cybozu-go
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 20 additions & 6 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 20 additions & 6 deletions
diff --git a/‎v2/config/default/egress/v4/kustomization.yaml‎
Lines changed: 0 additions & 1 deletion b/‎v2/config/default/egress/v4/kustomization.yaml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎v2/config/default/egress/v6/kustomization.yaml‎
Lines changed: 0 additions & 1 deletion b/‎v2/config/default/egress/v6/kustomization.yaml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎v2/controllers/egress_controller.go‎
Lines changed: 2 additions & 0 deletions b/‎v2/controllers/egress_controller.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎v2/controllers/egress_watcher.go‎
Lines changed: 20 additions & 27 deletions b/‎v2/controllers/egress_watcher.go‎
Lines changed: 20 additions & 27 deletions
diff --git a/‎v2/e2e/Makefile‎
Lines changed: 40 additions & 6 deletions b/‎v2/e2e/Makefile‎
Lines changed: 40 additions & 6 deletions
@@ -45,7 +45,18 @@ jobs:
       matrix:
         kindest-node: ["1.29.12", "1.30.8", "1.31.4"]
         with-ipam: ["false", "true"]
+        ipv4: ["false", "true"]
         ipv6: ["false", "true"]
+        ipv6-primary: ["false", "true"]
+        exclude:
+        - ipv4: "false"
+          ipv6: "false"        
+        - ipv4: "false"
+          ipv6: "true"
+          ipv6-primary: "true"
+        - ipv4: "true"
+          ipv6: "false"
+          ipv6-primary: "true"
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v4
@@ -64,30 +75,33 @@ jobs:
         sudo systemctl restart docker.service
         sleep 10
         echo TEST_IPV6=true >> $GITHUB_ENV
-    - run: make start KUBERNETES_VERSION=${{ matrix.kindest-node }} WITH_KINDNET=false TEST_IPV6=${{ matrix.ipv6 }}
+    - run: make start KUBERNETES_VERSION=${{ matrix.kindest-node }} WITH_KINDNET=false TEST_IPV4=${{ matrix.ipv4 }} TEST_IPV6=${{ matrix.ipv6 }} IPV6_PRIMARY=${{ matrix.ipv6-primary }}
       if: matrix.with-ipam == 'true'
       working-directory: v2/e2e
-    - run: make start KUBERNETES_VERSION=${{ matrix.kindest-node }} WITH_KINDNET=true TEST_IPV6=${{ matrix.ipv6 }}
+    - run: make start KUBERNETES_VERSION=${{ matrix.kindest-node }} WITH_KINDNET=true TEST_IPV4=${{ matrix.ipv4 }} TEST_IPV6=${{ matrix.ipv6 }} IPV6_PRIMARY=${{ matrix.ipv6-primary }}
       if: matrix.with-ipam == 'false'
       working-directory: v2/e2e
     - run: make install-coil
       if: matrix.with-ipam == 'true'
       working-directory: v2/e2e
     - run: make install-coil-egress-v4
-      if: matrix.with-ipam == 'false' && matrix.ipv6 == 'false'
+      if: matrix.with-ipam == 'false' && matrix.ipv4 == 'true' && matrix.ipv6 == 'false'
       working-directory: v2/e2e
     - run: make install-coil-egress-v6
-      if: matrix.with-ipam == 'false' && matrix.ipv6 == 'true'
+      if: matrix.with-ipam == 'false' && matrix.ipv4 == 'false' && matrix.ipv6 == 'true'
       working-directory: v2/e2e
-    - run: make test TEST_IPAM=${{ matrix.with-ipam }} TEST_EGRESS=true TEST_IPV6=${{ matrix.ipv6 }}
+    - run: make install-coil-egress-dualstack
+      if: matrix.with-ipam == 'false' && matrix.ipv4 == 'true' && matrix.ipv6 == 'true'
+      working-directory: v2/e2e
+    - run: make test TEST_IPAM=${{ matrix.with-ipam }} TEST_EGRESS=true TEST_IPV4=${{ matrix.ipv4 }} TEST_IPV6=${{ matrix.ipv6 }}
       working-directory: v2/e2e
     - run: make logs
       working-directory: v2/e2e
       if: always()
     - uses: actions/upload-artifact@v4
       if: always()
       with:
-        name: logs-ipv6-${{ matrix.ipv6 }}-with-ipam-${{ matrix.with-ipam }}-${{ matrix.kindest-node }}.tar.gz
+        name: logs-ipv4-${{ matrix.ipv4 }}-ipv6-${{ matrix.ipv6 }}-with-ipam-${{ matrix.with-ipam }}-ipv6-primary-${{ matrix.ipv6-primary }}-${{ matrix.kindest-node }}.tar.gz
         path: v2/e2e/logs.tar.gz
   certs-generation:
     name: Cert generation test
 
@@ -14,7 +14,6 @@ generatorOptions:
 secretGenerator:
 # [EGRESS] Following lines be uncommented to enable Egress NAT features.
 - name: coilv2-egress-webhook-server-cert
-# [CERTS] Following lines should be commented if automatic cert generation is used.
   files:
   - ca.crt=../../cert.pem
   - tls.crt=../../egress-cert.pem
 
@@ -14,7 +14,6 @@ generatorOptions:
 secretGenerator:
 # [EGRESS] Following lines be uncommented to enable Egress NAT features.
 - name: coilv2-egress-webhook-server-cert
-# [CERTS] Following lines should be commented if automatic cert generation is used.
   files:
   - ca.crt=../../cert.pem
   - tls.crt=../../egress-cert.pem
 
@@ -360,6 +360,8 @@ func (r *EgressReconciler) reconcileService(ctx context.Context, log logr.Logger
 			eg.Spec.SessionAffinityConfig.DeepCopyInto(sac)
 			svc.Spec.SessionAffinityConfig = sac
 		}
+		svc.Spec.IPFamilyPolicy = new(corev1.IPFamilyPolicy)
+		*svc.Spec.IPFamilyPolicy = corev1.IPFamilyPolicyPreferDualStack
 
 		return nil
 	})
 
@@ -109,7 +109,7 @@ func (r *EgressWatcher) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.R
 }
 
 func (r *EgressWatcher) reconcileEgressClient(ctx context.Context, eg *coilv2.Egress, pod *corev1.Pod, logger *logr.Logger) error {
-	hook, err := r.getHook(ctx, eg, logger)
+	hooks, err := r.getHook(ctx, eg, logger)
 	if err != nil {
 		return fmt.Errorf("failed to setup NAT hook: %w", err)
 	}
@@ -125,8 +125,11 @@ func (r *EgressWatcher) reconcileEgressClient(ctx context.Context, eg *coilv2.Eg
 			ipv6 = ip.To16()
 		}
 	}
-	if err := r.PodNet.Update(ipv4, ipv6, hook, pod); err != nil {
-		return fmt.Errorf("failed to update NAT configuration: %w", err)
+
+	for _, hook := range hooks {
+		if err := r.PodNet.Update(ipv4, ipv6, hook, pod); err != nil {
+			return fmt.Errorf("failed to update NAT configuration: %w", err)
+		}
 	}
 
 	return nil
@@ -138,49 +141,39 @@ type gwNets struct {
 	sportAuto bool
 }
 
-func (r *EgressWatcher) getHook(ctx context.Context, eg *coilv2.Egress, logger *logr.Logger) (nodenet.SetupHook, error) {
+func (r *EgressWatcher) getHook(ctx context.Context, eg *coilv2.Egress, logger *logr.Logger) ([]nodenet.SetupHook, error) {
 	var gw gwNets
 	svc := &corev1.Service{}
 
 	if err := r.Get(ctx, client.ObjectKey{Namespace: eg.Namespace, Name: eg.Name}, svc); err != nil {
 		return nil, err
 	}
 
-	// See getHook in coild_server.go
-	svcIP := net.ParseIP(svc.Spec.ClusterIP)
-	if svcIP == nil {
-		return nil, fmt.Errorf("invalid ClusterIP in Service %s %s", eg.Name, svc.Spec.ClusterIP)
-	}
-	var subnets []*net.IPNet
-	if ip4 := svcIP.To4(); ip4 != nil {
-		svcIP = ip4
-		for _, sn := range eg.Spec.Destinations {
-			_, subnet, err := net.ParseCIDR(sn)
-			if err != nil {
-				return nil, fmt.Errorf("invalid network in Egress %s", eg.Name)
-			}
-			if subnet.IP.To4() != nil {
-				subnets = append(subnets, subnet)
-			}
+	hooks := []nodenet.SetupHook{}
+	for _, clusterIP := range svc.Spec.ClusterIPs {
+		var subnets []*net.IPNet
+		svcIP := net.ParseIP(clusterIP)
+		if svcIP == nil {
+			return nil, fmt.Errorf("invalid ClusterIP in Service %s %s", eg.Name, svc.Spec.ClusterIP)
 		}
-	} else {
+
 		for _, sn := range eg.Spec.Destinations {
 			_, subnet, err := net.ParseCIDR(sn)
 			if err != nil {
 				return nil, fmt.Errorf("invalid network in Egress %s", eg.Name)
 			}
-			if subnet.IP.To4() == nil {
+			if (svcIP.To4() != nil) == (subnet.IP.To4() != nil) {
 				subnets = append(subnets, subnet)
 			}
 		}
-	}
 
-	if len(subnets) > 0 {
-		gw = gwNets{gateway: svcIP, networks: subnets, sportAuto: eg.Spec.FouSourcePortAuto}
-		return r.hook(gw, logger), nil
+		if len(subnets) > 0 {
+			gw = gwNets{gateway: svcIP, networks: subnets, sportAuto: eg.Spec.FouSourcePortAuto}
+			hooks = append(hooks, r.hook(gw, logger))
+		}
 	}
 
-	return nil, nil
+	return hooks, nil
 }
 
 func (r *EgressWatcher) hook(gwn gwNets, log *logr.Logger) func(ipv4, ipv6 net.IP) error {
 
@@ -10,10 +10,26 @@ export KUBECTL
 
 KIND_CONFIG = kind-config.yaml
 ifeq ($(TEST_IPV6),true)
-	ifeq ($(WITH_KINDNET),true)
-		KIND_CONFIG = kind-config_kindnet_v6.yaml
-	else 
-		KIND_CONFIG = kind-config_v6.yaml
+	ifeq ($(TEST_IPV4),true)
+		ifeq ($(IPV6_PRIMARY),true)
+			ifeq ($(WITH_KINDNET),true)
+				KIND_CONFIG = kind-config_dualstack_v6_kindnet.yaml
+			else 
+				KIND_CONFIG = kind-config_dualstack_v6.yaml
+			endif
+		else
+			ifeq ($(WITH_KINDNET),true)
+				KIND_CONFIG = kind-config_dualstack_kindnet.yaml
+			else 
+				KIND_CONFIG = kind-config_dualstack.yaml
+			endif
+		endif
+	else
+		ifeq ($(WITH_KINDNET),true)
+			KIND_CONFIG = kind-config_kindnet_v6.yaml
+		else 
+			KIND_CONFIG = kind-config_v6.yaml
+		endif
 	endif
 else
 	ifeq ($(WITH_KINDNET),true)
@@ -50,7 +66,7 @@ install-coil-egress-v4: setup-nodes
 	$(KUBECTL) -n kube-system wait --timeout=3m --for=condition=available deployment/coil-egress-controller
 	$(KUBECTL) -n kube-system wait --timeout=3m --for=condition=available deployment/coil-egress-controller
 	$(KUBECTL) rollout status daemonset coild -n kube-system --timeout=3m
-	./kindnet-conf --action set --file 10-coil.conflist
+	./kindnet-conf --action set --cni-config 10-coil.conflist
 	rm -rf tmp kindnet-conf
 
 .PHONY: install-coil-egress-v6
@@ -65,7 +81,24 @@ install-coil-egress-v6: setup-nodes
 	$(KUBECTL) -n kube-system wait --timeout=3m --for=condition=available deployment/coil-egress-controller
 	$(KUBECTL) -n kube-system wait --timeout=3m --for=condition=available deployment/coil-egress-controller
 	$(KUBECTL) rollout status daemonset coild -n kube-system --timeout=3m
-	./kindnet-conf --action set --file 10-coil.conflist --protocol v6
+	./kindnet-conf --action set --cni-config 10-coil.conflist --protocol v6
+	rm -rf tmp kindnet-conf
+
+.PHONY: install-coil-egress-v6
+install-coil-egress-dualstack: setup-nodes
+	rm -rf tmp
+	mkdir tmp 2> /dev/null
+	$(KUBECTL) rollout status daemonset kindnet -n kube-system --timeout 120s
+	CGO_ENABLED=0 go build -o kindnet-conf ./kindnet-configurer
+	./kindnet-conf --action get --protocol v4
+	./kindnet-conf --action get --protocol v6
+	$(KIND) load docker-image --name coil coil:dev
+	$(KUSTOMIZE) build --load-restrictor=LoadRestrictionsNone configs/egress/dualstack | $(KUBECTL) apply -f -
+	$(KUBECTL) -n kube-system wait --timeout=3m --for=condition=available deployment/coil-egress-controller
+	$(KUBECTL) -n kube-system wait --timeout=3m --for=condition=available deployment/coil-egress-controller
+	$(KUBECTL) rollout status daemonset coild -n kube-system --timeout=3m
+	./kindnet-conf --action set --cni-config 10-coil.conflist --protocol v4
+	./kindnet-conf --action set --cni-config 10-coil.conflist --protocol v6
 	rm -rf tmp kindnet-conf
 
 .PHONY: setup-nodes
@@ -105,6 +138,7 @@ enable-certs-rotation:
 	@sed -i "9,21 {s/^# //}" kustomization.yaml
 	@sed -i "18,24 {s/^# //}" configs/egress/v4/kustomization.yaml
 	@sed -i "18,24 {s/^# //}" configs/egress/v6/kustomization.yaml
+	@sed -i "18,24 {s/^# //}" configs/egress/dualstack/kustomization.yaml
 	@sed -i -E 's/^(- coil-.*controller_role\.yaml)/# \1/g' ../config/rbac/kustomization.yaml
 	@sed -i -E 's/^# (- coil-.*controller-certs_role\.yaml)/\1/g' ../config/rbac/kustomization.yaml
 	@sed -i -E 's/^(- \.\.\/coil-.*controller_role\.yaml)/# \1/g' ../config/rbac/egress/kustomization.yaml
Original file line number	Diff line number	Diff line change
`@@ -360,6 +360,8 @@ func (r *EgressReconciler) reconcileService(ctx context.Context, log logr.Logger`
`360`	`360`	`eg.Spec.SessionAffinityConfig.DeepCopyInto(sac)`
`361`	`361`	`svc.Spec.SessionAffinityConfig = sac`
`362`	`362`	`}`
	`363`	`+ svc.Spec.IPFamilyPolicy = new(corev1.IPFamilyPolicy)`
	`364`	`+ *svc.Spec.IPFamilyPolicy = corev1.IPFamilyPolicyPreferDualStack`
`363`	`365`
`364`	`366`	`return nil`
`365`	`367`	`})`