Introduce dual-stack in the multi-node downstream example

mchiappero · hardys · commit 9647f6db9657 · 2025-09-24T16:44:13.000+01:00
Update the multi-node example to define a dual-stack deployment. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com> (cherry picked from commit 322958c)
diff --git a/asciidoc/product/atip-automated-provision.adoc b/asciidoc/product/atip-automated-provision.adoc
@@ -979,7 +979,7 @@ To do that, the following file (`capi-provisioning-example.yaml`) must be create
 [NOTE]
 ====
 - Only values between `$\{...\}` must be replaced with the real values.
-- The `VIP` address is a reserved IP address that is not assigned to any node and is used to configure the load balancer.
+- The `VIP` address is a reserved IP address that is not assigned to any node and is used to configure the load balancer. In a dual-stack cluster, both an IPv4 and IPv6 can be specified, but in the following examples priority will be given to the IPv4 address.
 ====
 
 Below is the cluster definition, where the cluster network can be configured using the `pods` and the `services` blocks. Also, it contains the references to the control plane and the infrastructure (using the `Metal^3^` provider) objects to be used.
@@ -996,9 +996,11 @@ spec:
     pods:
       cidrBlocks:
         - 192.168.0.0/18
+        - fd00:1234:4321::/48
     services:
       cidrBlocks:
         - 10.96.0.0/12
+        - fd00:5678:8765:4321::/112
   controlPlaneRef:
     apiVersion: controlplane.cluster.x-k8s.io/v1beta1
     kind: RKE2ControlPlane
@@ -1009,7 +1011,12 @@ spec:
     name: multinode-cluster
 ----
 
-The `Metal3Cluster` object specifies the control-plane endpoint that uses the `VIP` address already reserved (replacing the `$\{EDGE_VIP_ADDRESS\}`) to be configured and the `noCloudProvider` because the three bare-metal nodes are used.
+[NOTE]
+====
+Both single-stack and dual-stack deployments are possible, remove the IPv6 CIDRs and IPv6 VIP addresses (in the subsequent sections) for an IPv4 only cluster
+====
+
+The `Metal3Cluster` object specifies the control-plane endpoint that uses the `VIP` address already reserved (replacing the `$\{EDGE_VIP_ADDRESS_IPV4\}`) to be configured and the `noCloudProvider` because the three bare-metal nodes are used.
 [,yaml]
 ----
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -1019,7 +1026,7 @@ metadata:
   namespace: default
 spec:
   controlPlaneEndpoint:
-    host: ${EDGE_VIP_ADDRESS}
+    host: ${EDGE_VIP_ADDRESS_IPV4}
     port: 6443
   noCloudProvider: true
 ----
@@ -1028,11 +1035,11 @@ The `RKE2ControlPlane` object specifies the control-plane configuration to be us
 
 * The number of replicas to be used (in this case, three).
 * The advertisement mode to be used by the Load Balancer (`address` uses the L2 implementation), as well as the address to be used (replacing the `$\{EDGE_VIP_ADDRESS\}` with the `VIP` address).
-* The `serverConfig` with the `CNI` plug-in to be used (in this case, `Cilium`), and the `tlsSan` to be used to configure the `VIP` address.
+* The `serverConfig` with the `CNI` plug-in to be used (in this case, `Cilium`), and the additional `VIP` address(es) and name(s) to be listed under `tlsSan`.
 * The agentConfig block contains the `Ignition` format to be used and the `additionalUserData` to be used to configure the `RKE2` node with information like:
     ** The systemd service named `rke2-preinstall.service` to replace automatically the `BAREMETALHOST_UUID` and `node-name` during the provisioning process using the Ironic information.
     ** The `storage` block which contains the Helm charts to be used to install the `MetalLB` and the `endpoint-copier-operator`.
-    ** The `metalLB` custom resource file with the `IPaddressPool` and the `L2Advertisement` to be used (replacing `$\{EDGE_VIP_ADDRESS\}` with the `VIP` address).
+    ** The `metalLB` custom resource file with the `IPaddressPool` and the `L2Advertisement` to be used (replacing `$\{EDGE_VIP_ADDRESS_IPV4\}` with the `VIP` address).
     ** The `endpoint-svc.yaml` file to be used to configure the `kubernetes-vip` service to be used by the `MetalLB` to manage the `VIP` address.
 * The last block of information contains the Kubernetes version to be used. The `$\{RKE2_VERSION\}` is the version of `RKE2` to be used replacing this value (for example, `{version-kubernetes-rke2}`).
 
@@ -1059,8 +1066,10 @@ spec:
   serverConfig:
     cni: cilium
     tlsSan:
-      - $\{EDGE_VIP_ADDRESS}
-      - https://$\{EDGE_VIP_ADDRESS}.sslip.io
+      - $\{EDGE_VIP_ADDRESS_IPV4}
+      - $\{EDGE_VIP_ADDRESS_IPV6}
+      - https://$\{EDGE_VIP_ADDRESS_IPV4}.sslip.io
+      - https://$\{EDGE_VIP_ADDRESS_IPV6}.sslip.io
   agentConfig:
     format: ignition
     additionalUserData:
@@ -1147,7 +1156,8 @@ spec:
                     namespace: metallb-system
                   spec:
                     addresses:
-                      - $\{EDGE_VIP_ADDRESS}/32
+                      - $\{EDGE_VIP_ADDRESS_IPV4}/32
+                      - $\{EDGE_VIP_ADDRESS_IPV6}/128
                     serviceAllocation:
                       priority: 100
                       namespaces:
@@ -1176,6 +1186,7 @@ spec:
                     labels:
                       serviceType: kubernetes-vip
                   spec:
+                    ipFamilyPolicy: PreferDualStack
                     ports:
                     - name: rke2-api
                       port: 9345
