Configure network-validator and repair-controller to work with IPv6
Fixes #12864

The linkerd-cni network-validator container was binding to the IPv4
wildcard and connecting to an IPv4 address. This wasn't breaking things
in IPv6 clusters but it was only validating the iptables rules and not
the ip6tables ones. This change introduces logic to use addresses
according to the value of `disableIPv6`. If IPv6 is enabled, then the
ip6tables rules would get exercised. Note that a more complete change
would also exercise both iptables and ip6tables, but for now we're
defaulting to ip6tables.

This implied changing the helm value `networkValidator.connectAddr` to
`connectPort`. @mateiidavid could you please validate if this entry with
its simplified doc still makes sense, in light of #12797?

Similarly was the case with repair-controller, but given the IPv4
wildcard was used for the admin server, in IPv6 clusters the kubelet
wasn't able to reach the probe endpoints and the container was failing.
In this case the fix is just to have the admin server bind to `[::]`, which
works for IPv4 and IPv6 clusters.
alpeb committed Jul 22, 2024
1 parent 71291fe commit bfeb7b4
Showing 27 changed files with 82 additions and 60 deletions.
4 changes: 2 additions & 2 deletions charts/linkerd-control-plane/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -187,9 +187,9 @@ Kubernetes: `>=1.22.0-0`
| kubeAPI.clientBurst | int | `200` | Burst value over clientQPS |
| kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) |
| linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version |
| networkValidator.connectAddr | string | `"1.1.1.1:20001"` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. |
| networkValidator.connectPort | int | `20001` | Port to which the network-validator will attempt to connect |
| networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec |
| networkValidator.listenAddr | string | `"0.0.0.0:4140"` | Address to which network-validator listens to requests from itself |
| networkValidator.listenAddr | string | `"[::]:4140"` | Address to which network-validator listens to requests from itself |
| networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator |
| networkValidator.logLevel | string | debug | Log level for the network-validator |
| networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity |
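Review bot: the new `networkValidator.connectPort` row drops the guidance the removed `connectAddr` row carried, namely that the target must be a port the cluster is not expected to be able to reach, and it does not say which address the chart now pairs with the port. Since the address is selected by the chart from `disableIPv6` (see `_network-validator.tpl` in this commit), expand the description along the lines of `Port to which the network-validator will attempt to connect; the target address is chosen by the chart based on disableIPv6, so pick a port the cluster is not expected to reach (e.g. 20001)` so operators on air-gapped clusters still understand the constraint.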
Expand Down
8 changes: 3 additions & 5 deletions charts/linkerd-control-plane/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -323,12 +323,10 @@ networkValidator:
# -- Log format (`plain` or `json`) for network-validator
# @default -- plain
logFormat: plain
# -- Address to which the network-validator will attempt to connect. This should be an IP
# that the cluster is expected to be able to reach but a port it should not, e.g., a public IP
# for public clusters and a private IP for air-gapped clusters with a port like 20001.
connectAddr: "1.1.1.1:20001"
# -- Port to which the network-validator will attempt to connect
connectPort: 20001
# -- Address to which network-validator listens to requests from itself
listenAddr: "0.0.0.0:4140"
listenAddr: "[::]:4140"
# -- Timeout before network-validator fails to validate the pod's network connectivity
timeout: "10s"
# -- Include a securityContext in the network-validator pod spec
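Review bot: `listenAddr` now defaults to `"[::]:4140"` unconditionally, while the connect address in `_network-validator.tpl` branches on `disableIPv6`; on nodes where IPv6 is disabled at the kernel level an IPv6 wildcard bind may fail, which would break the validator for exactly the users who set `disableIPv6`. Either derive the default listen address from `disableIPv6` the same way the connect address is derived, or note in the comment that `disableIPv6` users must override `listenAddr` to `"0.0.0.0:4140"`.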
Expand Down
3 changes: 2 additions & 1 deletion charts/linkerd2-cni/templates/cni-plugin.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -312,7 +312,8 @@ spec:
command:
- /usr/lib/linkerd/linkerd-cni-repair-controller
args:
- --admin-addr=0.0.0.0:9990
- --admin-addr
- "[::]:9990"
- --log-format
- {{ .Values.repairController.logFormat }}
- --log-level
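Review bot: nothing in the template records why the admin server binds to `"[::]:9990"` rather than an IPv4 wildcard; the reason (kubelet probe reachability in IPv6 clusters) lives only in the commit message. Add a `#` comment above `- --admin-addr` stating that the dual-stack bind is required for the readiness/liveness probes, so a later change does not narrow it back to `0.0.0.0:9990`.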
Expand Down
8 changes: 6 additions & 2 deletions charts/partials/templates/_network-validator.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,13 @@ args:
- --log-level
- {{ .Values.networkValidator.logLevel }}
- --connect-addr
- {{ .Values.networkValidator.connectAddr }}
{{- if .Values.disableIPv6 }}
- "1.1.1.1:{{ .Values.networkValidator.connectPort }}"
{{- else }}
- "[fd00::1]:{{ .Values.networkValidator.connectPort }}"
{{- end }}
- --listen-addr
- {{ .Values.networkValidator.listenAddr }}
- {{ .Values.networkValidator.listenAddr | quote }}
- --timeout
- {{ .Values.networkValidator.timeout }}
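Review bot: hard-coding `1.1.1.1` and `[fd00::1]` removes the operator's ability to choose the target address, which the removed `connectAddr` documentation explicitly recommended for air-gapped clusters ("a private IP for air-gapped clusters"); a cluster with no default route for the selected family will now fail to connect before the nat rules are ever exercised. Consider keeping an optional `networkValidator.connectAddr` override that takes precedence over the `disableIPv6` branch, falling back to these two literals only when it is unset. The `{{- if .Values.disableIPv6 }}` / `{{- else }}` / `{{- end }}` trimming is correct for the YAML list context; note also that `[fd00::1]` is a ULA address while the IPv4 branch targets a public one, so the two branches do not exercise equivalent routing paths.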

Expand Down
4 changes: 2 additions & 2 deletions cli/cmd/install_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -140,8 +140,8 @@ func TestRender(t *testing.T) {
NetworkValidator: &charts.NetworkValidator{
LogLevel: "debug",
LogFormat: "plain",
ConnectAddr: "1.1.1.1:20001",
ListenAddr: "0.0.0.0:4140",
ConnectPort: 20001,
ListenAddr: "[::]:4140",
Timeout: "10s",
},
Configs: charts.ConfigJSONs{
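Review bot: the updated `TestRender` fixture only covers the default rendering (`ConnectPort: 20001`, `ListenAddr: "[::]:4140"`), so the `disableIPv6` branch introduced in `_network-validator.tpl`, which emits `1.1.1.1:<connectPort>` instead of `[fd00::1]:<connectPort>`, has no test exercising it. Add a render case with `disableIPv6` enabled and a matching golden file so a regression in either branch of the template is caught.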
Expand Down

5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_controlplane_tracing_output.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_custom_domain.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_custom_registry.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_default.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_default_override_dst_get_nets.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_default_token.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_gid_output.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_ha_output.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_ha_with_overrides_output.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_heartbeat_disabled_output.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_helm_control_plane_output.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_helm_control_plane_output_ha.golden
5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_helm_output_ha_labels.golden

0 comments on commit bfeb7b4
