Followup to linkerd/linkerd2-proxy-init#350

In support of the new proxy-init flags `--iptables-mode` and `--ipv6`:

- For the linkerd-control-plane chart added the values.yaml entry `enableIPv6` (defaults to true). The `proxyInit.iptablesMode` was already there, but we interpret it now slightly differently in `_proxy-init.tpl`.
- For the linkerd2-cni chart added the entries `iptablesMode` (defaults to "legacy") and `enableIPv6` (defaults to true).

Note this allows routing IPv6 traffic to the proxy, but it's just the first step towards IPv6/dual-stack support. More control plane and proxy changes will come up next.

charts/linkerd-control-plane/README.md

@@ -161,6 +161,7 @@ Kubernetes: `>=1.22.0-0`
 | disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob |
 | enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on |
 | enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading |
+| enableIPv6 | bool | `true` | enables routing IPv6 traffic in addition to IPv4 traffic through the proxy |
 | enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
 | enablePodAntiAffinity | bool | `false` | enables pod anti affinity creation on deployments for high availability |
 | enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for control plane components |

charts/linkerd-control-plane/values.yaml

@@ -32,6 +32,8 @@ deploymentStrategy:
 # enableEndpointSlices should be set to true only if EndpointSlice K8s feature
 # gate is on
 enableEndpointSlices: true
+# -- enables routing IPv6 traffic in addition to IPv4 traffic through the proxy
+enableIPv6: true
 # -- enables pod anti affinity creation on deployments for high availability
 enablePodAntiAffinity: false
 # -- enables the use of pprof endpoints on control plane component's admin

charts/linkerd2-cni/README.md

@@ -25,6 +25,7 @@ Kubernetes: `>=1.22.0-0`
 | commonLabels | object | `{}` | Labels to apply to all resources |
 | destCNIBinDir | string | `"/opt/cni/bin"` | Directory on the host where the CNI configuration will be placed |
 | destCNINetDir | string | `"/etc/cni/net.d"` | Directory on the host where the CNI plugin binaries reside |
+| enableIPv6 | bool | `true` | Enables adding IPv6 rules on top of IPv4 rules |
 | enablePSP | bool | `false` | Add a PSP resource and bind it to the linkerd-cni ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
 | extraInitContainers | list | `[]` | Add additional initContainers to the daemonset |
 | ignoreInboundPorts | string | `""` | Default set of inbound ports to skip via iptables |
@@ -34,6 +35,7 @@ Kubernetes: `>=1.22.0-0`
 | image.version | string | `"v1.3.0"` | Tag for the CNI container Docker image |
 | imagePullSecrets | list | `[]` |  |
 | inboundProxyPort | int | `4143` | Inbound port for the proxy container |
+| iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing |
 | logLevel | string | `"info"` | Log level for the CNI plugin |
 | outboundProxyPort | int | `4140` | Outbound port for the proxy container |
 | podLabels | object | `{}` | Additional labels to add to all pods |

charts/linkerd2-cni/templates/cni-plugin.yaml

@@ -176,7 +176,9 @@ data:
         ],
         {{- end }}
         "simulate": false,
-        "use-wait-flag": {{.Values.useWaitFlag}}
+        "use-wait-flag": {{.Values.useWaitFlag}},
+        "iptables-mode": {{.Values.iptablesMode | quote}},
+        "ipv6": {{.Values.enableIPv6}}
       }
     }
 ---

charts/linkerd2-cni/values.yaml

@@ -26,6 +26,10 @@ destCNINetDir:    "/etc/cni/net.d"
 destCNIBinDir:    "/opt/cni/bin"
 # -- Configures the CNI plugin to use the -w flag for the iptables command
 useWaitFlag:      false
+# -- Variant of iptables that will be used to configure routing
+iptablesMode: "legacy"
+# -- Enables adding IPv6 rules on top of IPv4 rules
+enableIPv6: true
 # -- Kubernetes priorityClassName for the CNI plugin's Pods
 priorityClassName: ""
 

charts/partials/templates/_proxy-init.tpl

@@ -1,12 +1,12 @@
 {{- define "partials.proxy-init" -}}
-args:
-{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }}
-- --firewall-bin-path
-- "iptables-nft"
-- --firewall-save-bin-path
-- "iptables-nft-save"
-{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }}
+{{ if not (has .Values.proxyInit.iptablesMode (list "nft" "legacy")) -}}
 {{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }}
+{{end -}}
+args:
+- --iptables-mode
+- {{.Values.proxyInit.iptablesMode}}
+{{- if .Values.enableIPv6 }}
+- --ipv6
 {{- end }}
 - --incoming-proxy-port
 - {{.Values.proxy.ports.inbound | quote}}

cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml

@@ -171,6 +171,9 @@ spec:
           name: http
       initContainers:
       - args:
+        - --iptables-mode
+        - legacy
+        - --ipv6
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml

@@ -171,6 +171,9 @@ spec:
           name: server
       initContainers:
       - args:
+        - --iptables-mode
+        - legacy
+        - --ipv6
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -394,6 +397,9 @@ spec:
           name: http
       initContainers:
       - args:
+        - --iptables-mode
+        - legacy
+        - --ipv6
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml

@@ -171,6 +171,9 @@ spec:
           name: server
       initContainers:
       - args:
+        - --iptables-mode
+        - legacy
+        - --ipv6
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port