OCPBUGS-39260: Add ipv6 hairpin to forbidden IP addresses for router

[pacevedom]

The router was being exposed on the hairpin ip address (fd69::2/125). This caused the addition of iptables rules routing hairpin traffic to service IPs, while ovs is configured to do the opposite, resulting in dropped traffic.

Which issue(s) this PR addresses:

Closes #

[openshift-ci-robot]

@pacevedom: This pull request references Jira Issue OCPBUGS-39260, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

* bug is open, matching expected state (open) * bug target version (4.18.0) matches configured target version for branch (4.18.0) * bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @jogeo

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/microshift/pull/3875): > >**Which issue(s) this PR addresses**: > >Closes # > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fmicroshift). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

[openshift-ci-robot]

@pacevedom: This pull request references Jira Issue OCPBUGS-39260, which is valid.

3 validation(s) were run on this bug

* bug is open, matching expected state (open) * bug target version (4.18.0) matches configured target version for branch (4.18.0) * bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @jogeo

In response to [this](https://github.com/openshift/microshift/pull/3875): >The router was being exposed on the hairpin ip address (fd69::2/125). This caused the addition of iptables rules routing hairpin traffic to service IPs, while ovs is configured to do the opposite, resulting in dropped traffic. > >**Which issue(s) this PR addresses**: > >Closes # > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fmicroshift). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

[pmtk]

/lgtm

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom, pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/microshift/blob/main/OWNERS)~~ [pacevedom,pmtk] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD eabaed6541de34731db65c8ea8b61fc3c690ab0f and 2 for PR HEAD dab97cd19251304425237ce33a4d687e8a513f51 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD eabaed6541de34731db65c8ea8b61fc3c690ab0f and 2 for PR HEAD dab97cd19251304425237ce33a4d687e8a513f51 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9729e78569059ad536ac7f3d00ce80526d0b267b and 1 for PR HEAD dab97cd19251304425237ce33a4d687e8a513f51 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9729e78569059ad536ac7f3d00ce80526d0b267b and 2 for PR HEAD dab97cd19251304425237ce33a4d687e8a513f51 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9729e78569059ad536ac7f3d00ce80526d0b267b and 2 for PR HEAD dab97cd19251304425237ce33a4d687e8a513f51 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD d62eb4e4f8c32e50ee4780dc896672979a728615 and 2 for PR HEAD dab97cd19251304425237ce33a4d687e8a513f51 in total

[pacevedom]

Evidence from manual testing:

$ ../_output/robotenv/bin/robot -V variables.yaml suites/ipv6/singlestack.robot 
==============================================================================
Singlestack :: Tests related to MicroShift running in an IPv6-only host       
==============================================================================
Verify Router Serves IPv6 :: Verify router is capable of serving i... | PASS |
------------------------------------------------------------------------------
Verify All Services Are Ipv6 :: Check all services are running IPv... | PASS |
------------------------------------------------------------------------------
Singlestack :: Tests related to MicroShift running in an IPv6-only... | PASS |
2 tests, 2 passed, 0 failed
==============================================================================
Output:  /home/pacevedo/go/src/github.com/pacevedom/microshift/test/output.xml
Log:     /home/pacevedo/go/src/github.com/pacevedom/microshift/test/log.html
Report:  /home/pacevedo/go/src/github.com/pacevedom/microshift/test/report.html

$ git log --oneline -1
dab97cd19 (HEAD -> OCPBUGS-39260, origin/OCPBUGS-39260) OCPBUGS-39260: Add ipv6 hairpin to forbidden IPs in certs

$ sudo microshift version
MicroShift Version: 4.18.0-0.nightly-2024-08-29-020346-20240906093826-dab97cd19-dirty
Base OCP Version: 4.18.0-0.nightly-2024-08-29-020346

[pacevedom]

/override ci/prow/microshift-metal-tests /override ci/prow/microshift-metal-tests-arm

[openshift-ci[bot]]

@pacevedom: Overrode contexts on behalf of pacevedom: ci/prow/microshift-metal-tests, ci/prow/microshift-metal-tests-arm

In response to [this](https://github.com/openshift/microshift/pull/3875#issuecomment-2340272567): >/override ci/prow/microshift-metal-tests >/override ci/prow/microshift-metal-tests-arm Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[openshift-ci-robot]

@pacevedom: Jira Issue OCPBUGS-39260: All pull requests linked via external trackers have merged:

• openshift/microshift#3875

Jira Issue OCPBUGS-39260 has been moved to the MODIFIED state.

In response to [this](https://github.com/openshift/microshift/pull/3875): >The router was being exposed on the hairpin ip address (fd69::2/125). This caused the addition of iptables rules routing hairpin traffic to service IPs, while ovs is configured to do the opposite, resulting in dropped traffic. > >**Which issue(s) this PR addresses**: > >Closes # > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fmicroshift). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

[pacevedom]

/cherry-pick release-4.17

[openshift-cherrypick-robot]

@pacevedom: new pull request created: #3896

In response to [this](https://github.com/openshift/microshift/pull/3875#issuecomment-2340739733): >/cherry-pick release-4.17 Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[openshift-ci[bot]]

@pacevedom: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).