Merge branch 'master' into auditing-timescaledb

Makefile

@@ -128,10 +128,15 @@ external_network:
 			--gateway=203.0.113.1 \
 			--subnet=203.0.113.0/24 \
 			--ip-range=203.0.113.0/26 \
+			--ipv6 \
+			--gateway=2001:db8::1 \
+			--subnet=2001:db8::/48 \
 			--opt "com.docker.network.driver.mtu=9000" \
 			--opt "com.docker.network.bridge.name=mini_lab_ext" \
 			--opt "com.docker.network.bridge.enable_ip_masquerade=true" && \
-		sudo ip route add 203.0.113.128/25 via 203.0.113.128 dev mini_lab_ext; fi
+		sudo ip route add 203.0.113.128/25 via 203.0.113.128 dev mini_lab_ext && \
+		sudo ip -6 route add 2001:db8:0:113::/64 via 2001:db8:0:1::1 dev mini_lab_ext; \
+	fi
 
 .PHONY: env
 env:
@@ -168,7 +173,11 @@ firewall: _privatenet
 
 .PHONY: public-ip
 public-ip:
-	@docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network ip create --name test --network internet-mini-lab --project 00000000-0000-0000-0000-000000000001 -o template --template "{{ .ipaddress }}"
+	@docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network ip create --name test --network internet-mini-lab --project 00000000-0000-0000-0000-000000000001 --addressfamily IPv4 -o template --template "{{ .ipaddress }}"
+
+.PHONY: public-ipv6
+public-ipv6:
+	@docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network ip create --name test --network internet-mini-lab --project 00000000-0000-0000-0000-000000000001 --addressfamily IPv6 -o template --template "{{ .ipaddress }}"
 
 .PHONY: ls
 ls: env
@@ -292,6 +301,25 @@ test-connectivity-to-external-service:
 		fi; \
 	done
 
+.PHONY: test-connectivity-to-external-service-via-ipv6
+test-connectivity-to-external-service-via-ipv6:
+	@for i in $$(seq 1 $(MAX_RETRIES)); do \
+		if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://[2001:db8::10]" > /dev/null 2>&1; then \
+			echo "Connected successfully"; \
+			exit 0; \
+		else \
+			echo "Connection failed"; \
+			if [ $$i -lt $(MAX_RETRIES) ]; then \
+				echo "Retrying in 2 seconds..."; \
+				sleep 2; \
+			else \
+				echo "Max retries reached"; \
+				exit 1; \
+			fi; \
+		fi; \
+	done
+
+
 ## DEV TARGETS ##
 
 .PHONY: dev-env

files/exit/frr.conf

@@ -6,6 +6,7 @@ log syslog informational
 vrf vrfInternet
  vni 104009
  ip route 0.0.0.0/0 203.0.113.1
+ ipv6 route ::/0 2001:db8::1
 exit-vrf
 !
 interface eth1
@@ -18,6 +19,7 @@ interface eth2
 !
 interface mini_lab_ext
  ip address 203.0.113.128/24
+ ipv6 address 2001:db8:0:1::1/48
 !
 interface lo
  ip address 10.0.0.21/32
@@ -35,6 +37,10 @@ router bgp 4200000021
   redistribute connected route-map LOOPBACKS
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map LOOPBACKS
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -49,8 +55,13 @@ router bgp 4200000021 vrf vrfInternet
   redistribute static
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute static
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 route-map LOOPBACKS permit 10

files/exit/network.sh

@@ -25,3 +25,5 @@ bridge vlan del vid 1 untagged pvid dev vniInternet
 bridge vlan add vid 1000 dev vniInternet
 bridge vlan add vid 1000 untagged pvid dev vniInternet
 ip link set up dev vniInternet
+
+sysctl -w net.ipv6.conf.all.forwarding=1

files/external_service/network.sh

@@ -3,3 +3,5 @@ set -o errexit -o xtrace
 
 ip addr add 203.0.113.100/24 dev mini_lab_ext
 ip route add 203.0.113.128/25 via 203.0.113.128 dev mini_lab_ext
+ip -6 addr add 2001:db8::10/48 dev mini_lab_ext
+ip -6 route add 2001:db8:0:113::/64 via 2001:db8:0:1::1 dev mini_lab_ext

files/ignition.json

@@ -14,7 +14,7 @@
         "path": "/etc/hosts.allow",
         "append": true,
         "contents": {
-          "source": "data:,ALL%3A%20%5Bfe80%3A%3A%5D%2F10%0D%0AALL%3A%20203.0.113.1%0D%0A",
+          "source": "data:,ALL%3A%20%5Bfe80%3A%3A%5D%2F10%0AALL%3A%20203.0.113.1%0AALL%3A%20%5B2001%3Adb8%3A%3A1%5D%0A%0A",
           "verification": {}
         },
         "mode": 644

files/rules.yaml

@@ -3,10 +3,27 @@ egress:
   - comment: allow outgoing http and https
     ports:
       - 80
+    protocol: TCP
+    to:
+      - 0.0.0.0/0
+  - comment: allow outgoing http
+    ports:
+      - 80
+    protocol: TCP
+    to:
+      - ::/0
+  - comment: allow outgoing https
+    ports:
       - 443
     protocol: TCP
     to:
       - 0.0.0.0/0
+  - comment: allow outgoing https
+    ports:
+      - 443
+    protocol: TCP
+    to:
+      - ::/0
   - comment: allow outgoing dns via tcp
     ports:
       - 53
@@ -38,3 +55,11 @@ ingress:
       - 203.0.113.0/24
     to:
       - 203.0.113.128/25
+  - comment: allow incoming ssh
+    ports:
+      - 22
+    protocol: TCP
+    from:
+      - 2001:db8::1/128
+    to:
+      - 2001:db8:0:113::/64

inventories/group_vars/all/images.yaml

@@ -15,6 +15,7 @@ setup_yaml:
 # metal_masterdata_api_image_tag:
 # metal_console_image_name:
 # metal_console_image_tag:
+# metal_core_image_tag:
 # ...
 #
 # further overrides can be looked up in the metal-role projects where the mapping is defined:

inventories/group_vars/control-plane/metal.yml

@@ -67,9 +67,11 @@ metal_api_networks:
   partitionid: mini-lab
   defaultchildprefixlength:
     IPv4: 22
+    IPv6: 96
   prefixes:
   - 10.0.0.0/16
-  additionalannouncablecidrs:
+  - 2001:db8:0:10::/64
+  additionalAnnouncableCIDRs:
   - 10.240.0.0/12
 - id: internet-mini-lab
   name: "Virtual Internet Network"
@@ -79,10 +81,12 @@ metal_api_networks:
   underlay: false
   destinationprefixes:
     - 0.0.0.0/0
+    - ::/0
   partitionid: "mini-lab"
   vrf: 104009
   prefixes:
   - 203.0.113.128/25
+  - 2001:db8:0:113::/64
   labels:
     network.metal-stack.io/default: ""
     network.metal-stack.io/default-external: ""
@@ -97,6 +101,18 @@ metal_api_networks:
   prefixes:
   - 10.1.0.0/24
 
+metal_api_ips:
+- name: "reserve v4"
+  description: "Reserve IPv4 (for testing purposes)"
+  networkid: internet-mini-lab
+  projectid: 00000000-0000-0000-0000-000000000000
+  ipaddress: "203.0.113.142"
+- name: "reserve v6"
+  description: "Reserve IPv6 (for testing purposes)"
+  networkid: internet-mini-lab
+  projectid: 00000000-0000-0000-0000-000000000000
+  ipaddress: "2001:db8:0:113::142"
+
 metal_masterdata_api_tls_ca: "{{ lookup('file', 'certs/ca.pem') }}"
 metal_masterdata_api_tls_cert: "{{ lookup('file', 'certs/masterdata-api/server.pem') }}"
 metal_masterdata_api_tls_cert_key: "{{ lookup('file', 'certs/masterdata-api/server-key.pem') }}"

test/integration.sh

@@ -45,6 +45,9 @@ echo "$phoned/$minPhoned machines have phoned home"
 echo "Test connectivity to outside"
 make test-connectivity-to-external-service
 
+echo "Test connectivity to outside via ipv6"
+make test-connectivity-to-external-service-via-ipv6
+
 echo "Test connectivity from outside"
 public_ip=$(make public-ip)
 make ssh-machine COMMAND="sudo ip addr add ${public_ip}/32 dev lo"
@@ -65,4 +68,24 @@ for i in $(seq 1 10); do
   fi
 done
 
+echo "Test connectivity from outside via ipv6"
+public_ipv6=$(make public-ipv6)
+make ssh-machine COMMAND="sudo ip -6 addr add ${public_ipv6}/128 dev lo"
+
+for i in $(seq 1 10); do
+  if ssh -F files/ssh/config metal@"${public_ipv6}" -C exit > /dev/null 2>&1; then
+    echo "Connected successfully"
+    break
+  else
+    echo "Connection failed"
+    if [ $i -lt 10 ]; then
+      echo "Retrying in 1 second..."
+      sleep 1
+    else
+      echo "Max retries reached"
+      exit 1
+    fi
+  fi
+done
+
 echo "Successfully started mini-lab"