Support IPv6 terminated at the router with internal IPv4 #13663
Allow haproxy to listen to ipv6 interfaces.
PTAL @openshift/networking
Make v6 support configurable instead of always on? Related keepalived config?
LGTM thanks, but addressing @sghosh151's concerns would be good.
[test]
[test]
Evaluated for origin test up to 00fd6b6
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/1363/) (Base Commit: 2628c77)
[merge] But @imcsk8 please put a comment in here explaining the testing you did that shows that if there is no IPv6 address on the router node it still works correctly.
Is it possible to add an env like "ROUTER_TERMINATING_IPV6" to control whether to enable IPv6?
@lihongan: Why do we need to disable v6? If the host supports it, what's the reason not to always listen on the v6 interface too? @imcsk8 tested to make sure that if v6 was disabled that it worked correctly still. We automatically bind to an http and an https port, there's no way to disable it (but you can control which port). If someone has v6, and the host is reachable by v6, and the DNS records serve an AAAA address, but they still want to forbid the router from answering, then they can block that in iptables... (or, more likely, not enable it in iptables).
Probably I didn't express it clearly before. I mean we can bind ipv4 only by default (current implementation), so the router won't answer ipv6 requests. If someone wants to terminate ipv6 requests on the router, then they can add an env to let the router bind both ipv4 and ipv6 addresses.
@lihongan, no, I understood your point and I agree that it is a minor change in behavior. But I am asking why we care? The router admin needs to have IPv6 working, have DNS configured to serve IPv6 responses (AAAA records), and needs to have the firewall open to allow IPv6 in to the router ports. If they don't do all of that it won't work anyway... why also make them configure something in the router? What harm is there if we do not add another config knob?
Evaluated for origin merge up to 00fd6b6
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/937/) (Base Commit: cc2ed8f) (Image: devenv-rhel7_6333)
@knobunc thanks for your explanation, understand now.
Trello card: https://trello.com/c/OkSdZ3JM/421-2-support-ipv6-terminated-at-the-router-with-internal-ipv4-ipv6