSTER_NAME) --timeout=600s || (kubectl get cluster -o yaml; kubectl get linodecluster -o yaml; kubectl get linodemachines -o yaml; kubectl logs -n capl-system deployments/capl-controller-manager --tail=50)

cloud/linode/loadbalancers.go

@@ -505,10 +505,7 @@ func (l *loadbalancers) updateNodeBalancer(
 			subnetID = id
 		}
 
-		useIPv6Backends, ignoreVPCBackends := resolveIPv6NodeBalancerBackendState(service, currentNBNodes)
-		if ignoreVPCBackends {
-			subnetID = 0
-		}
+		useIPv6Backends := resolveIPv6NodeBalancerBackendState(service)
 		newNBNodes, err := l.buildNodeBalancerConfigNodes(service, nodes, port.NodePort, subnetID, useIPv6Backends, newNBCfg.Protocol, oldNBNodeIDs)
 		if err != nil {
 			return err
@@ -952,8 +949,7 @@ func (l *loadbalancers) createNodeBalancer(ctx context.Context, clusterName stri
 		Type:               nbType,
 	}
 
-	_, ignoreVPCBackends := resolveIPv6NodeBalancerBackendState(service, nil)
-	if len(options.Options.VPCNames) > 0 && !options.Options.DisableNodeBalancerVPCBackends && !ignoreVPCBackends {
+	if len(options.Options.VPCNames) > 0 && !options.Options.DisableNodeBalancerVPCBackends {
 		createOpts.VPCs, err = l.getVPCCreateOptions(ctx, service)
 		if err != nil {
 			return nil, err
@@ -1152,7 +1148,7 @@ func (l *loadbalancers) buildLoadBalancerRequest(ctx context.Context, clusterNam
 	}
 	ports := service.Spec.Ports
 	configs := make([]*linodego.NodeBalancerConfigCreateOptions, 0, len(ports))
-	useIPv6Backends, ignoreVPCBackends := resolveIPv6NodeBalancerBackendState(service, nil)
+	useIPv6Backends := resolveIPv6NodeBalancerBackendState(service)
 
 	subnetID := 0
 	if options.Options.NodeBalancerBackendIPv4SubnetID != 0 {
@@ -1165,7 +1161,7 @@ func (l *loadbalancers) buildLoadBalancerRequest(ctx context.Context, clusterNam
 			return nil, err
 		}
 	}
-	if len(options.Options.VPCNames) > 0 && !options.Options.DisableNodeBalancerVPCBackends && !ignoreVPCBackends {
+	if len(options.Options.VPCNames) > 0 && !options.Options.DisableNodeBalancerVPCBackends {
 		id, err := l.getSubnetIDForSVC(ctx, service)
 		if err != nil {
 			return nil, err
@@ -1230,20 +1226,13 @@ func (l *loadbalancers) buildNodeBalancerNodeConfigRebuildOptions(service *v1.Se
 	return nodeOptions, nil
 }
 
-func resolveIPv6NodeBalancerBackendState(service *v1.Service, currentNBNodes []linodego.NodeBalancerNode) (useIPv6Backends bool, ignoreVPCBackends bool) {
+func resolveIPv6NodeBalancerBackendState(service *v1.Service) bool {
 	useIPv6 := getServiceBoolAnnotation(service, annotations.AnnLinodeEnableIPv6Backends)
 	if useIPv6 != nil {
-		return *useIPv6, *useIPv6
-	}
-
-	if len(currentNBNodes) > 0 {
-		if isNodeBalancerBackendIPv6(currentNBNodes[0].Address) {
-			return true, true
-		}
-		return false, false
+		return *useIPv6
 	}
 
-	return options.Options.EnableIPv6ForNodeBalancerBackends, false
+	return options.Options.EnableIPv6ForNodeBalancerBackends
 }
 
 func formatNodeBalancerBackendAddress(ip string, nodePort int32) string {
@@ -1438,7 +1427,7 @@ func getNodePrivateIP(node *v1.Node, subnetID int) (string, error) {
 }
 
 func getNodeBackendIP(service *v1.Service, node *v1.Node, subnetID int, useIPv6Backends bool) (string, error) {
-	if subnetID != 0 || !useIPv6Backends {
+	if !useIPv6Backends {
 		return getNodePrivateIP(node, subnetID)
 	}
 

cloud/linode/loadbalancers_test.go

@@ -4125,7 +4125,7 @@ func Test_getNodeBackendIP(t *testing.T) {
 			expectedIP:      "2600:3c06::1",
 		},
 		{
-			name: "preserves VPC backend behavior even when IPv6 is requested",
+			name: "uses IPv6 backend address even when VPC backends are enabled",
 			node: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "node-1",
@@ -4142,7 +4142,7 @@ func Test_getNodeBackendIP(t *testing.T) {
 			},
 			subnetID:        100,
 			useIPv6Backends: true,
-			expectedIP:      "10.0.0.2",
+			expectedIP:      "2600:3c06::1",
 		},
 		{
 			name: "errors when IPv6 backends are requested and node lacks public IPv6",
@@ -4187,15 +4187,13 @@ func Test_resolveIPv6NodeBalancerBackendState(t *testing.T) {
 	}()
 
 	testcases := []struct {
-		name              string
-		globalFlag        bool
-		service           *v1.Service
-		currentNBNodes    []linodego.NodeBalancerNode
-		expectedUseIPv6   bool
-		expectedIgnoreVPC bool
+		name            string
+		globalFlag      bool
+		service         *v1.Service
+		expectedUseIPv6 bool
 	}{
 		{
-			name:       "service annotation enables IPv6 and overrides VPC behavior",
+			name:       "service annotation enables IPv6",
 			globalFlag: false,
 			service: &v1.Service{
 				ObjectMeta: metav1.ObjectMeta{
@@ -4204,47 +4202,163 @@ func Test_resolveIPv6NodeBalancerBackendState(t *testing.T) {
 					},
 				},
 			},
-			expectedUseIPv6:   true,
-			expectedIgnoreVPC: true,
+			expectedUseIPv6: true,
 		},
 		{
-			name:              "new services respect global IPv6 backend flag without ignoring VPC",
-			globalFlag:        true,
-			service:           &v1.Service{ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{}}},
-			expectedUseIPv6:   true,
-			expectedIgnoreVPC: false,
+			name:            "service annotation disables IPv6 even when global flag is enabled",
+			globalFlag:      true,
+			service:         &v1.Service{ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{annotations.AnnLinodeEnableIPv6Backends: "false"}}},
+			expectedUseIPv6: false,
 		},
 		{
-			name:       "existing IPv4 nodebalancer backends stay IPv4 by default",
-			globalFlag: true,
-			service:    &v1.Service{ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{}}},
-			currentNBNodes: []linodego.NodeBalancerNode{
-				{Address: "10.0.0.10:30000"},
-			},
-			expectedUseIPv6:   false,
-			expectedIgnoreVPC: false,
+			name:            "services use global IPv6 backend flag when annotation is absent",
+			globalFlag:      true,
+			service:         &v1.Service{ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{}}},
+			expectedUseIPv6: true,
 		},
 		{
-			name:       "existing IPv6 nodebalancer backends stay IPv6 and ignore VPC",
-			globalFlag: false,
-			service:    &v1.Service{ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{}}},
-			currentNBNodes: []linodego.NodeBalancerNode{
-				{Address: "[2600:3c06::1]:30000"},
-			},
-			expectedUseIPv6:   true,
-			expectedIgnoreVPC: true,
+			name:            "services do not use IPv6 when annotation is absent and global flag is disabled",
+			globalFlag:      false,
+			service:         &v1.Service{ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{}}},
+			expectedUseIPv6: false,
 		},
 	}
 
 	for _, test := range testcases {
 		t.Run(test.name, func(t *testing.T) {
 			options.Options.EnableIPv6ForNodeBalancerBackends = test.globalFlag
-			useIPv6Backends, ignoreVPCBackends := resolveIPv6NodeBalancerBackendState(test.service, test.currentNBNodes)
+			useIPv6Backends := resolveIPv6NodeBalancerBackendState(test.service)
 			if useIPv6Backends != test.expectedUseIPv6 {
 				t.Fatalf("expected useIPv6Backends=%t, got %t", test.expectedUseIPv6, useIPv6Backends)
 			}
-			if ignoreVPCBackends != test.expectedIgnoreVPC {
-				t.Fatalf("expected ignoreVPCBackends=%t, got %t", test.expectedIgnoreVPC, ignoreVPCBackends)
+		})
+	}
+}
+
+func Test_buildLoadBalancerRequestPreservesVPCConfigForIPv6Backends(t *testing.T) {
+	prevVPCNames := options.Options.VPCNames
+	prevSubnetNames := options.Options.SubnetNames
+	prevDisableVPC := options.Options.DisableNodeBalancerVPCBackends
+	prevEnableIPv6Backends := options.Options.EnableIPv6ForNodeBalancerBackends
+	defer func() {
+		options.Options.VPCNames = prevVPCNames
+		options.Options.SubnetNames = prevSubnetNames
+		options.Options.DisableNodeBalancerVPCBackends = prevDisableVPC
+		options.Options.EnableIPv6ForNodeBalancerBackends = prevEnableIPv6Backends
+	}()
+
+	options.Options.VPCNames = []string{"test-vpc"}
+	options.Options.SubnetNames = []string{"default"}
+	options.Options.DisableNodeBalancerVPCBackends = false
+
+	testcases := []struct {
+		name        string
+		globalFlag  bool
+		annotations map[string]string
+	}{
+		{
+			name:       "service annotation preserves VPC config for IPv6 backends",
+			globalFlag: false,
+			annotations: map[string]string{
+				annotations.AnnLinodeDefaultProtocol:    "tcp",
+				annotations.AnnLinodeEnableIPv6Backends: "true",
+			},
+		},
+		{
+			name:       "global flag preserves VPC config for IPv6 backends",
+			globalFlag: true,
+			annotations: map[string]string{
+				annotations.AnnLinodeDefaultProtocol: "tcp",
+			},
+		},
+	}
+
+	for _, test := range testcases {
+		t.Run(test.name, func(t *testing.T) {
+			options.Options.EnableIPv6ForNodeBalancerBackends = test.globalFlag
+
+			fake := newFake(t)
+			ts := httptest.NewServer(fake)
+			defer ts.Close()
+
+			client := linodego.NewClient(http.DefaultClient)
+			client.SetBaseURL(ts.URL)
+			lb := newLoadbalancers(&client, "us-west").(*loadbalancers)
+
+			fake.vpc[1] = &linodego.VPC{
+				ID:    1,
+				Label: "test-vpc",
+				Subnets: []linodego.VPCSubnet{
+					{
+						ID:    101,
+						Label: "default",
+						IPv4:  "10.0.0.0/8",
+					},
+				},
+			}
+			fake.subnet[101] = &linodego.VPCSubnet{
+				ID:    101,
+				Label: "default",
+				IPv4:  "10.0.0.0/8",
+			}
+
+			svc := &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "test",
+					UID:         "foobar123",
+					Annotations: test.annotations,
+				},
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Name:     "test",
+							Protocol: "TCP",
+							Port:     int32(80),
+							NodePort: int32(30000),
+						},
+					},
+				},
+			}
+			nodes := []*v1.Node{
+				{
+					ObjectMeta: metav1.ObjectMeta{Name: "node-1"},
+					Status: v1.NodeStatus{
+						Addresses: []v1.NodeAddress{
+							{Type: v1.NodeInternalIP, Address: "10.0.0.2"},
+							{Type: v1.NodeExternalIP, Address: "2600:3c06:e727:1::1"},
+						},
+					},
+				},
+			}
+
+			_, err := lb.buildLoadBalancerRequest(t.Context(), "linodelb", svc, nodes)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			var req *fakeRequest
+			for request := range fake.requests {
+				if request.Method == http.MethodPost && request.Path == "/nodebalancers" {
+					req = &request
+					break
+				}
+			}
+			if req == nil {
+				t.Fatal("expected nodebalancer create request")
+			}
+
+			var createOpts linodego.NodeBalancerCreateOptions
+			if err := json.Unmarshal([]byte(req.Body), &createOpts); err != nil {
+				t.Fatalf("unable to unmarshal create request body %#v, error: %#v", req.Body, err)
+			}
+			if len(createOpts.VPCs) != 1 || createOpts.VPCs[0].SubnetID == 0 {
+				t.Fatalf("expected nodebalancer create request to preserve VPC config, got %#v", createOpts.VPCs)
+			}
+			if len(createOpts.Configs) != 1 || len(createOpts.Configs[0].Nodes) != 1 {
+				t.Fatalf("expected a single nodebalancer config with one backend node, got %#v", createOpts.Configs)
+			}
+			if !isNodeBalancerBackendIPv6(createOpts.Configs[0].Nodes[0].Address) {
+				t.Fatalf("expected IPv6 backend node address, got %q", createOpts.Configs[0].Nodes[0].Address)
 			}
 		})
 	}

docs/configuration/annotations.md

@@ -40,7 +40,7 @@ The keys and the values in [annotations must be strings](https://kubernetes.io/d
 | `firewall-acl` | string | | The Firewall rules to be applied to the NodeBalancer. See [Firewall Configuration](#firewall-configuration) |
 | `nodebalancer-type` | string | | The type of NodeBalancer to create (options: common, premium, premium_40gb). See [NodeBalancer Types](#nodebalancer-type). Note: NodeBalancer types should always be specified in lowercase. |
 | `enable-ipv6-ingress` | bool | `false` | When `true`, both IPv4 and IPv6 addresses will be included in the LoadBalancerStatus ingress |
-| `enable-ipv6-backends` | bool | `false` | When `true`, non-VPC NodeBalancer services use public IPv6 backend nodes. This requires a dual-stack cluster and a dual-stack Service configuration. Reconciliation fails if a selected backend node does not have public IPv6. |
+| `enable-ipv6-backends` | bool | `false` | When `true`, NodeBalancer services use IPv6 backend nodes. If VPC-backed NodeBalancers are enabled, CCM preserves the NodeBalancer VPC configuration. This requires a dual-stack cluster and a dual-stack Service configuration. Reconciliation fails if a selected backend node does not have the required IPv6 address. |
 | `backend-ipv4-range` | string | | The IPv4 range from VPC subnet to be applied to the NodeBalancer backend. See [Nodebalancer VPC Configuration](#nodebalancer-vpc-configuration) |
 | `backend-vpc-name` | string | | VPC which is connected to the NodeBalancer backend. See [Nodebalancer VPC Configuration](#nodebalancer-vpc-configuration) |
 | `backend-subnet-name` | string | | Subnet within VPC which is connected to the NodeBalancer backend. See [Nodebalancer VPC Configuration](#nodebalancer-vpc-configuration) |

docs/configuration/environment.md

@@ -53,7 +53,7 @@ The CCM supports the following flags:
 | `--nodebalancer-backend-ipv4-subnet-name` | String | `""` | ipv4 subnet name to use for NodeBalancer backends |
 | `--disable-nodebalancer-vpc-backends` | Boolean | `false` | don't use VPC specific ip-addresses for nodebalancer backend ips when running in VPC (set to `true` for backward compatibility if needed) |
 | `--enable-ipv6-for-loadbalancers` | Boolean | `false` | Set both IPv4 and IPv6 addresses for all LoadBalancer services (when disabled, only IPv4 is used). This can also be configured per-service using the `service.beta.kubernetes.io/linode-loadbalancer-enable-ipv6-ingress` annotation. |
-| `--enable-ipv6-for-nodebalancer-backends` | Boolean | `false` | Use public IPv6 addresses for non-VPC NodeBalancer service backends. This requires a dual-stack cluster and dual-stack Service configuration. If enabled, every selected backend node must have public IPv6 or reconciliation will fail. This can also be configured per-service using the `service.beta.kubernetes.io/linode-loadbalancer-enable-ipv6-backends` annotation. |
+| `--enable-ipv6-for-nodebalancer-backends` | Boolean | `false` | Use IPv6 addresses for NodeBalancer service backends. If VPC-backed NodeBalancers are enabled, CCM preserves the NodeBalancer VPC configuration. Enabling this flag can migrate existing eligible NodeBalancer services from IPv4 to IPv6 backends during reconcile. This requires a dual-stack cluster and dual-stack Service configuration. If enabled, every selected backend node must have the required IPv6 address or reconciliation will fail. This can also be configured per-service using the `service.beta.kubernetes.io/linode-loadbalancer-enable-ipv6-backends` annotation. |
 | `--node-cidr-mask-size-ipv4` | Int | `24` | ipv4 cidr mask size for pod cidrs allocated to nodes |
 | `--node-cidr-mask-size-ipv6` | Int | `64` | ipv6 cidr mask size for pod cidrs allocated to nodes |
 | `--nodebalancer-prefix` | String | `ccm` | Name prefix for NoadBalancers. |

docs/configuration/loadbalancer.md

@@ -50,7 +50,7 @@ IPv6 frontends and IPv6 backends are configured independently. Frontend IPv6 con
 
 IPv6 backends require a dual-stack workload cluster. In practice, the cluster networking stack must support IPv6 NodePort traffic, and the Service itself should be created as dual-stack. A single-stack IPv4 `LoadBalancer` Service can still be annotated for IPv6 backends, but the NodeBalancer health checks and traffic path may fail because the backend NodePort is not exposed over IPv6.
 
-For newly created non-VPC NodeBalancer services, you can enable public IPv6 backends globally:
+You can enable IPv6 backends globally for NodeBalancer services:
 
 ```yaml
 spec:
@@ -71,13 +71,12 @@ metadata:
 ```
 
 When IPv6 backends are enabled:
-- only non-VPC NodeBalancer services are affected
-- existing services are not migrated automatically
-- every selected backend node must have public IPv6
+- both VPC-backed and non-VPC-backed NodeBalancer services are affected
+- when VPC-backed NodeBalancers are enabled, CCM preserves the NodeBalancer VPC configuration instead of dropping it
+- enabling the global `--enable-ipv6-for-nodebalancer-backends` flag can migrate existing eligible NodeBalancer services from IPv4 to IPv6 backends during reconcile
+- every selected backend node must have an IPv6 address in the currently selected backend path
 - the workload cluster and Service must be configured for dual-stack networking
-- reconciliation fails and CCM logs an error if a selected backend node does not have public IPv6
-
-VPC backend behavior is unchanged and continues to use the existing IPv4/VPC backend flow.
+- reconciliation fails and CCM logs an error if a selected backend node does not have the required IPv6 address
 
 Recommended Service configuration for IPv6 backends: