
feat: add support for dual stack clusters (#3356)

Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>
Ludovic Ortega 2 years ago
commit
57521cd87e

+ 2 - 0
deploy/charts/external-secrets/README.md

@@ -139,6 +139,8 @@ The command removes all the Kubernetes components associated with the chart and
 | securityContext.runAsNonRoot | bool | `true` |  |
 | securityContext.runAsUser | int | `1000` |  |
 | securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
+| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |

+ 6 - 0
deploy/charts/external-secrets/templates/cert-controller-service.yaml

@@ -12,6 +12,12 @@ metadata:
   {{- end }}
 spec:
   type: ClusterIP
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
   - port: {{ .Values.certController.metrics.service.port }}
     protocol: TCP
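Review bot: The six added lines under `type: ClusterIP` are pasted unchanged into five Service specs: here, `templates/service.yaml`, all three hunks of `templates/servicemonitor.yaml`, and `templates/webhook-service.yaml`. A later fix to one copy can therefore miss the others. A single named template, defined next to the existing `external-secrets.labels` helpers and pulled in with `include`, would keep them in step. The helper name below is only a suggestion. In that helper I would also quote the policy with `| quote`, since an unquoted templated scalar can be retyped by the YAML parser, and emit the list under its key rather than after `ipFamilies: ` with trailing whitespace. The Service spec continues outside the hunk.

```yaml
  type: ClusterIP
  {{- include "external-secrets.serviceIPFamily" . | nindent 2 }}
  # … unchanged: ports …

{{- define "external-secrets.serviceIPFamily" -}}
{{- with .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ . | quote }}
{{- end }}
{{- with .Values.service.ipFamilies }}
ipFamilies:
  {{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
```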

+ 6 - 0
deploy/charts/external-secrets/templates/service.yaml

@@ -12,6 +12,12 @@ metadata:
   {{- end }}
 spec:
   type: ClusterIP
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
     - port: {{ .Values.metrics.service.port }}
       protocol: TCP

+ 18 - 0
deploy/charts/external-secrets/templates/servicemonitor.yaml

@@ -8,6 +8,12 @@ metadata:
     {{- include "external-secrets.labels" . | nindent 4 }}
 spec:
   type: ClusterIP
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
     - port: {{ .Values.metrics.service.port }}
       protocol: TCP
@@ -56,6 +62,12 @@ metadata:
     {{- include "external-secrets-webhook-metrics.labels" . | nindent 4 }}
 spec:
   type: ClusterIP
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
     - port: {{ .Values.webhook.metrics.service.port }}
       protocol: TCP
@@ -105,6 +117,12 @@ metadata:
     {{- include "external-secrets-cert-controller-metrics.labels" . | nindent 4 }}
 spec:
   type: ClusterIP
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
     - port: {{ .Values.certController.metrics.listen.port }}
       protocol: TCP

+ 6 - 0
deploy/charts/external-secrets/templates/webhook-service.yaml

@@ -15,6 +15,12 @@ metadata:
   {{- end }}
 spec:
   type: ClusterIP
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
   - port: 443
     targetPort: {{ .Values.webhook.port }}
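Review bot: Nothing next to the added `ipFamilyPolicy` / `ipFamilies` lines tells an operator that the admission webhook Service on port 443 becomes reachable on a second address family when a dual-stack policy is set. With `PreferDualStack` or `RequireDualStack` the Service is assigned an IPv6 ClusterIP as well. Any NetworkPolicy `ipBlock` rules or allow-lists written only for IPv4 ranges would presumably need matching IPv6 entries. The webhook pod must also accept connections on both families, which this hunk does not show. I would add a template comment above the block, for example `{{- /* dual-stack: check NetworkPolicy ipBlock CIDRs and the webhook listen address for both IP families */ -}}`. The Service spec starts and ends outside the hunk.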

+ 6 - 0
deploy/charts/external-secrets/values.yaml

@@ -78,6 +78,12 @@ createOperator: true
 # a time.
 concurrent: 1
 
+service:
+  # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
+  ipFamilyPolicy: ""
+  # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
+  ipFamilies: []
+
 serviceAccount:
   # -- Specifies whether a service account should be created.
   create: true
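Review bot: The two `# --` comments on the new `service` block say neither which values `ipFamilyPolicy` accepts nor that the block applies to every Service the chart renders. The templates in this commit read `.Values.service.*` for the operator, webhook and cert-controller Services and for all three metrics Services. The other Service settings on this page are per component (`metrics.service.port`, `webhook.metrics.service.port`), so a reader could take `service.*` to cover only the main Service. I would reword the first comment to `# -- IP family policy applied to all Services created by this chart (operator, webhook, cert-controller and their metrics Services): SingleStack, PreferDualStack or RequireDualStack. Empty keeps the cluster default.` The second comment could add that `ipFamilies` takes `IPv4` and/or `IPv6` in preference order. The README table looks to be generated from these comments, so it would need regenerating. The values file continues outside the hunk.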