MGMT-21200: Enable dual-stack

Author: danmanor

.gitignore

@@ -2,4 +2,3 @@
 /backup/
 /summary.yaml
 /summary_redacted.yaml
-

hack/dummy_config.yaml

@@ -42,7 +42,9 @@ use_cert_rules:
     -----END CERTIFICATE-----
 cluster_rename: new-name:foo.com:some-random-infra-id
 hostname: test.hostname
-ip: 192.168.126.99
+ip:
+  - 192.168.126.99
+  - 2001:db8::99
 # proxy: http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3128|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3130|.cluster.local,.kni-qe-2.lab.eng.rdu2.redhat.com,.svc,127.0.0.1,2620:52:0:11c::/64,2620:52:0:11c::1,2620:52:0:11c::10,2620:52:0:11c::11,2620:52:0:199::/64,api-int.kni-qe-2.lab.eng.rdu2.redhat.com,fd01::/48,fd02::/112,localhost|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3128|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3130|.cluster.local,.kni-qe-2.lab.eng.rdu2.redhat.com,.svc,127.0.0.1,2620:52:0:11c::/64,2620:52:0:11c::1,2620:52:0:11c::10,2620:52:0:11c::11,2620:52:0:199::/64,api-int.kni-qe-2.lab.eng.rdu2.redhat.com,fd01::/48,fd02::/112,localhost,moreproxy
 install_config: |
     additionalTrustBundlePolicy: Proxyonly
@@ -69,18 +71,24 @@ install_config: |
       clusterNetwork:
       - cidr: 10.128.0.0/14
         hostPrefix: 23
+      - cidr: fd01::/48
+        hostPrefix: 64
       machineNetwork:
-      - cidr: 192.168.126.0/24
+      - cidr: 192.168.128.0/24
+      - cidr: 1001:db8::/120
       networkType: OVNKubernetes
       serviceNetwork:
       - 172.30.0.0/16
+      - fd02::/112
     platform:
       none: {}
     publish: External
     pullSecret: ""
     sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDThIOETj6iTvbCaNv15tZg121nWLcwtJuZofc1QS5iAdw8C8fN2R39cSW/ambikl2Fr6YNBBVR3znbtmattOyWyxAOFUfdY0aw0MqZb4LWLf04q6X0KsWIYWaV3ol0KxTzgvX38i/IU42XQfJwMYFE8dQ15TZ7l+FTKKi3SUPXLuy/9CXRfaCDZ2dKMcCkelkTr0KR1HdjiKQ86rMfk9JUbAf7D29aAQq4h1WNnHMM9vnbqN7MW9L8ebn/lCTJjGQ56r0UmurgyIEMt0P+CGp1e4AUNKYsPoYFB0GNwUkr/rB8LeuCOaZcoWdYXlUJaN45GjtCDon56+AoMA9V8tYkV6HqyFwGQjoGKI1cRCHXDJnGyAbMd9OK94TWJmNvtdHkbSURHyw2G7otZpAkRuEvMP0C7R+3JmuxrDA8yaUgWvgccqGcmFl1krClksW6KrAXNlwhZ4QOAMhDrXwwPfOOQoG82zPpg+g9gZQIhkro1Cje4bmWz5z5fiuDloTq1vc=
       root@edge-01.edge.lab.eng.rdu2.redhat.com
-machine_network_cidr: 192.168.127.0/24
+machine_network_cidr:
+  - 192.168.128.0/24
+  - 1001:db8::/120
 kubeadmin_password_hash: "$2a$10$20Q4iRLy7cWZkjn/D07bF.RZQZonKwstyRGH0qiYbYRkx5Pe4Ztyi"
 # proxy_trusted_ca_bundle: 'user-ca-bundle:'
 # user_ca_bundle: |

src/config.rs

@@ -42,15 +42,15 @@ pub(crate) struct ClusterCustomizations {
     pub(crate) files: Vec<ConfigPath>,
     pub(crate) cluster_rename: Option<ClusterNamesRename>,
     pub(crate) hostname: Option<String>,
-    pub(crate) ip: Option<String>,
+    pub(crate) ip: Option<Vec<String>>,
     pub(crate) proxy: Option<Proxy>,
     pub(crate) install_config: Option<String>,
     pub(crate) kubeadmin_password_hash: Option<String>,
     #[serde(serialize_with = "redact")]
     pub(crate) pull_secret: Option<String>,
     pub(crate) user_ca_bundle: Option<String>,
     pub(crate) proxy_trusted_ca_bundle: Option<ProxyAdditionalTrustBundle>,
-    pub(crate) machine_network_cidr: Option<String>,
+    pub(crate) machine_network_cidr: Option<Vec<String>>,
     pub(crate) chrony_config: Option<String>,
 }
 
@@ -223,7 +223,17 @@ impl RecertConfig {
             None => None,
         };
         let ip = match value.remove("ip") {
-            Some(value) => Some(value.as_str().context("ip must be a string")?.to_string()),
+            Some(value) => {
+                if let Some(array) = value.as_array() {
+                    // Handle array of IPs for dual stack
+                    Some(array.iter().map(|v| -> Result<String, anyhow::Error> { Ok(v.as_str().context("ip array element must be a string")?.to_string()) }).collect::<Result<Vec<_>, _>>()?)
+                } else if let Some(single_ip) = value.as_str() {
+                    // Handle single IP for backward compatibility
+                    Some(vec![single_ip.to_string()])
+                } else {
+                    anyhow::bail!("ip must be a string or array of strings");
+                }
+            },
             None => None,
         };
         let pull_secret = match value.remove("pull_secret") {
@@ -261,7 +271,17 @@ impl RecertConfig {
             None => None,
         };
         let machine_network_cidr = match value.remove("machine_network_cidr") {
-            Some(value) => Some(value.as_str().context("machine_network_cidr must be a string")?.to_string()),
+            Some(value) => {
+                if let Some(array) = value.as_array() {
+                    // Handle array of CIDRs for dual stack
+                    Some(array.iter().map(|v| -> Result<String, anyhow::Error> { Ok(v.as_str().context("machine_network_cidr array element must be a string")?.to_string()) }).collect::<Result<Vec<_>, _>>()?)
+                } else if let Some(single_cidr) = value.as_str() {
+                    // Handle single CIDR for backward compatibility
+                    Some(vec![single_cidr.to_string()])
+                } else {
+                    anyhow::bail!("machine_network_cidr must be a string or array of strings");
+                }
+            },
             None => None,
         };
         let chrony_config = match value.remove("chrony_config") {
@@ -429,14 +449,14 @@ impl RecertConfig {
                 },
                 cluster_rename: cli.cluster_rename,
                 hostname: cli.hostname,
-                ip: cli.ip,
+                ip: if cli.ip.is_empty() { None } else { Some(cli.ip) },
                 proxy: cli.proxy,
                 install_config: cli.install_config,
                 kubeadmin_password_hash: cli.kubeadmin_password_hash,
                 pull_secret: cli.pull_secret,
                 user_ca_bundle: cli.user_ca_bundle,
                 proxy_trusted_ca_bundle: cli.proxy_trusted_ca_bundle,
-                machine_network_cidr: cli.machine_network_cidr,
+                machine_network_cidr: if cli.machine_network_cidr.is_empty() { None } else { Some(cli.machine_network_cidr) },
                 chrony_config: cli.chrony_config,
             },
             encryption_customizations: EncryptionCustomizations {

src/config/cli.rs

@@ -97,9 +97,9 @@ pub(crate) struct Cli {
     pub(crate) hostname: Option<String>,
 
     /// If given, the cluster resources that include the IP address will be modified to use this
-    /// one instead.
+    /// one instead. For dual stack, provide multiple IP addresses (IPv4 first).
     #[clap(long)]
-    pub(crate) ip: Option<String>,
+    pub(crate) ip: Vec<String>,
 
     /// If given, the cluster's HTTP proxy configuration will be modified to use this one instead.
     #[clap(long, value_parser = Proxy::parse)]
@@ -150,10 +150,11 @@ pub(crate) struct Cli {
 
     /// The CIDR of the machine network. If given, the machine network CIDR which appears in the
     /// install-config found in the cluster-config-v1 configmaps will be modified to use this
-    /// machine CIDR. WARNING: If a different machine network CIDR is stated in the
+    /// machine CIDR. For dual stack, provide multiple IPv4 and IPv6 CIDRs (IPv4 first).
+    /// WARNING: If a different machine network CIDR is stated in the
     /// --install-config parameter, it might overwrite the one given here.
     #[clap(long)]
-    pub(crate) machine_network_cidr: Option<String>,
+    pub(crate) machine_network_cidr: Vec<String>,
 
     /// If given, the cluster resources that include chrony.config be modified to have this value.
     #[clap(long)]

src/etcd_encoding.rs

@@ -5,7 +5,7 @@ use super::protobuf_gen::{
             admissionregistration::v1::{MutatingWebhookConfiguration, ValidatingWebhookConfiguration},
             apps::v1::{ControllerRevision, DaemonSet, Deployment, StatefulSet},
             batch::v1::{CronJob, Job},
-            core::v1::{ConfigMap, Secret},
+            core::v1::{ConfigMap, Node, Secret},
         },
         apimachinery::pkg::runtime::{TypeMeta, Unknown},
     },
@@ -56,6 +56,7 @@ k8s_type!(JobWithMeta, Job);
 k8s_type!(CronJobWithMeta, CronJob);
 k8s_type!(StatefulSetWithMeta, StatefulSet);
 k8s_type!(ConfigMapWithMeta, ConfigMap);
+k8s_type!(NodeWithMeta, Node);
 k8s_type!(SecretWithMeta, Secret);
 k8s_type!(ValidatingWebhookConfigurationWithMeta, ValidatingWebhookConfiguration);
 k8s_type!(MutatingWebhookConfigurationWithMeta, MutatingWebhookConfiguration);
@@ -86,6 +87,7 @@ pub(crate) async fn decode(data: &[u8]) -> Result<Vec<u8>> {
         "StatefulSet" => serde_json::to_vec(&StatefulSetWithMeta::try_from(unknown)?)?,
         "DaemonSet" => serde_json::to_vec(&DaemonsSetWithMeta::try_from(unknown)?)?,
         "ConfigMap" => serde_json::to_vec(&ConfigMapWithMeta::try_from(unknown)?)?,
+        "Node" => serde_json::to_vec(&NodeWithMeta::try_from(unknown)?)?,
         "Secret" => serde_json::to_vec(&SecretWithMeta::try_from(unknown)?)?,
         "ValidatingWebhookConfiguration" => serde_json::to_vec(&ValidatingWebhookConfigurationWithMeta::try_from(unknown)?)?,
         "MutatingWebhookConfiguration" => serde_json::to_vec(&MutatingWebhookConfigurationWithMeta::try_from(unknown)?)?,

src/ocp_postprocess.rs

@@ -152,8 +152,16 @@ async fn run_cluster_customizations(
             .context("renaming cluster")?;
     }
 
-    if let Some(ip) = &cluster_customizations.ip {
-        ip_rename(in_memory_etcd_client, ip, dirs, files).await.context("renaming IP")?;
+    if let Some(ips) = &cluster_customizations.ip {
+        if ips.len() == 1 {
+            log::info!("Processing single IP: {}", ips[0]);
+            ip_rename(in_memory_etcd_client, &ips[0], dirs, files).await.context(format!("renaming IP {}", ips[0]))?;
+        } else if ips.len() == 2 {
+            log::info!("Processing dual-stack IPs: {}", ips.join(", "));
+            ip_rename_dual_stack(in_memory_etcd_client, ips, dirs, files).await.context("renaming dual-stack IPs")?;
+        } else {
+            log::warn!("No IPs were provided, skipping IP rename");
+        }
     }
 
     if let Some(hostname) = &cluster_customizations.hostname {
@@ -196,8 +204,10 @@ async fn run_cluster_customizations(
     .await
     .context("renaming additional trust bundle")?;
 
-    if let Some(machine_network_cidr) = &cluster_customizations.machine_network_cidr {
-        fix_machine_network_cidr(in_memory_etcd_client, machine_network_cidr, dirs, files)
+    if let Some(machine_network_cidrs) = &cluster_customizations.machine_network_cidr {
+        let combined_cidrs = machine_network_cidrs.join(",");
+        log::info!("Processing machine network CIDRs: {}", combined_cidrs);
+        fix_machine_network_cidr(in_memory_etcd_client, &combined_cidrs, dirs, files)
             .await
             .context("fixing machine network CIDR")?;
     }
@@ -913,6 +923,19 @@ pub(crate) async fn ip_rename(
     Ok(())
 }
 
+pub(crate) async fn ip_rename_dual_stack(
+    in_memory_etcd_client: &Arc<InMemoryK8sEtcd>,
+    ips: &[String],
+    dirs: &[ConfigPath],
+    files: &[ConfigPath],
+) -> Result<()> {
+    let etcd_client = in_memory_etcd_client;
+
+    ip_rename::rename_all_dual_stack(etcd_client, ips, dirs, files).await.context("renaming all dual stack")?;
+
+    Ok(())
+}
+
 pub(crate) async fn pull_secret_rename(
     in_memory_etcd_client: &Arc<InMemoryK8sEtcd>,
     pull_secret: &str,