
add ipv6 support to update-ips #2450

Merged: 10 commits, Mar 10, 2025

Conversation

vomba (Contributor) commented Feb 25, 2025

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request, nor
  • business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • [kind/adr](set-me)

What does this PR do / why do we need this PR?

Adds support for IPv6 to update-ips script.

Information to reviewers

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
    • The change updates CRDs
    • The change updates the config and the schema
  • Documentation checks:
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
    • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
  • Logs checks:
    • The logs do not show any errors after the change
  • PodSecurityPolicy checks:
    • Any changed Pod is covered by Kubernetes Pod Security Standards
    • Any changed Pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
  • NetworkPolicy checks:
    • Any changed Pod is covered by Network Policies
    • The change does not cause any dropped packets in the NetworkPolicy Dashboard
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Bug checks:
    • The bug fix is covered by regression tests

@vomba vomba requested a review from a team as a code owner February 25, 2025 12:58
@vomba vomba force-pushed the hani/add-ipv6-support-update-ips branch from 458dd44 to 63a2874 February 26, 2025 07:55
@vomba vomba requested a review from simonklb February 26, 2025 07:57
simonklb (Contributor) left a comment

Nice work! The changes look good but since the number of kubectl and dig calls have changed you will have to update the mocked kubectl and dig calls in the tests.

I would like to see tests for both with and without ipv6 results as well.

@@ -294,13 +324,17 @@ process_ips_to_cidrs() {

for ip in "${@}"; do
for cidr in "${old_cidrs[@]}"; do
if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! [[ "${cidr}" =~ .*/32 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then
if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! [[ "${cidr}" =~ .*/32 ]] && ! [[ "${cidr}" =~ .*/128 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then
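Review bot: the added `! [[ "${cidr}" =~ .*/128 ]]` guard sits next to the existing `.*/32` guard, but once IPv6 entries are in old_cidrs the `.*/32` test also skips IPv6 networks such as 2001:db8::/32, so the `&&` chain stops before check_ip_in_cidr and an address inside that network is never matched against it. The two patterns should be tied to their address family and anchored, because `=~` searches for the pattern anywhere in the string rather than matching the whole value: `^[0-9.]+/32$` for an IPv4 host and `^[0-9a-fA-F:]+/128$` for an IPv6 host.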
Contributor commented

Is this going to do the right thing with an IPv6 address like 2001:db8::/32 ?

vomba (author) commented

It should stay the way it is.

Contributor commented

I mean, when cidr=2001:db8::/32 then ! [[ "${cidr}" =~ .*/32 ]] → ! [[ /32 == /32 ]] → ! true → false, and then the condition stops there. I assume that's only meant to happen for IPv4 /32.

vomba (author) commented

Hmm... I might be missing the issue here, but wouldn't that mean that the cidr just doesn't get processed, and therefore it gets added the way it is, which I think is the behavior we want at that point?

Contributor commented

given old_cidrs=(127.0.0.0/8 2001:db8::/32 fe80::/10) and ips=(127.0.0.1 2001:db8::1 fe80::d309:087a:7c4f:3aaf) the function outputs

0.0.0.0/0
2001:db8::1/128
fe80::/10

wouldn't the expected be

0.0.0.0/0
2001:db8::/32
fe80::/10

?

Contributor commented

Yes, this is wrong. This should catch single-IP CIDRs only; with the introduction of IPv6, .*/32 is not doing that anymore.

Contributor commented

Maybe like this

Suggested change
if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! [[ "${cidr}" =~ .*/32 ]] && ! [[ "${cidr}" =~ .*/128 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then
if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! [[ "${cidr}" =~ [0-9.]*/32 ]] && ! [[ "${cidr}" =~ [0-9a-f:]*/128 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then

Alternatively, but probably more work, only dealing with IPv6-mapped IPv4 addresses would need only a single /128 comparison.

vomba (author) commented

That looks good, will add it.

@vomba vomba requested a review from a team as a code owner February 26, 2025 13:38
@vomba vomba requested review from Zash and simonklb March 4, 2025 10:42
simonklb (Contributor) left a comment

Just minor things left to fix up, nice work!

I would have liked to see a test of maximal run dualStack as well but if you feel that you are about to claw your eyes out seeing another bats run then I'm fine with you skipping it for now. 😄 There is some work needed to be done here to make it easier to test.

@@ -294,13 +329,17 @@ process_ips_to_cidrs() {

for ip in "${@}"; do
for cidr in "${old_cidrs[@]}"; do
if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! [[ "${cidr}" =~ .*/32 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then
if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! [[ "${cidr}" =~ [0-9.].*/32 ]] && ! [[ "${cidr}" =~ [0-9a-f:].*/128 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then
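Review bot: in the new line, `[0-9.].*/32` only constrains the first character before the `.*`, so 2001:db8::/32 (first character `2`) still matches and is still skipped; the same holds for `[0-9a-f:].*/128`. Dropping the `.*` alone does not close this either: `=~` searches for the pattern anywhere in the string and `[0-9.]*` can match the empty string directly in front of `/32`, so `[[ "2001:db8::/32" =~ [0-9.]*/32 ]]` is still true. Anchor both patterns and require at least one address character, e.g. `^[0-9.]+/32$` and `^[0-9a-fA-F:]+/128$`.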
Zash (Contributor) commented

`[0-9.].*` only ensures the first thing is a number or `.`, while `[0-9.]*` only matches numbers and literal `.`.

Suggested change
if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! [[ "${cidr}" =~ [0-9.].*/32 ]] && ! [[ "${cidr}" =~ [0-9a-f:].*/128 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then
if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! [[ "${cidr}" =~ [0-9.]*/32 ]] && ! [[ "${cidr}" =~ [0-9a-f:]*/128 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then
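The single-host check that the whole thread circles around, as an added example rather than code from the update-ips script: `is_single_host_cidr`, `unanchored_pattern_misfires`, `candidate_networks` and the sample CIDR list are constructed here. It shows why `2001:db8::/32` must not count as a single host, why even `[0-9.]*/32` still matches it when the pattern is not anchored (`=~` searches, and `[0-9.]*` can match the empty string before `/32`), and how anchored patterns keep the reviewer's expected networks.

```bash
#!/usr/bin/env bash
# Constructed example, not the project's code: decide whether a CIDR denotes a
# single host (IPv4 /32 or IPv6 /128) without mistaking an IPv6 /32 network
# such as 2001:db8::/32 for one.

# Anchored patterns. [[ =~ ]] searches for the regex anywhere in the string, so
# without ^ and $ a class like [0-9.]* can match the empty string right before
# "/32" and an IPv6 network ending in /32 slips through.
IPV4_HOST_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}/32$'
IPV6_HOST_RE='^[0-9a-fA-F:]+/128$'

# Returns 0 when the argument is a single-host CIDR, 1 otherwise.
is_single_host_cidr() {
  local cidr="$1"
  [[ "${cidr}" =~ $IPV4_HOST_RE ]] || [[ "${cidr}" =~ $IPV6_HOST_RE ]]
}

# Demonstrates the pitfall: the unanchored class-only pattern still matches an
# IPv6 /32 network. Returns 0 when the false positive occurs.
unanchored_pattern_misfires() {
  [[ "2001:db8::/32" =~ [0-9.]*/32 ]]
}

# Mirrors the filter in the process_ips_to_cidrs loop: print only the entries
# that are real networks worth a containment check (not empty, not the
# "set-me" placeholder, not a single host).
candidate_networks() {
  local cidr
  for cidr in "$@"; do
    if [[ "${cidr}" != "" ]] && [[ "${cidr}" != "set-me" ]] && ! is_single_host_cidr "${cidr}"; then
      printf '%s\n' "${cidr}"
    fi
  done
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  # Sample list constructed from the cases discussed in the review.
  candidate_networks 127.0.0.0/8 10.1.2.3/32 set-me 2001:db8::/32 2001:db8::1/128 fe80::/10
fi
```

Run stand-alone it prints 127.0.0.0/8, 2001:db8::/32 and fe80::/10, the networks the reviewer expected to survive unchanged.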

simonklb (Contributor) left a comment

After you have fixed the thing pointed out by @Zash this LGTM, great work!

@vomba vomba merged commit dae68a0 into main Mar 10, 2025
12 checks passed
@vomba vomba deleted the hani/add-ipv6-support-update-ips branch March 10, 2025 14:08
Successfully merging this pull request may close these issues.

[3] Add IPv6 support for update-ips script