dual stack services (#91824)

* api: structure change

* api: defaulting, conversion, and validation

* [FIX] validation: auto remove second ip/family when service changes to SingleStack

* [FIX] api: defaulting, conversion, and validation

* api-server: clusterIPs alloc, printers, storage and strategy

* [FIX] clusterIPs default on read

* alloc: auto remove second ip/family when service changes to SingleStack

* api-server: repair loop handling for clusterIPs

* api-server: force kubernetes default service into single stack

* api-server: tie dualstack feature flag with endpoint feature flag

* controller-manager: feature flag, endpoint, and endpointSlice controllers handling multi family service

* [FIX] controller-manager: feature flag, endpoint, and endpointSlicecontrollers handling multi family service

* kube-proxy: feature-flag, utils, proxier, and meta proxier

* [FIX] kubeproxy: call both proxier at the same time

* kubenet: remove forced pod IP sorting

* kubectl: modify describe to include ClusterIPs, IPFamilies, and IPFamilyPolicy

* e2e: fix tests that depends on IPFamily field AND add dual stack tests

* e2e: fix expected error message for ClusterIP immutability

* add integration tests for dualstack

the third phase of dual stack is a very complex change in the API,
basically it introduces Dual Stack services. Main changes are:

- It pluralizes the Service IPFamily field to IPFamilies,
and removes the singular field.
- It introduces a new field IPFamilyPolicyType that can take
3 values to express the "dual-stack(mad)ness" of the cluster:
SingleStack, PreferDualStack and RequireDualStack
- It pluralizes ClusterIP to ClusterIPs.

The goal is to add coverage to the services API operations,
taking into account the 6 different modes a cluster can have:

- single stack: IP4 or IPv6 (as of today)
- dual stack: IPv4 only, IPv6 only, IPv4 - IPv6, IPv6 - IPv4

* [FIX] add integration tests for dualstack

* generated data

* generated files

Co-authored-by: Antonio Ojea <aojea@redhat.com>

pkg/controller/endpoint/endpoints_controller.go

@@ -216,22 +216,49 @@ func (e *Controller) addPod(obj interface{}) {
 
 func podToEndpointAddressForService(svc *v1.Service, pod *v1.Pod) (*v1.EndpointAddress, error) {
 	var endpointIP string
+	ipFamily := v1.IPv4Protocol
 
 	if !utilfeature.DefaultFeatureGate.Enabled(features.IPv6DualStack) {
 		// In a legacy cluster, the pod IP is guaranteed to be usable
 		endpointIP = pod.Status.PodIP
 	} else {
-		ipv6Service := endpointutil.IsIPv6Service(svc)
+		//feature flag enabled and pods may have multiple IPs
+		if len(svc.Spec.IPFamilies) > 0 {
+			// controller is connected to an api-server that correctly sets IPFamilies
+			ipFamily = svc.Spec.IPFamilies[0] // this works for headful and headless
+		} else {
+			// controller is connected to an api server that does not correctly
+			// set IPFamilies (e.g. old api-server during an upgrade)
+			if len(svc.Spec.ClusterIP) > 0 && svc.Spec.ClusterIP != v1.ClusterIPNone {
+				// headful service. detect via service clusterIP
+				if utilnet.IsIPv6String(svc.Spec.ClusterIP) {
+					ipFamily = v1.IPv6Protocol
+				}
+			} else {
+				// Since this is a headless service we use podIP to identify the family.
+				// This assumes that status.PodIP is assigned correctly (follows pod cidr and
+				// pod cidr list order is same as service cidr list order). The expectation is
+				// this is *most probably* the case.
+
+				// if the family was incorrectly indentified then this will be corrected once the
+				// the upgrade is completed (controller connects to api-server that correctly defaults services)
+				if utilnet.IsIPv6String(pod.Status.PodIP) {
+					ipFamily = v1.IPv6Protocol
+				}
+			}
+		}
+
+		// find an ip that matches the family
 		for _, podIP := range pod.Status.PodIPs {
-			ipv6PodIP := utilnet.IsIPv6String(podIP.IP)
-			if ipv6Service == ipv6PodIP {
+			if (ipFamily == v1.IPv6Protocol) == utilnet.IsIPv6String(podIP.IP) {
 				endpointIP = podIP.IP
 				break
 			}
 		}
-		if endpointIP == "" {
-			return nil, fmt.Errorf("failed to find a matching endpoint for service %v", svc.Name)
-		}
+	}
+
+	if endpointIP == "" {
+		return nil, fmt.Errorf("failed to find a matching endpoint for service %v", svc.Name)
 	}
 
 	return &v1.EndpointAddress{

pkg/controller/endpoint/endpoints_controller_test.go

@@ -1256,8 +1256,8 @@ func TestPodToEndpointAddressForService(t *testing.T) {
 
 			service: v1.Service{
 				Spec: v1.ServiceSpec{
-					ClusterIP: v1.ClusterIPNone,
-					IPFamily:  &ipv4,
+					ClusterIP:  v1.ClusterIPNone,
+					IPFamilies: []v1.IPFamily{v1.IPv4Protocol},
 				},
 			},
 
@@ -1289,7 +1289,7 @@ func TestPodToEndpointAddressForService(t *testing.T) {
 				},
 			},
 
-			expectedEndpointFamily: ipv4,
+			expectedEndpointFamily: ipv6,
 		},
 		{
 			name: "v6 service, in a dual stack cluster",
@@ -1320,33 +1320,32 @@ func TestPodToEndpointAddressForService(t *testing.T) {
 			expectedEndpointFamily: ipv6,
 		},
 		{
-			name: "v6 headless service, in a dual stack cluster",
+			name: "v6 headless service, in a dual stack cluster (connected to a new api-server)",
 
 			enableDualStack: true,
 			ipFamilies:      ipv4ipv6,
 
 			service: v1.Service{
 				Spec: v1.ServiceSpec{
-					ClusterIP: v1.ClusterIPNone,
-					IPFamily:  &ipv6,
+					ClusterIP:  v1.ClusterIPNone,
+					IPFamilies: []v1.IPFamily{v1.IPv6Protocol}, // <- set by a api-server defaulting logic
 				},
 			},
 
 			expectedEndpointFamily: ipv6,
 		},
 		{
-			name: "v6 legacy headless service, in a dual stack cluster",
+			name: "v6 legacy headless service, in a dual stack cluster  (connected to a old api-server)",
 
 			enableDualStack: false,
 			ipFamilies:      ipv4ipv6,
 
 			service: v1.Service{
 				Spec: v1.ServiceSpec{
-					ClusterIP: v1.ClusterIPNone,
+					ClusterIP: v1.ClusterIPNone, // <- families are not set by api-server
 				},
 			},
 
-			// This is not the behavior we *want*, but it's the behavior we currently expect.
 			expectedEndpointFamily: ipv4,
 		},