fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes

[lobkovilya]

Today there is a possibility to change the Envoy Admin address to ::1 but admin_proxy_generator.go generates an admin cluster always with a 127.0.0.1 address.

This PR puts a specified admin address to proxy metadata and uses it when generating an admin cluster.

Checklist prior to review

• Link to relevant issue as well as docs and UI issues -- Fix Wait For Dataplane Ready takes too long and times out at 3 minutes #7849
• This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as a image registry) and it will work on Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
• Tests (Unit test, E2E tests, manual test on universal and k8s) --
• Do you need to update UPGRADE.md? --
• Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label) --
• Do you need to explicitly set a > Changelog: entry here or add a ci/ label to run fewer/more tests?

[cbugneac-nex]

Hi @lobkovilya should we also mention that kuma-sidecar (kuma-dp) also needs to bind to IPv6 or this is for a separate PR ?

[lobkovilya]

Hi, kuma-sidecar is binding to the data plane proxy inbound address as you can see here (g.getAddress(proxy) returns it):

kuma/pkg/xds/generator/admin_proxy_generator.go

Line 87 in 21efbfb

listener, err := envoy_listeners.NewInboundListenerBuilder(proxy.APIVersion, g.getAddress(proxy), adminPort, core_xds.SocketAddressProtocolTCP).

.

And I believe we already have IPv6 support for DPP inbounds, so it should work. The only issue here was using 127.0.0.1 in the envoy admin cluster and this PR changes this to take the address from the proxy's metadata.

[github-actions]

backporting to release-2.1 with action

backporting to release-2.3 with action
backporting to release-2.4 with action
backporting to release-2.0 with action

[lahabana]

Couple of questions:

• what happens in dual stack?
• could we have not added an e2e test to make sure it works on both ipv4 and ipv6 in real life setups?

[lobkovilya]

what happens in dual stack?

Envoy binds to 127.0.0.1 by default, so dual stack worked well before this PR.

could we have not added an e2e test to make sure it works on both ipv4 and ipv6 in real life setups?

I'm not sure if we need a dedicated e2e test for this, but I can change one Zone CP when running kindipv6 to have:

KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_WAIT_FOR_DATAPLANE_READY: "true"
KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS: "::1"

that way we can ensure these features are tested.

[cbugneac-nex]

Apologies, will this change be included in the next release, e.g. 2.4.2 ?

[michaelbeaumont]

@cbugneac-nex Yes: https://github.com/kumahq/kuma/tree/release-2.4

[cbugneac-nex]

Thanks @michaelbeaumont Don't want to look pushy, but when release of 2.4.2 is planned to happen ?
Reason: I'm blocked now with #7849 and would like to plan my work when I can get back to it.

[lahabana]

I like this option of using ::1 for our ipv6 tests yes @lobkovilya !