Bind Envoy NLLB to all localhost loopback IPs

This ensures that it will be reachable via IPv4 and IPv6 at the same time, instead of picking one of the two. Signed-off-by: Tom Wieczorek <[email protected]>
k0sproject · May 31, 2024 · a0abf43 · a0abf43
1 parent ff3d3ef
commit a0abf43
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 17 deletions.
diff --git a/pkg/component/worker/nllb/envoy.go b/pkg/component/worker/nllb/envoy.go
@@ -62,8 +62,8 @@ type envoyParams struct {
 	// Directory in which the envoy config files are stored.
 	configDir string
 
-	// IP to which Envoy will bind.
-	bindIP net.IP
+	// IPs to which Envoy will bind.
+	bindIPs []net.IP
 
 	// Port to which Envoy will bind the API server load balancer.
 	apiServerBindPort uint16
@@ -131,12 +131,12 @@ func (e *envoyProxy) start(ctx context.Context, profile workerconfig.Profile, ap
 		}
 	}()
 
-	loopbackIP, err := getLoopbackIP(ctx)
+	loopbackIPs, err := getLoopbackIPs(ctx)
 	if err != nil {
 		if errors.Is(err, ctx.Err()) {
 			return err
 		}
-		e.log.WithError(err).Infof("Falling back to %s as bind address", loopbackIP)
+		e.log.WithError(err).Infof("Falling back to %v as bind addresses", loopbackIPs)
 	}
 
 	nllb := profile.NodeLocalLoadBalancing
@@ -148,7 +148,7 @@ func (e *envoyProxy) start(ctx context.Context, profile workerconfig.Profile, ap
 	e.config = &envoyConfig{
 		envoyParams{
 			e.dir,
-			loopbackIP,
+			loopbackIPs,
 			uint16(profile.NodeLocalLoadBalancing.EnvoyProxy.APIServerBindPort),
 			konnectivityBindPort,
 		},
@@ -179,7 +179,7 @@ func (e *envoyProxy) getAPIServerAddress() (*k0snet.HostPort, error) {
 	if e.config == nil {
 		return nil, errors.New("not yet started")
 	}
-	return k0snet.NewHostPort(e.config.bindIP.String(), e.config.apiServerBindPort)
+	return k0snet.NewHostPort(e.config.getBindHost(), e.config.apiServerBindPort)
 }
 
 func (e *envoyProxy) updateAPIServers(apiServers []k0snet.HostPort) error {
@@ -213,15 +213,23 @@ func (e *envoyProxy) stop() {
 	e.config = nil
 }
 
+func (p *envoyParams) getBindHost() string {
+	if len(p.bindIPs) == 1 {
+		return p.bindIPs[0].String()
+	}
+
+	return "localhost"
+}
+
 func writeEnvoyConfigFiles(params *envoyParams, filesParams *envoyFilesParams) error {
 	data := struct {
-		BindIP                     net.IP
+		BindIPs                    []net.IP
 		APIServerBindPort          uint16
 		KonnectivityServerBindPort uint16
 		KonnectivityServerPort     uint16
 		UpstreamServers            []k0snet.HostPort
 	}{
-		BindIP:                     params.bindIP,
+		BindIPs:                    params.bindIPs,
 		APIServerBindPort:          params.apiServerBindPort,
 		KonnectivityServerBindPort: params.konnectivityServerBindPort,
 		KonnectivityServerPort:     filesParams.konnectivityServerPort,
@@ -301,7 +309,7 @@ func makePodManifest(params *envoyParams, podParams *envoyPodParams) corev1.Pod
 					TimeoutSeconds:   3,
 					ProbeHandler: corev1.ProbeHandler{
 						TCPSocket: &corev1.TCPSocketAction{
-							Host: params.bindIP.String(), Port: intstr.FromInt(int(params.apiServerBindPort)),
+							Host: params.getBindHost(), Port: intstr.FromInt(int(params.apiServerBindPort)),
 						},
 					},
 				},
@@ -328,24 +336,28 @@ dynamic_resources:
   cds_config:
     path: /etc/envoy/cds.yaml
 
-{{ $localKonnectivityPort := .KonnectivityServerBindPort -}}
+{{ $apiServerPort := .APIServerBindPort -}}
+{{- $localKonnectivityPort := .KonnectivityServerBindPort -}}
 {{- $remoteKonnectivityPort := .KonnectivityServerPort -}}
 static_resources:
   listeners:
-  - name: apiserver
+  {{- range $idx, $bindIP := .BindIPs }}
+  - name: apiserver-ip-{{ $idx }}
     address:
-      socket_address: { address: {{ printf "%q" .BindIP }}, port_value: {{ .APIServerBindPort }} }
+      socket_address: { address: {{ printf "%q" $bindIP }}, port_value: {{ $apiServerPort }} }
     filter_chains:
     - filters:
       - name: envoy.filters.network.tcp_proxy
         typed_config:
           "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
           stat_prefix: apiserver
           cluster: apiserver
+  {{- end }}
   {{- if ne $localKonnectivityPort 0 }}
-  - name: konnectivity
+  {{- range $idx, $bindIP := .BindIPs }}
+  - name: konnectivity-ip-{{ $idx }}
     address:
-      socket_address: { address: {{ printf "%q" .BindIP }}, port_value: {{ $localKonnectivityPort }} }
+      socket_address: { address: {{ printf "%q" $bindIP }}, port_value: {{ $localKonnectivityPort }} }
     filter_chains:
     - filters:
       - name: envoy.filters.network.tcp_proxy
@@ -354,6 +366,7 @@ static_resources:
           stat_prefix: konnectivity
           cluster: konnectivity
   {{- end }}
+  {{- end }}
 `))
 
 var envoyClustersConfig = template.Must(template.New("Clusters").Parse(`

diff --git a/pkg/component/worker/nllb/reconciler.go b/pkg/component/worker/nllb/reconciler.go
@@ -418,19 +418,23 @@ func writePatchedKubeconfig(path string, kubeconfig *clientcmdapi.Config, server
 	return file.WriteContentAtomically(path, bytes, constant.CertSecureMode)
 }
 
-func getLoopbackIP(ctx context.Context) (net.IP, error) {
+func getLoopbackIPs(ctx context.Context) (ips []net.IP, _ error) {
 	localIPs, err := net.DefaultResolver.LookupIPAddr(ctx, "localhost")
 	if err != nil {
 		err = fmt.Errorf("failed to resolve localhost: %w", err)
 	} else {
 		for _, addr := range localIPs {
 			if addr.IP.IsLoopback() {
-				return addr.IP, nil
+				ips = append(ips, addr.IP)
 			}
 		}
 
+		if len(ips) != 0 {
+			return ips, nil
+		}
+
 		err = fmt.Errorf("no loopback IPs found for localhost: %v", localIPs)
 	}
 
-	return net.IP{127, 0, 0, 1}, err
+	return []net.IP{{127, 0, 0, 1}}, err
 }