api: add spec field to configure target group ipType

The field targetGroupIPType is added to the loadbalancer spec to allow
configuring ip address type of target group for API load balancers.

This field is not applicable to Classic Load Balancers (CLB).

This commit also defines a new network status field to determine the ip
type of API load balancers.

Author: tthvo

api/v1beta1/awscluster_conversion.go

@@ -156,6 +156,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 func restoreControlPlaneLoadBalancerStatus(restored, dst *infrav1.LoadBalancer) {
 	dst.ARN = restored.ARN
 	dst.LoadBalancerType = restored.LoadBalancerType
+	dst.LoadBalancerIPAddressType = restored.LoadBalancerIPAddressType
 	dst.ELBAttributes = restored.ELBAttributes
 	dst.ELBListeners = restored.ELBListeners
 	dst.Name = restored.Name
@@ -193,6 +194,7 @@ func restoreControlPlaneLoadBalancer(restored, dst *infrav1.AWSLoadBalancerSpec)
 	dst.Scheme = restored.Scheme
 	dst.CrossZoneLoadBalancing = restored.CrossZoneLoadBalancing
 	dst.Subnets = restored.Subnets
+	dst.TargetGroupIPType = restored.TargetGroupIPType
 }
 
 // ConvertFrom converts the v1beta1 AWSCluster receiver to a v1beta1 AWSCluster.

api/v1beta1/zz_generated.conversion.go

@@ -253,6 +253,15 @@ type AWSLoadBalancerSpec struct {
 	// PreserveClientIP lets the user control if preservation of client ips must be retained or not.
 	// If this is enabled 6443 will be opened to 0.0.0.0/0.
 	PreserveClientIP bool `json:"preserveClientIP,omitempty"`
+
+	// TargetGroupIPType sets the IP address type for the target group.
+	// Valid values are ipv4 and ipv6. If not specified, defaults to ipv4 unless
+	// the VPC has IPv6 enabled, in which case it defaults to ipv6.
+	// This applies to the API server target group.
+	// This field cannot be set if LoadBalancerType is classic or disabled.
+	// +kubebuilder:validation:Enum=ipv4;ipv6
+	// +optional
+	TargetGroupIPType *TargetGroupIPType `json:"targetGroupIPType,omitempty"`
 }
 
 // AdditionalListenerSpec defines the desired state of an
@@ -272,6 +281,14 @@ type AdditionalListenerSpec struct {
 	// HealthCheck sets the optional custom health check configuration to the API target group.
 	// +optional
 	HealthCheck *TargetGroupHealthCheckAdditionalSpec `json:"healthCheck,omitempty"`
+
+	// TargetGroupIPType sets the IP address type for the target group.
+	// Valid values are ipv4 and ipv6. If not specified, defaults to ipv4 unless
+	// the VPC has IPv6 enabled, in which case it defaults to ipv6.
+	// This field cannot be set if LoadBalancerType is classic or disabled.
+	// +kubebuilder:validation:Enum=ipv4;ipv6
+	// +optional
+	TargetGroupIPType *TargetGroupIPType `json:"targetGroupIPType,omitempty"`
 }
 
 // AWSClusterStatus defines the observed state of AWSCluster.

api/v1beta2/awscluster_types.go

@@ -238,6 +238,14 @@ func (r *AWSCluster) validateControlPlaneLoadBalancerUpdate(oldlb, newlb *AWSLoa
 				)
 			}
 		}
+
+		// TargetGroupIPType is immutable after creation.
+		if !cmp.Equal(oldlb.TargetGroupIPType, newlb.TargetGroupIPType) {
+			allErrs = append(allErrs,
+				field.Forbidden(field.NewPath("spec", "controlPlaneLoadBalancer", "targetGroupIPType"),
+					"field is immutable and cannot be changed after target group creation"),
+			)
+		}
 	}
 
 	return allErrs
@@ -467,6 +475,33 @@ func (r *AWSCluster) validateControlPlaneLBs() (admission.Warnings, field.ErrorL
 		if r.Spec.ControlPlaneLoadBalancer.DisableHostsRewrite {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "disableHostsRewrite"), r.Spec.ControlPlaneLoadBalancer.DisableHostsRewrite, "cannot disable hosts rewrite if the LoadBalancer reconciliation is disabled"))
 		}
+
+		if r.Spec.ControlPlaneLoadBalancer.TargetGroupIPType != nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "targetGroupIPType"), r.Spec.ControlPlaneLoadBalancer.TargetGroupIPType, "cannot set target group IP type if the LoadBalancer reconciliation is disabled"))
+		}
+	}
+
+	if r.Spec.ControlPlaneLoadBalancer != nil {
+		basePath := field.NewPath("spec", "controlPlaneLoadBalancer")
+		if r.Spec.ControlPlaneLoadBalancer.TargetGroupIPType != nil {
+			allErrs = append(allErrs, r.validateTargetGroupIPType(basePath.Child("targetGroupIPType"), r.Spec.ControlPlaneLoadBalancer.TargetGroupIPType, r.Spec.ControlPlaneLoadBalancer)...)
+		}
+		for i, listener := range r.Spec.ControlPlaneLoadBalancer.AdditionalListeners {
+			if listener.TargetGroupIPType != nil {
+				allErrs = append(allErrs, r.validateTargetGroupIPType(basePath.Child("additionalListeners").Index(i).Child("targetGroupIPType"), listener.TargetGroupIPType, r.Spec.ControlPlaneLoadBalancer)...)
+			}
+		}
+	}
+	if r.Spec.SecondaryControlPlaneLoadBalancer != nil {
+		basePath := field.NewPath("spec", "secondaryControlPlaneLoadBalancer")
+		if r.Spec.SecondaryControlPlaneLoadBalancer.TargetGroupIPType != nil {
+			allErrs = append(allErrs, r.validateTargetGroupIPType(basePath.Child("targetGroupIPType"), r.Spec.SecondaryControlPlaneLoadBalancer.TargetGroupIPType, r.Spec.SecondaryControlPlaneLoadBalancer)...)
+		}
+		for i, listener := range r.Spec.SecondaryControlPlaneLoadBalancer.AdditionalListeners {
+			if listener.TargetGroupIPType != nil {
+				allErrs = append(allErrs, r.validateTargetGroupIPType(basePath.Child("additionalListeners").Index(i).Child("targetGroupIPType"), listener.TargetGroupIPType, r.Spec.SecondaryControlPlaneLoadBalancer)...)
+			}
+		}
 	}
 
 	return allWarnings, allErrs
@@ -488,3 +523,20 @@ func (r *AWSCluster) validateIngressRules(path *field.Path, rules []IngressRule)
 	}
 	return allErrs
 }
+
+// validateTargetGroupIPType validates that the target group IP type is compatible
+// with the load balancer type and VPC configuration.
+func (r *AWSCluster) validateTargetGroupIPType(path *field.Path, targetGroupIPType *TargetGroupIPType, lbSpec *AWSLoadBalancerSpec) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if targetGroupIPType != nil {
+		if lbSpec.LoadBalancerType == LoadBalancerTypeClassic {
+			allErrs = append(allErrs, field.Invalid(path, targetGroupIPType, "targetGroupIPType cannot be used with classic load balancer types"))
+		}
+		if TargetGroupIPTypeIPv6.Equals(targetGroupIPType) && !r.Spec.NetworkSpec.VPC.IsIPv6Enabled() {
+			allErrs = append(allErrs, field.Invalid(path, targetGroupIPType, "targetGroupIPType IPv6 requires IPv6 to be enabled on the VPC. Set spec.network.vpc.ipv6 to enable IPv6"))
+		}
+	}
+
+	return allErrs
+}

api/v1beta2/awscluster_webhook.go

@@ -890,6 +890,111 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "rejects targetGroupIPType when LoadBalancer is disabled",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						TargetGroupIPType: &TargetGroupIPTypeIPv4,
+						LoadBalancerType:  LoadBalancerTypeDisabled,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects targetGroupIPType with Classic Load Balancer",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType:  LoadBalancerTypeClassic,
+						TargetGroupIPType: &TargetGroupIPTypeIPv4,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "accepts targetGroupIPType IPv4 with Network Load Balancer",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType:  LoadBalancerTypeNLB,
+						TargetGroupIPType: &TargetGroupIPTypeIPv4,
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "rejects targetGroupIPType IPv6 with VPC IPv6 disabled",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType:  LoadBalancerTypeNLB,
+						TargetGroupIPType: &TargetGroupIPTypeIPv6,
+					},
+					NetworkSpec: NetworkSpec{},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "accepts targetGroupIPType IPv6 with NLB and VPC IPv6 enabled",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType:  LoadBalancerTypeNLB,
+						TargetGroupIPType: &TargetGroupIPTypeIPv6,
+					},
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							IPv6: &IPv6{
+								CidrBlock: "2001:db8::/56",
+							},
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "rejects additionalListener targetGroupIPType with Classic Load Balancer",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType: LoadBalancerTypeClassic,
+						AdditionalListeners: []AdditionalListenerSpec{
+							{
+								Port:              22623,
+								Protocol:          ELBProtocolTCP,
+								TargetGroupIPType: &TargetGroupIPTypeIPv4,
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects additionalListener targetGroupIPType IPv6 with VPC IPv6 disabled",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType: LoadBalancerTypeNLB,
+						AdditionalListeners: []AdditionalListenerSpec{
+							{
+								Port:              8443,
+								Protocol:          ELBProtocolTCP,
+								TargetGroupIPType: &TargetGroupIPTypeIPv6,
+							},
+						},
+					},
+					NetworkSpec: NetworkSpec{},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1348,6 +1453,53 @@ func TestAWSClusterValidateUpdate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "should failed if controlPlaneLoadBalancer targetGroupIPType is changed",
+			oldCluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType:  LoadBalancerTypeNLB,
+						TargetGroupIPType: &TargetGroupIPTypeIPv4,
+					},
+				},
+			},
+			newCluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType:  LoadBalancerTypeNLB,
+						TargetGroupIPType: &TargetGroupIPTypeIPv6,
+					},
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							IPv6: &IPv6{
+								CidrBlock: "2001:db8::/56",
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "should pass controlPlaneLoadBalancer targetGroupIPType is the same on update",
+			oldCluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType:  LoadBalancerTypeNLB,
+						TargetGroupIPType: &TargetGroupIPTypeIPv4,
+					},
+				},
+			},
+			newCluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						LoadBalancerType:  LoadBalancerTypeNLB,
+						TargetGroupIPType: &TargetGroupIPTypeIPv4,
+					},
+				},
+			},
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

api/v1beta2/awscluster_webhook_test.go

@@ -218,6 +218,53 @@ var (
 	TargetGroupAttributeUnhealthyDrainingIntervalSeconds = "target_health_state.unhealthy.draining_interval_seconds"
 )
 
+// TargetGroupIPType defines the IP address type for target groups.
+type TargetGroupIPType string
+
+var (
+	// TargetGroupIPTypeIPv4 defines the IPv4 address type for target groups.
+	TargetGroupIPTypeIPv4 = TargetGroupIPType("ipv4")
+
+	// TargetGroupIPTypeIPv6 defines the IPv6 address type for target groups.
+	TargetGroupIPTypeIPv6 = TargetGroupIPType("ipv6")
+)
+
+func (t TargetGroupIPType) String() string {
+	return string(t)
+}
+
+// Equals returns true if two TargetGroupIPType are equal.
+func (t TargetGroupIPType) Equals(other *TargetGroupIPType) bool {
+	if other == nil {
+		return false
+	}
+
+	return t == *other
+}
+
+// LoadBalancerIPAddressType defines the IP address type for load balancers.
+type LoadBalancerIPAddressType string
+
+// Enum values for LoadBalancerIPAddressType
+const (
+	LoadBalancerIPAddressTypeIPv4                       = LoadBalancerIPAddressType("ipv4")
+	LoadBalancerIPAddressTypeDualstack                  = LoadBalancerIPAddressType("dualstack")
+	LoadBalancerIPAddressTypeDualstackWithoutPublicIPv4 = LoadBalancerIPAddressType("dualstack-without-public-ipv4")
+)
+
+func (t LoadBalancerIPAddressType) String() string {
+	return string(t)
+}
+
+// Equals returns true if two LoadBalancerIPAddressType are equal.
+func (t LoadBalancerIPAddressType) Equals(other *LoadBalancerIPAddressType) bool {
+	if other == nil {
+		return false
+	}
+
+	return t == *other
+}
+
 // LoadBalancerAttribute defines a set of attributes for a V2 load balancer.
 type LoadBalancerAttribute string
 
@@ -243,6 +290,8 @@ type TargetGroupSpec struct {
 	VpcID    string      `json:"vpcId"`
 	// HealthCheck is the elb health check associated with the load balancer.
 	HealthCheck *TargetGroupHealthCheck `json:"targetGroupHealthCheck,omitempty"`
+	// IPType is the IP address type for the target group.
+	IPType TargetGroupIPType `json:"ipType,omitempty"`
 }
 
 // Listener defines an AWS network load balancer listener.
@@ -298,6 +347,10 @@ type LoadBalancer struct {
 	// LoadBalancerType sets the type for a load balancer. The default type is classic.
 	// +kubebuilder:validation:Enum:=classic;elb;alb;nlb
 	LoadBalancerType LoadBalancerType `json:"loadBalancerType,omitempty"`
+
+	// LoadBalancerIPAddressType specifies the IP address type for the load balancer.
+	// +kubebuilder:validation:Enum:=ipv4;dualstack;dualstack-without-public-ipv4
+	LoadBalancerIPAddressType LoadBalancerIPAddressType `json:"loadBalancerIPAddressType,omitempty"`
 }
 
 // IsUnmanaged returns true if the Classic ELB is unmanaged.