search

emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0
4.36k stars 685 forks source link

Ambassador does not accept Ipv4 requests in dual stack mode #4012

Open steffenries opened 2 years ago

steffenries commented 2 years ago

Describe the bug When I configure ambassador in an IPv4/IPv6 dual stack environment, requests are accepted either for IPv4 or IPv6. It is not possible to set up the proxy to accept requests for both protocols

To Reproduce

  1. install ambassador with IPv4 load balancer IP and env.AMBASSADOR_ENVOY_BIND_ADDRESS='::' to start listening on IPv6. e.g.

    helm install ambassador datawire/ambassador --version 6.9.3 --set service.type=LoadBalancer --set service.loadBalancerIP=10.0.0.1 --set env.AMBASSADOR_ENVOY_BIND_ADDRESS='::'

  2. configure Service using IPv6 load balancer IP: e.g.

    kubectl apply -f - <<!
apiVersion: v1
kind: Service
metadata:
name: ambassador-v6
spec:
ipFamilies:
- IPv6
loadBalancerIP: fd00::1
selector:
app.kubernetes.io/instance: ambassador
app.kubernetes.io/name: ambassador
type: LoadBalancer
ports:
- name: http
  port: 80
  targetPort: 8080
- name: https
  port: 443
  targetPort: 8443
!

Expected behavior

Connections to both IPv4 and IPv6 endpoint should be accepted. In the example above both "curl http://10.0.01" and "curl http://[fd00::1]" should be accessible.

If AMBASSADOR_ENVOY_BIND_ADDRESS='::' is configured, ONLY IPv6 requests are accepted. If AMBASSADOR_ENVOY_BIND_ADDRESS is not configured ONLY IPv4 requests are accepted.

Versions (please complete the following information):

Additional context

Envoy supports the option "ipv4_compat" to allow listeners listening on in6addr_any ("::") to accept ipv4 requests. The flag is not set when creating envoy/envoy.json which leads to the single stack behavior.

This patch enables ip4_compat unconditionally:

diff --git a/python/ambassador/envoy/v2/v2listener.py b/python/ambassador/envoy/v2/v2listener.py
index 555fd9460..c465884ef 100644
--- a/python/ambassador/envoy/v2/v2listener.py
+++ b/python/ambassador/envoy/v2/v2listener.py
@@ -617,7 +617,8 @@ class V2TCPListener(dict):
                 'socket_address': {
                     'address': self.bind_address,
                     'port_value': group.port,
-                    'protocol': 'TCP'
+                    'protocol': 'TCP',
+                    'ipv4_compat': True
                 }
             },
             'filter_chains': []
@@ -1144,7 +1145,8 @@ class V2Listener(dict):
             "socket_address": {
                 "address": envoy_bind_address,
                 "port_value": self.service_port,
-                "protocol": "TCP"
+                "protocol": "TCP",
+                "ipv4_compat": True
             }
         }

diff --git a/python/ambassador/envoy/v3/v3listener.py b/python/ambassador/envoy/v3/v3listener.py
index e6d8d5c5c..8665df4ea 100644
--- a/python/ambassador/envoy/v3/v3listener.py
+++ b/python/ambassador/envoy/v3/v3listener.py
@@ -636,7 +636,8 @@ class V3TCPListener(dict):
                 'socket_address': {
                     'address': self.bind_address,
                     'port_value': group.port,
-                    'protocol': 'TCP'
+                    'protocol': 'TCP',
+                    'ipv4_compat': True
                 }
             },
             'filter_chains': []
@@ -1187,7 +1188,8 @@ class V3Listener(dict):
             "socket_address": {
                 "address": envoy_bind_address,
                 "port_value": self.service_port,
-                "protocol": "TCP"
+                "protocol": "TCP",
+                "ipv4_compat": True
             }
         }
alexgervais commented 2 years ago

Thanks for raising this issue and providing a suggested fix @steffenries! I've tagged it as a feature request for a future release.

lorenzo-biava commented 9 months ago

@alexgervais we are also interested in running Emissary in dual-stack mode. Was this ever implemented in the end? I've been looking around in the doc and code but can't really find anything about it.

nsaujla commented 5 months ago

@alexgervais Any update on this?

alexgervais commented 5 months ago

Hi @nsaujla, @lorenzo-biava. I'm no longer a maintainer or affiliated with Emissary-ingress. I'm not going to be able to move this forward.

nsaujla commented 5 months ago

@cindymullins-dw Can you please help with this?