data plane pod do not listen IPv6 address

[sergey-safarov]

Description:

I deploy IPv6 only EKS cluster and configured IPv6 support in envoy config

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: ipv6-proxy
spec:
  ipFamily: IPv6
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: config.gateway.envoyproxy.io
    kind: EnvoyProxy
    name: ipv6-proxy

But Liveness, 'Readiness' and Startup fails because Envoy listens IPv4 "0.0.0.0" and does not listen IPv6.

Repro steps:

1. Configure EnvoyProxy using yaml above and deploy any "gateway".
2. Start debug pod and execute curl to both IP.

Example

/ # curl -v http://127.0.0.1:19003
*   Trying 127.0.0.1:19003...
* Established connection to 127.0.0.1 (127.0.0.1 port 19003) from 127.0.0.1 port 44166 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 127.0.0.1:19003
> User-Agent: curl/8.17.0
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error
< date: Tue, 25 Nov 2025 09:44:05 GMT
< server: envoy
< content-length: 0
< 
* Connection #0 to host 127.0.0.1:19003 left intact

/ # curl -v --noproxy "*" http://[::1]:19003
*   Trying [::1]:19003...
* connect to ::1 port 19003 from ::1 port 54276 failed: Connection refused
* Failed to connect to ::1 port 19003 after 0 ms: Could not connect to server
* closing connection #0
curl: (7) Failed to connect to ::1 port 19003 after 0 ms: Could not connect to server

Environment:

used gateway 1.6.0 and envoy v1.36.2.

Logs:

In data-plane pod no pods logs.

As I understand, as a workaround Envoy here can be used jsonPatches to bootstrap conf like

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: ipv6-proxy
spec:
  mergeGateways: true
  ipFamily: IPv6
  bootstrap:
    type: JSONPatch
    jsonPatches:
      - op: "replace"
        path: "static_resources/listeners/0/address/socketAddress/address"
        value: "::"

But this does not work for me.
Also checked tickets with jsonPatches example, but this does help me. #5368 #6859

In the meantime, could you share how to properly path the listened IP address?

[sergey-safarov]

I have manually updated the envoy ReplicaSet to allow listening admin port on IPv6 address and port 19003 and then send curl request to /listeners endpoint.
This confirms the envoy listened IPv4 address for 19003 port

h-5.2$ curl -v http://[2605:84c0:51:1f02:67a5::b]:19003/listeners
*   Trying [2605:84c0:51:1f02:67a5::b]:19003...
* Connected to 2605:84c0:51:1f02:67a5::b (2605:84c0:51:1f02:67a5::b) port 19003
* using HTTP/1.x
> GET /listeners HTTP/1.1
> Host: [2605:84c0:51:1f02:67a5::b]:19003
> User-Agent: curl/8.11.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< content-type: text/plain; charset=UTF-8
< cache-control: no-cache, max-age=0
< x-content-type-options: nosniff
< date: Tue, 25 Nov 2025 14:56:43 GMT
< server: envoy
< transfer-encoding: chunked
< 
envoy-gateway-proxy-stats-0.0.0.0-19001::0.0.0.0:19001
envoy-gateway-proxy-ready-0.0.0.0-19003::0.0.0.0:19003
ippbx/couchdb/http::0.0.0.0:10080

[arkodg]

cc @zirain , afaik, there's an e2e for this

[zirain]

yes, we run nearly all the e2e on ipv6 first kind cluster.

[sergey-safarov]

I have applied EnvoyPatchPolicy to the Gateway

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
  name: patch-listener-socket
  namespace: {{ .Release.Name }}
spec:
  type: JSONPatch
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: couchdb
  jsonPatches:
    - name: envoy-gateway-proxy-ready-0.0.0.0-19003
      type: type.googleapis.com/envoy.config.listener.v3.Listener
      operation:
        op: "replace"
        path: /address/socket_address/address
        value: "::"
    - name: envoy-gateway-proxy-stats-0.0.0.0-19001
      type: type.googleapis.com/envoy.config.listener.v3.Listener
      operation:
        op: "replace"
        path: /address/socket_address/address
        value: "::"
    - name: ippbx/couchdb/http
      type: type.googleapis.com/envoy.config.listener.v3.Listener
      operation:
        op: "replace"
        path: /address/socket_address/address
        value: "::"

This fixed the listener IP for port 19003 and service port.
But does not fix the listener for Prometheus metrics.

curl http://127.0.0.1:19000/listeners
envoy-gateway-proxy-stats-0.0.0.0-19001::0.0.0.0:19001
envoy-gateway-proxy-ready-0.0.0.0-19003::[::]:19003
ippbx/couchdb/http::[::]:10080

I'm sure this should be done more simply.

[zirain]

the github CI host machine is IPv4, so we cannot test the whole thing.
will take a look later.

[zirain]

19000 is the envoy admin port, which cannot be patch by EPP, custom bootstrap will help.

[zirain]

@sergey-safarov can you show me a full config dump without those patch by running egctl config envoy-proxy all

[zirain]

@sergey-safarov can you check the status of GatewayClass? you may need following change.

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: config.gateway.envoyproxy.io
    kind: EnvoyProxy
    name: ipv6-proxy
    namespace: default

[sergey-safarov]

I think this ticket is related to the current #7577.

19000 is the envoy admin port, which cannot be patch by EPP, custom bootstrap will help.

@zirain could you share a working example? I tried, but no luck.

can you show me a full config dump without those patch by running egctl config envoy-proxy all

File attached envoy.cfg.gz

can you check the status of GatewayClass? you may need following change.

I have added a namespace namespace: default into the GatewayClass yaml and got an error.

Invalid parametersRef: unsupported parametersRef for gatewayclass envoy

$ kubectl describe GatewayClass 
Name:         envoy
Namespace:    
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: kazoo
              meta.helm.sh/release-namespace: ippbx
API Version:  gateway.networking.k8s.io/v1
Kind:         GatewayClass
Metadata:
  Creation Timestamp:  2025-11-26T22:43:21Z
  Finalizers:
    gateway-exists-finalizer.gateway.networking.k8s.io
  Generation:        2
  Resource Version:  419765
  UID:               c5ce4b90-abd0-43cb-9c26-8776fb3dab81
Spec:
  Controller Name:  gateway.envoyproxy.io/gatewayclass-controller
  Parameters Ref:
    Group:      config.gateway.envoyproxy.io
    Kind:       EnvoyProxy
    Name:       ipv6-proxy
    Namespace:  default
Status:
  Conditions:
    Last Transition Time:  2025-11-27T22:55:21Z
    Message:               Invalid parametersRef: unsupported parametersRef for gatewayclass envoy
    Observed Generation:   2
    Reason:                InvalidParameters
    Status:                False
    Type:                  Accepted
Events:                    <none>

Probably this is because EnvoyProxy is defined in the ippbx namespace.

$ kubectl get EnvoyProxy -A
NAMESPACE   NAME         AGE
ippbx       ipv6-proxy   24h

I have changed the namespace for EnvoyProxy, but the issue persists.

kubectl describe GatewayClass 
Name:         envoy
Namespace:    
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: kazoo
              meta.helm.sh/release-namespace: ippbx
API Version:  gateway.networking.k8s.io/v1
Kind:         GatewayClass
Metadata:
  Creation Timestamp:  2025-11-26T22:43:21Z
  Finalizers:
    gateway-exists-finalizer.gateway.networking.k8s.io
  Generation:        2
  Resource Version:  419765
  UID:               c5ce4b90-abd0-43cb-9c26-8776fb3dab81
Spec:
  Controller Name:  gateway.envoyproxy.io/gatewayclass-controller
  Parameters Ref:
    Group:      config.gateway.envoyproxy.io
    Kind:       EnvoyProxy
    Name:       ipv6-proxy
    Namespace:  default
Status:
  Conditions:
    Last Transition Time:  2025-11-27T22:55:21Z
    Message:               Invalid parametersRef: unsupported parametersRef for gatewayclass envoy
    Observed Generation:   2
    Reason:                InvalidParameters
    Status:                False
    Type:                  Accepted
Events:                    <none>

and EnvoyProxy namespace after update.

$ kubectl get EnvoyProxy -A
NAMESPACE   NAME         AGE
default     ipv6-proxy   3m4s

@zirain, is there still a possible issue here?
Can I test the nightly arm64 build? How YAML needs to be updated. Link to API schema will be fine.

[zirain]

@sergey-safarov following configuration should be worked on v1.6.0(maybe early version but I didn't test it) and main:

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: ipv6-proxy
spec:
  ipFamily: IPv6
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: ipv6-proxy
    namespace: default
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: ipv6-proxy
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All