Handle mapped IP addresses in monitoring allow list

Clemens Beckrequested to merge
cb-v6-allowlist into master

What does this MR do and why?

Handle mapped IP addresses in monitoring allow list

Add IPv4 compat addresses to the health check middleware. This allows rails listen on IPv6 by default in CNG/GitLab chart without breaking existing setups with custom (IPv4) allow lists.

Relates gitlab-org/charts/gitlab#2778 (closed)

Background

In gitlab-org/charts/gitlab!4072 (merged) we want to default to dual stack (IPv4+IPv6) compatible listeners/bind addresses. As a result, IPv4 clients may appear with their mapped IPv6 addresses, causing them to be denied access.

By adding the comat addresses, the IPv4 clients remain access, even when their address is mapped to an IPv6 on the kernel level.

References

Screenshots or screen recordings

Before After

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Clemens Beck

Merge request reports