fix: pass IPv6 DNS resolvers correctly

[lucasl0st]

Proposed changes

Problem: nginx expects IPv6 DNS resolvers to be passed with [] brackets:
invalid port in resolver \"2606:4700:4700::1111\" in /etc/nginx/stream-conf.d/stream.conf
But passing resolvers with brackets is not possible:
gatewayClassNp="&{Source:0xc0014382c0 ErrMsgs:[spec.dnsResolver.addresses[0].value: Invalid value: \"[2606:4700:4700::1111]\": must be a valid IP address] Valid:false}"

Solution: detect IPv6 resolvers and add brackets in the config templating.

Testing: deployed on an IPv6 capable cluster and configured DNS resolvers using the helm chart, deployed a gateway and http route pointing to an ExternalName service (which requires configuring a DNS resolver).

Fixes #4369

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Fixed an issue regarding configuring IPv6 DNS resolvers for ExternalName services

[nginx-bot]

Hi @lucasl0st!

Thanks for opening this pull request!
Be sure to check out our Contributing Guidelines while you wait for someone on the team to review this.

[sjberman]

@lucasl0st Thanks for finding and fixing this! Would you mind creating an associated issue and linking it in the PR description to Close? Helps us keep track of things.

[sjberman]

Based on what I read in the bug you created, does the NGF validation need to be updated as well?

[lucasl0st]

Based on what I read in the bug you created, does the NGF validation need to be updated as well?

Could you tell me what exactly you mean by NGF validation?
The part that fails when passing an IPv6 address with brackets is here:

nginx-gateway-fabric/internal/controller/state/graph/nginxproxy.go

Line 358 in b50193d

if errs := k8svalidation.IsValidIP(addrPath.Child("value"), addr.Value); len(errs) > 0 {

It does not accept IPv6 addresses within [] brackets, but I'm unsure if that's what you're referring to here

[lucasl0st]

And just to be sure, anything I should do regarding the failed linter in the pipeline? https://github.com/nginx/nginx-gateway-fabric/actions/runs/19806475453/job/56824105560

Runs fine locally for me

[sjberman]

It does not accept IPv6 addresses within [] brackets, but I'm unsure if that's what you're referring to here

Is the intention to be able to define an Ipv6 address with brackets in the API? If port is specified, then would it make sense to do it that way? I figured we would want to loosen the validation if so.

[lucasl0st]

My intention with this PR is to support IPv6 resolvers the same way IPv4 resolvers are currently supported.
This means that within the helm chart or configuration IPv6 resolvers are configured by a user without brackets, the nginx config templating handles the job of adding the brackets required by nginx for IPv6 (the fix in this PR).

The current implementation/validation would not allow for custom ports (to the best of my knowledge), for IPv6 as well as IPv4.
Nginx itself does seem to support custom ports: https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver
So I guess it would be up to you to decide if you want to support this.

[sjberman]

Ah, I see that ports was not the original intention. So I think the validation is fine for now as long as a basic IPv6 address works.

[sjberman]

I think the linting/dependency issue is probably on our end.