MGMT-21201: Enable dual-stack clusters

The lifecycle-agent is a core component responsible for managing Image-Based Upgrades (IBU) and Image-Based Install (IBI) operations in OpenShift Single Node OpenShift (SNO) clusters. It handles critical cluster lifecycle operations including:

- **Network Configuration Management**: Configuring node IPs, machine networks, cluster networks, and service networks during cluster transitions
- **Recertification (Recert)**: Re-signing certificates with updated cluster information (IPs, hostnames, etc.) when transforming seed images into target clusters
- **Post-Pivot Operations**: Managing network setup, DNS configuration, and kubelet configuration after cluster pivot operations
- **Seed Cluster Information**: Capturing and transforming network details from seed clusters for target cluster deployment

Currently, the lifecycle-agent's network handling is designed around single-stack networking, where clusters operate on either IPv4 OR IPv6, but not both simultaneously. All network-related data structures use single string fields (`NodeIP`, `MachineNetwork`) and the logic assumes a single IP address per network interface.

Key components involved:
- `api/seedreconfig`: Defines the `SeedReconfiguration` API for cluster transformation parameters
- `utils/client_helper.go`: Extracts cluster network information from Kubernetes API
- `lca-cli/postpivot`: Handles post-upgrade network configuration and kubelet setup
- `internal/recert`: Manages certificate re-signing with updated network information
- `lca-cli/seedclusterinfo`: Captures seed cluster network details for replication

**[MGMT-21201](https://issues.redhat.com//browse/MGMT-21201)**: The lifecycle-agent needs to support dual-stack networking configurations where OpenShift clusters operate with both IPv4 and IPv6 addresses simultaneously on the same interfaces.

1. **Single IP Assumption**: All network fields (`NodeIP`, `MachineNetwork`) are single strings, preventing multiple IP support
2. **Limited Network Discovery**: Cluster info extraction only captures the first internal IP address
3. **Inadequate Recert Logic**: Certificate re-signing only handles single IP changes
4. **Kubelet Configuration**: Node IP hint generation assumes single network per stack
5. **Missing Test Coverage**: No validation for dual-stack scenarios

- Support IPv4 + IPv6 dual-stack clusters in IBU/IBI operations
- Maintain 100% backward compatibility with existing single-stack configurations
- Handle multiple machine networks per IP family
- Update recert logic to process multiple IP addresses in certificate SANs
- Ensure proper kubelet configuration for dual-stack node IPs

- **Added `NodeIPs []string`** to `SeedReconfiguration` and `SeedClusterInfo` for multiple node IPs
- **Added `MachineNetworks []string`** to support multiple machine network CIDRs
- **Preserved legacy fields** (`NodeIP`, `MachineNetwork`) for backward compatibility with precedence rules

- **Enhanced `GetClusterInfo()`** to discover all internal node IPs via `getNodeInternalIPs()`
- **Added `getMachineNetworks()`** to extract all machine networks from install config
- **Implemented backward compatibility** by populating legacy fields with first array element

- **Updated `setNodeIpHint()`** to generate space-separated IP hints: `KUBELET_NODEIP_HINT=<ip1> <ip2>`
- **Refactored `setNodeIPIfNotProvided()`** to parse kubelet config from `/etc/systemd/system/kubelet.service.d/20-nodenet.conf`
- **Added `parseKubeletNodeIPs()`** function to extract both `KUBELET_NODE_IP` and `KUBELET_NODE_IPS` environment variables
- **Enhanced file validation** to check for both existence AND valid content before triggering `nodeip-configuration` service

- **Implemented `slices.Equal()`** comparison for clean IP change detection
- **Updated config IP format** to comma-separated list: `config.IP = "ip1,ip2"` for multiple addresses
- **Enhanced certificate SAN rules** to include all old and new IP addresses in replacement rules

- ✅ Single-stack IPv4 and IPv6 configurations
- ✅ Dual-stack (IPv4 + IPv6) with both primary orders
- ✅ Multiple networks per IP family
- ✅ Legacy → new field migration scenarios
- ✅ Error handling and edge cases
- ✅ Backward compatibility validation

**100% backward compatibility maintained**:
- Existing single-stack clusters continue to work without modification
- Legacy `NodeIP` and `MachineNetwork` fields preserved and populated
- New fields (`NodeIPs`, `MachineNetworks`) take precedence when specified
- All existing APIs and behavior unchanged for single-stack scenarios

- **All existing tests pass** - no regressions introduced
- **59 new test cases** covering all dual-stack scenarios
- **Production-ready validation** for IPv4, IPv6, and dual-stack configurations
- **Edge case coverage** including empty configs, invalid data, and service interactions

Author: danmanor

api/seedreconfig/seedreconfig.go

@@ -49,8 +49,15 @@ type SeedReconfiguration struct {
 	InfraID string `json:"infra_id,omitempty"`
 
 	// The desired IP address of the SNO node.
+	// Use NodeIPs instead.
 	NodeIP string `json:"node_ip,omitempty"`
 
+	// The desired IP addresses of the SNO node. One for single stack
+	// clusters, and two for dual-stack clusters.
+	// Use this field instead of NodeIP.
+	// +optional
+	NodeIPs []string `json:"node_ips,omitempty"`
+
 	// The container registry used to host the release image of the seed cluster.
 	ReleaseRegistry string `json:"release_registry,omitempty"`
 
@@ -102,8 +109,19 @@ type SeedReconfiguration struct {
 	// MachineNetwork is the subnet provided by user for the ocp cluster.
 	// This will be used to create the node network and choose ip address for the node.
 	// Equivalent to install-config.yaml's machineNetwork.
+	// Use MachineNetworks instead.
 	MachineNetwork string `json:"machine_network,omitempty"`
 
+	// MachineNetworks is the list of subnets provided by user.
+	// For single stack ocp clusters, this will be a single subnet.
+	// For dual-stack ocp clusters, this will be a list of two subnets.
+	// This will be used to create the node network and choose ip addresses for the node.
+	// Equivalent to install-config.yaml's machineNetworks.
+	// Use this field instead of MachineNetwork.
+	// If both MachineNetwork and MachineNetworks are specified, MachineNetworks takes precedence.
+	// +optional
+	MachineNetworks []string `json:"machine_networks,omitempty"`
+
 	// Proxy is the proxy settings for the cluster. Equivalent to
 	// install-config.yaml's proxy. This will replace the proxy settings of the
 	// seed cluster. During IBI, the HTTP and HTTPS and NO proxy settings are

go.sum

@@ -459,7 +459,7 @@ k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJ
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-open-cluster-management.io/api v1.0.0 h1:54QllH9DTudCk6VrGt0q8CDsE3MghqJeTaTN4RHZpE0=
+open-cluster-management.io/api v1.0.0 h1:TQ2Xq/bteFnsUukR4Ty4vmiAaCvenBL3hZXYFYz7q+U=
 open-cluster-management.io/api v1.0.0/go.mod h1:/OeqXycNBZQoe3WG6ghuWsMgsKGuMZrK8ZpsU6gWL0Y=
 open-cluster-management.io/config-policy-controller v0.16.0 h1:hIrgTvJXYRuYZ+Gph4EPq+8heQKczWlCSSctGQVi6OI=
 open-cluster-management.io/config-policy-controller v0.16.0/go.mod h1:NEl+/esHnMIbRRwndgBqzILqL+nro2mbrcDowZHSMZk=

internal/clusterconfig/clusterconfig.go

@@ -309,6 +309,7 @@ func SeedReconfigurationFromClusterInfo(
 		ClusterID:                 clusterInfo.ClusterID,
 		InfraID:                   infraID,
 		NodeIP:                    clusterInfo.NodeIP,
+		NodeIPs:                   clusterInfo.NodeIPs,
 		ReleaseRegistry:           clusterInfo.ReleaseRegistry,
 		Hostname:                  clusterInfo.Hostname,
 		KubeconfigCryptoRetention: *kubeconfigCryptoRetention,
@@ -320,6 +321,7 @@ func SeedReconfigurationFromClusterInfo(
 		StatusProxy:               statusProxy,
 		InstallConfig:             installConfig,
 		MachineNetwork:            clusterInfo.MachineNetwork,
+		MachineNetworks:           clusterInfo.MachineNetworks,
 		ChronyConfig:              chronyConfig,
 		AdditionalTrustBundle: seedreconfig.AdditionalTrustBundle{
 			UserCaBundle:         additionalTrustBundle.UserCaBundle,

internal/clusterconfig/clusterconfig_dualstack_test.go

@@ -0,0 +1,205 @@
+package clusterconfig
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/openshift-kni/lifecycle-agent/lca-cli/seedclusterinfo"
+	"github.com/openshift-kni/lifecycle-agent/utils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSeedReconfigurationDifferentStack(t *testing.T) {
+	testcases := []struct {
+		name                    string
+		clusterInfo             *utils.ClusterInfo
+		expectedNodeIP          string
+		expectedNodeIPs         []string
+		expectedMachineNetworks []string
+	}{
+		{
+			name: "Single-stack IPv4",
+			clusterInfo: &utils.ClusterInfo{
+				OCPVersion:      "4.15.0",
+				BaseDomain:      "example.com",
+				ClusterName:     "test-cluster",
+				NodeIP:          "192.168.1.10",
+				NodeIPs:         []string{"192.168.1.10"},
+				MachineNetwork:  "192.168.1.0/24",
+				MachineNetworks: []string{"192.168.1.0/24"},
+				ClusterNetworks: []string{"10.244.0.0/16"},
+				ServiceNetworks: []string{"10.96.0.0/16"},
+				Hostname:        "test-node",
+			},
+			expectedNodeIP:          "192.168.1.10",
+			expectedNodeIPs:         []string{"192.168.1.10"},
+			expectedMachineNetworks: []string{"192.168.1.0/24"},
+		},
+		{
+			name: "Single-stack IPv6",
+			clusterInfo: &utils.ClusterInfo{
+				OCPVersion:      "4.15.0",
+				BaseDomain:      "example.com",
+				ClusterName:     "test-cluster",
+				NodeIP:          "2001:db8::10",
+				NodeIPs:         []string{"2001:db8::10"},
+				MachineNetwork:  "2001:db8::/64",
+				MachineNetworks: []string{"2001:db8::/64"},
+				ClusterNetworks: []string{"2001:db8:1::/64"},
+				ServiceNetworks: []string{"2001:db8:2::/64"},
+				Hostname:        "test-node",
+			},
+			expectedNodeIP:          "2001:db8::10",
+			expectedNodeIPs:         []string{"2001:db8::10"},
+			expectedMachineNetworks: []string{"2001:db8::/64"},
+		},
+		{
+			name: "Dual-stack IPv4 primary",
+			clusterInfo: &utils.ClusterInfo{
+				OCPVersion:      "4.15.0",
+				BaseDomain:      "example.com",
+				ClusterName:     "test-cluster",
+				NodeIP:          "192.168.1.10",
+				NodeIPs:         []string{"192.168.1.10", "2001:db8::10"},
+				MachineNetwork:  "192.168.1.0/24",
+				MachineNetworks: []string{"192.168.1.0/24", "2001:db8::/64"},
+				ClusterNetworks: []string{"10.244.0.0/16", "2001:db8:1::/64"},
+				ServiceNetworks: []string{"10.96.0.0/16", "2001:db8:2::/64"},
+				Hostname:        "test-node",
+			},
+			expectedNodeIP:          "192.168.1.10",
+			expectedNodeIPs:         []string{"192.168.1.10", "2001:db8::10"},
+			expectedMachineNetworks: []string{"192.168.1.0/24", "2001:db8::/64"},
+		},
+		{
+			name: "Dual-stack IPv6 primary",
+			clusterInfo: &utils.ClusterInfo{
+				OCPVersion:      "4.15.0",
+				BaseDomain:      "example.com",
+				ClusterName:     "test-cluster",
+				NodeIP:          "2001:db8::10",
+				NodeIPs:         []string{"2001:db8::10", "192.168.1.10"},
+				MachineNetwork:  "2001:db8::/64",
+				MachineNetworks: []string{"2001:db8::/64", "192.168.1.0/24"},
+				ClusterNetworks: []string{"2001:db8:1::/64", "10.244.0.0/16"},
+				ServiceNetworks: []string{"2001:db8:2::/64", "10.96.0.0/16"},
+				Hostname:        "test-node",
+			},
+			expectedNodeIP:          "2001:db8::10",
+			expectedNodeIPs:         []string{"2001:db8::10", "192.168.1.10"},
+			expectedMachineNetworks: []string{"2001:db8::/64", "192.168.1.0/24"},
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create SeedClusterInfo from ClusterInfo
+			seedClusterInfo := seedclusterinfo.NewFromClusterInfo(
+				tc.clusterInfo,
+				"quay.io/example/seed:latest",
+				false, // hasProxy
+				false, // hasFIPS
+				nil,   // additionalTrustBundle
+				"",    // containerStorageMountpointTarget
+				"",    // ingressCertificateCN
+			)
+
+			// The SeedReconfiguration would be created from this SeedClusterInfo
+			// For testing purposes, we verify that the SeedClusterInfo contains the expected data
+			assert.Equal(t, tc.expectedNodeIP, seedClusterInfo.NodeIP)
+			assert.Equal(t, tc.expectedNodeIPs, seedClusterInfo.NodeIPs)
+			assert.Equal(t, tc.expectedMachineNetworks, seedClusterInfo.MachineNetworks)
+
+			// Verify that backward compatibility is maintained
+			if len(tc.expectedNodeIPs) > 0 {
+				assert.Equal(t, tc.expectedNodeIPs[0], seedClusterInfo.NodeIP, "First NodeIP should match legacy NodeIP field")
+			}
+			if len(tc.expectedMachineNetworks) > 0 {
+				// Note: SeedClusterInfo doesn't have a single MachineNetwork field, only MachineNetworks slice
+				assert.Contains(t, seedClusterInfo.MachineNetworks, tc.expectedMachineNetworks[0], "First machine network should be in the list")
+			}
+		})
+	}
+}
+
+func TestIPStackTypeDetermination(t *testing.T) {
+	testcases := []struct {
+		name        string
+		nodeIPs     []string
+		description string
+		stackType   string
+	}{
+		{
+			name:        "Single-stack IPv4",
+			nodeIPs:     []string{"192.168.1.10"},
+			description: "Only IPv4 address",
+			stackType:   "IPv4",
+		},
+		{
+			name:        "Single-stack IPv6",
+			nodeIPs:     []string{"2001:db8::10"},
+			description: "Only IPv6 address",
+			stackType:   "IPv6",
+		},
+		{
+			name:        "Dual-stack IPv4 primary",
+			nodeIPs:     []string{"192.168.1.10", "2001:db8::10"},
+			description: "IPv4 and IPv6, IPv4 first",
+			stackType:   "dual-stack",
+		},
+		{
+			name:        "Dual-stack IPv6 primary",
+			nodeIPs:     []string{"2001:db8::10", "192.168.1.10"},
+			description: "IPv4 and IPv6, IPv6 first",
+			stackType:   "dual-stack",
+		},
+		{
+			name:        "Multiple IPv4 addresses",
+			nodeIPs:     []string{"192.168.1.10", "10.0.0.5", "172.16.1.10"},
+			description: "Multiple IPv4 addresses",
+			stackType:   "IPv4",
+		},
+		{
+			name:        "Multiple IPv6 addresses",
+			nodeIPs:     []string{"2001:db8::10", "2001:db9::20"},
+			description: "Multiple IPv6 addresses",
+			stackType:   "IPv6",
+		},
+		{
+			name:        "Complex dual-stack",
+			nodeIPs:     []string{"192.168.1.10", "2001:db8::10", "10.0.0.5", "2001:db9::20"},
+			description: "Multiple IPv4 and IPv6 addresses",
+			stackType:   "dual-stack",
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Helper function to determine IP stack type
+			stackType := determineIPStackType(tc.nodeIPs)
+			assert.Equal(t, tc.stackType, stackType, tc.description)
+		})
+	}
+}
+
+// Helper function to determine IP stack type for testing
+func determineIPStackType(ips []string) string {
+	hasIPv4 := false
+	hasIPv6 := false
+
+	for _, ip := range ips {
+		if strings.Contains(ip, ":") {
+			hasIPv6 = true
+		} else {
+			hasIPv4 = true
+		}
+	}
+
+	if hasIPv4 && hasIPv6 {
+		return "dual-stack"
+	} else if hasIPv6 {
+		return "IPv6"
+	} else {
+		return "IPv4"
+	}
+}

internal/recert/recert.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 
 	"github.com/openshift-kni/lifecycle-agent/api/seedreconfig"
@@ -14,6 +15,28 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
+// getAllNodeIPsFromSeedReconfig returns all node IPs with backward compatibility
+func getAllNodeIPsFromSeedReconfig(seedReconfig *seedreconfig.SeedReconfiguration) []string {
+	if len(seedReconfig.NodeIPs) > 0 {
+		return seedReconfig.NodeIPs
+	}
+	if seedReconfig.NodeIP != "" {
+		return []string{seedReconfig.NodeIP}
+	}
+	return []string{}
+}
+
+// getAllNodeIPsFromSeedClusterInfo returns all node IPs from seed cluster info
+func getAllNodeIPsFromSeedClusterInfo(seedClusterInfo *seedclusterinfo.SeedClusterInfo) []string {
+	if len(seedClusterInfo.NodeIPs) > 0 {
+		return seedClusterInfo.NodeIPs
+	}
+	if seedClusterInfo.NodeIP != "" {
+		return []string{seedClusterInfo.NodeIP}
+	}
+	return []string{}
+}
+
 const (
 	RecertConfigFile = "recert_config.json"
 	SummaryFile      = "/var/tmp/recert-summary.yaml"
@@ -121,8 +144,12 @@ func CreateRecertConfigFile(seedReconfig *seedreconfig.SeedReconfiguration, seed
 		config.Hostname = seedReconfig.Hostname
 	}
 
-	if seedReconfig.NodeIP != seedClusterInfo.NodeIP {
-		config.IP = seedReconfig.NodeIP
+	allSeedNodeIPs := getAllNodeIPsFromSeedClusterInfo(seedClusterInfo)
+	allNodeIPs := getAllNodeIPsFromSeedReconfig(seedReconfig)
+
+	ipsChanged := !slices.Equal(allSeedNodeIPs, allNodeIPs)
+	if ipsChanged && len(allNodeIPs) > 0 {
+		config.IP = strings.Join(allNodeIPs, ",")
 	}
 
 	config.Proxy = FormatRecertProxyFromSeedReconfigProxy(seedReconfig.Proxy, seedReconfig.StatusProxy)
@@ -168,12 +195,19 @@ func CreateRecertConfigFile(seedReconfig *seedreconfig.SeedReconfiguration, seed
 	config.CNSanReplaceRules = []string{
 		fmt.Sprintf("system:node:%s,system:node:%s", seedClusterInfo.SNOHostname, seedReconfig.Hostname),
 		fmt.Sprintf("%s,%s", seedClusterInfo.SNOHostname, seedReconfig.Hostname),
-		fmt.Sprintf("%s,%s", seedClusterInfo.NodeIP, seedReconfig.NodeIP),
 		fmt.Sprintf("api.%s,api.%s", seedFullDomain, clusterFullDomain),
 		fmt.Sprintf("api-int.%s,api-int.%s", seedFullDomain, clusterFullDomain),
 		fmt.Sprintf("*.apps.%s,*.apps.%s", seedFullDomain, clusterFullDomain),
 	}
-	// check if there is an ingress CN provided for backwards compatibility
+
+	if len(allSeedNodeIPs) == len(allNodeIPs) {
+		for i := range allSeedNodeIPs {
+			config.CNSanReplaceRules = append(
+				config.CNSanReplaceRules, fmt.Sprintf("%s,%s", allSeedNodeIPs[i], allNodeIPs[i]),
+			)
+		}
+	}
+
 	if seedReconfig.KubeconfigCryptoRetention.IngresssCrypto.IngressCertificateCN != "" {
 		config.CNSanReplaceRules = append(config.CNSanReplaceRules,
 			fmt.Sprintf("%s,%s", seedClusterInfo.IngressCertificateCN, seedReconfig.KubeconfigCryptoRetention.IngresssCrypto.IngressCertificateCN))