hashicorp · LakshmiNarayananDesikan · Oct 14, 2025 · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025
@@ -111,6 +111,7 @@ jobs:
       matrix:
         envoy-version: ${{ fromJSON(needs.get-envoy-versions.outputs.envoy-versions-json) }}
         xds-target: ["server", "client"]
+        ip-version: ["ipv4", "ipv6"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:
       ENVOY_VERSION: ${{ matrix.envoy-version }}
@@ -136,6 +137,23 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
+      - name: Enable IPv6 for Docker
+        if: matrix.ip-version == 'ipv6'
+        run: |
+          # Enable IPv6 on the Docker daemon without requiring sudo
+          # Create a new builder instance with IPv6 support
+          docker buildx create --name ipv6-builder --driver docker-container --use
+
+          # Enable IPv6 on the default bridge network (this doesn't require daemon restart)
+          docker network create --ipv6 --subnet=2001:db8:1::/64 --driver bridge consul-ipv6-bridge || true
+
+          # Verify IPv6 capabilities
+          docker network ls
+          docker network inspect consul-ipv6-bridge || true
+
+          # Test IPv6 connectivity
+          docker run --rm --network consul-ipv6-bridge alpine:latest ping6 -c 1 ::1 || echo "IPv6 ping test completed"
+
       - name: Docker build
         run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin
 
@@ -152,13 +170,20 @@ jobs:
           echo "Running $(sed 's,|, ,g' <<< "${{ matrix.test-cases }}" |wc -w) subtests"
           # shellcheck disable=SC2001
           sed 's,|,\n,g' <<< "${{ matrix.test-cases }}"
+
+          # Add IPv6 flag if testing IPv6
+          IPV6_FLAG=""
+          if [ "${{ matrix.ip-version }}" == "ipv6" ]; then
+            IPV6_FLAG="-ipv6=true"
+          fi
+
           go run gotest.tools/gotestsum@v${{env.GOTESTSUM_VERSION}} \
               --debug \
               --rerun-fails \
               --rerun-fails-report=/tmp/gotestsum-rerun-fails \
               --jsonfile /tmp/jsonfile/go-test.log \
               --packages=./test/integration/connect/envoy \
-              -- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
+              -- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})" -args $IPV6_FLAG
 
       # NOTE: ENT specific step as we store secrets in Vault.
       - name: Authenticate to Vault

@@ -301,6 +301,7 @@ jobs:
       fail-fast: false
       matrix:
         xds-target: ["server", "client"]
+        ip-version: ["ipv4", "ipv6"]
         envoy-version: ${{ fromJSON(needs.get-envoy-versions.outputs.envoy-versions-json) }}
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:
@@ -324,10 +325,27 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
+      - name: Enable IPv6 for Docker
+        if: matrix.ip-version == 'ipv6'
+        run: |
+          # Enable IPv6 on the Docker daemon without requiring sudo
+          # Create a new builder instance with IPv6 support
+          docker buildx create --name ipv6-builder --driver docker-container --use
+
+          # Enable IPv6 on the default bridge network (this doesn't require daemon restart)
+          docker network create --ipv6 --subnet=2001:db8:1::/64 --driver bridge consul-ipv6-bridge || true
+
+          # Verify IPv6 capabilities
+          docker network ls
+          docker network inspect consul-ipv6-bridge || true
+
+          # Test IPv6 connectivity
+          docker run --rm --network consul-ipv6-bridge alpine:latest ping6 -c 1 ::1 || echo "IPv6 ping test completed"
+
       - name: Docker build
         run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin
 
-      - name: Envoy Integration Tests-${{ matrix.envoy-version }}-${{ matrix.test-cases }}
+      - name: Envoy Integration Tests-${{ matrix.envoy-version }}-${{ matrix.test-cases }}-${{ matrix.ip-version }}
         id: envoy-integration-tests
         env:
           GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
@@ -341,13 +359,20 @@ jobs:
           echo "Running $(sed 's,|, ,g' <<< "${{ matrix.test-cases }}" |wc -w) subtests"
           # shellcheck disable=SC2001
           sed 's,|,\n,g' <<< "${{ matrix.test-cases }}"
+
+          # Add IPv6 flag if testing IPv6
+          IPV6_FLAG=""
+          if [ "${{ matrix.ip-version }}" == "ipv6" ]; then
+            IPV6_FLAG="-ipv6=true"
+          fi
+
           go run gotest.tools/gotestsum@v${{env.GOTESTSUM_VERSION}} \
               --debug \
               --rerun-fails \
               --rerun-fails-report=/tmp/gotestsum-rerun-fails \
               --jsonfile /tmp/jsonfile/go-test.log \
               --packages=./test/integration/connect/envoy \
-              -- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
+              -- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})" -args $IPV6_FLAG
 
       # See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
       # and overall topic discussion for why this is necessary.
@@ -363,7 +388,7 @@ jobs:
         if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
-          name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
+          name: envoy-${{ matrix.envoy-version }}-${{ matrix.ip-version }}-logs-${{ env.artifact_id }}
           path: test/integration/connect/envoy/workdir/logs/
 
       # NOTE: ENT specific step as we store secrets in Vault.

@@ -27,6 +27,7 @@ GCI_VERSION='v0.11.2'
 MOCKED_PB_DIRS= pbdns
 
 GOTAGS ?=
+IPV6 ?= false
 GOPATH=$(shell go env GOPATH)
 GOARCH?=$(shell go env GOARCH)
 MAIN_GOPATH=$(shell go env GOPATH | cut -d: -f1)
@@ -365,11 +366,13 @@ other-consul: ## Checking for other consul instances
 
 # Use GO_TEST_FLAGS to run specific tests:
 #      make test-envoy-integ GO_TEST_FLAGS="-run TestEnvoy/case-basic"
+# Use IPV6=true to enable IPv6 testing:
+#      make test-envoy-integ IPV6=true GO_TEST_FLAGS="-run TestEnvoy/case-basic"
 # NOTE: Always uses amd64 images, even when running on M1 macs, to match CI/CD environment.
 #       You can also specify the envoy version (example: 1.27.0) setting the environment variable: ENVOY_VERSION=1.27.0
 .PHONY: test-envoy-integ
 test-envoy-integ: $(ENVOY_INTEG_DEPS) ## Run envoy integration tests.
-	@go test -v -timeout=30m -tags integration $(GO_TEST_FLAGS) ./test/integration/connect/envoy
+	@go test -v -timeout=30m -tags integration ./test/integration/connect/envoy $(GO_TEST_FLAGS) -ipv6=$(IPV6)
 
 # NOTE: Use DOCKER_BUILDKIT=0, if docker build fails to resolve consul:local base image
 .PHONY: test-compat-integ-setup

@@ -13,7 +13,7 @@ load helpers
 
 @test "api gateway should be bound to route one" {
   assert_config_entry_status Bound True Bound primary http-route api-gateway-route-one
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api gateway should be bound to route two" {

@@ -13,12 +13,12 @@ load helpers
 
 @test "api gateway should have healthy endpoints for s1" {
   assert_config_entry_status Bound True Bound primary http-route api-gateway-route-one
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api gateway should have healthy endpoints for s2" {
   assert_config_entry_status Bound True Bound primary http-route api-gateway-route-two
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s2 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s2 HEALTHY 1
 }
 
 @test "api gateway should be able to connect to s1 via configured port" {

@@ -13,7 +13,7 @@ load helpers
 
 @test "api gateway should have healthy endpoints for s1" {
   assert_config_entry_status Bound True Bound primary http-route api-gateway-route-one
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api gateway should be able to connect to s1, s2, and s3 via configured port" {

@@ -13,12 +13,12 @@ load helpers
 
 @test "api gateway should have healthy endpoints for s1" {
   assert_config_entry_status Bound True Bound primary http-route api-gateway-route-one
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api gateway should have healthy endpoints for s2" {
   assert_config_entry_status Bound True Bound primary http-route api-gateway-route-two
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s2 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s2 HEALTHY 1
 }
 
 @test "api gateway should be able to connect to s1 via configured port" {

@@ -13,7 +13,7 @@ load helpers
 
 @test "api gateway should have healthy endpoints for s1" {
   assert_config_entry_status Bound True Bound primary http-route api-gateway-route-one
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api-gateway should have lua filter configured" {

@@ -20,7 +20,7 @@ load helpers
 }
 
 @test "api gateway should have healthy endpoints for s1" {
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api gateway should be able to connect to s1 with normal headers" {

@@ -20,7 +20,7 @@ load helpers
 }
 
 @test "api gateway should have healthy endpoints for s1" {
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api gateway should be able to connect to s1 with normal headers" {

@@ -12,9 +12,9 @@ load helpers
 }
 
 @test "api gateway should have no healthy endpoints for s1" {
-  assert_upstream_missing 127.0.0.1:20000 s1
+  assert_upstream_missing localhost:20000 s1
 }
 
 @test "api gateway should have no healthy endpoints for s2" {
-  assert_upstream_missing 127.0.0.1:20000 s2
+  assert_upstream_missing localhost:20000 s2
 }
@@ -13,12 +13,12 @@ load helpers
 
 @test "api gateway should have healthy endpoints for s1" {
   assert_config_entry_status Bound True Bound primary tcp-route api-gateway-route-one
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api gateway should have healthy endpoints for s2" {
   assert_config_entry_status Bound True Bound primary tcp-route api-gateway-route-two
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s2 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s2 HEALTHY 1
 }
 
 @test "api gateway should be able to connect to s1 via configured port" {

@@ -13,12 +13,12 @@ load helpers
 
 @test "api gateway should have healthy endpoints for s1" {
   assert_config_entry_status Bound True Bound primary tcp-route api-gateway-route-one
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s1 HEALTHY 1
 }
 
 @test "api gateway should have healthy endpoints for s2" {
   assert_config_entry_status Bound True Bound primary tcp-route api-gateway-route-two
-  assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s2 HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:20000 s2 HEALTHY 1
 }
 
 @test "api gateway should be able to connect to s1 via configured port" {

@@ -23,7 +23,7 @@ load helpers
 }
 
 @test "s1 upstream should have healthy endpoints for s2" {
-  assert_upstream_has_endpoints_in_status 127.0.0.1:19000 s2.default.primary HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:19000 s2.default.primary HEALTHY 1
 }
 
 @test "s2 should have network rbac rules loaded from xDS" {

@@ -27,7 +27,7 @@ load helpers
 }
 
 @test "s1 upstream should have healthy endpoints for s2" {
-  assert_upstream_has_endpoints_in_status 127.0.0.1:19000 s2.default.primary HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:19000 s2.default.primary HEALTHY 1
 }
 
 @test "s1 upstream should be able to connect to s2" {

@@ -23,7 +23,7 @@ load helpers
 }
 
 @test "s1 upstream should have healthy endpoints for s2" {
-  assert_upstream_has_endpoints_in_status 127.0.0.1:19000 s2.default.primary HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:19000 s2.default.primary HEALTHY 1
 }
 
 @test "s1 upstream should be able to connect to s2 with http/1.1" {

@@ -46,8 +46,8 @@ load helpers
 # Failover
 
 @test "s1 upstream should have healthy endpoints for s2 in both primary and failover" {
-  assert_upstream_has_endpoints_in_status 127.0.0.1:19000 failover-target~0~s2.default.primary.internal HEALTHY 1
-  assert_upstream_has_endpoints_in_status 127.0.0.1:19000 failover-target~1~s2.default.primary.internal HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:19000 failover-target~0~s2.default.primary.internal HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:19000 failover-target~1~s2.default.primary.internal HEALTHY 1
 }
 
 @test "s1 upstream should be able to connect to s2" {
@@ -57,7 +57,7 @@ load helpers
 }
 
 @test "s1 upstream made 1 connection" {
-  assert_envoy_metric_at_least 127.0.0.1:19000 "cluster.failover-target~0~s2.default.primary.internal.*cx_total" 1
+  assert_envoy_metric_at_least localhost:19000 "cluster.failover-target~0~s2.default.primary.internal.*cx_total" 1
 }
 
 @test "terminate instance of s2 primary envoy which should trigger failover to s2 alpha when the tcp check fails" {
@@ -69,12 +69,12 @@ load helpers
 }
 
 @test "s1 upstream should have healthy endpoints for s2 in the failover cluster peer" {
-  assert_upstream_has_endpoints_in_status 127.0.0.1:19000 failover-target~0~s2.default.primary.internal UNHEALTHY 1
-  assert_upstream_has_endpoints_in_status 127.0.0.1:19000 failover-target~1~s2.default.primary.internal HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:19000 failover-target~0~s2.default.primary.internal UNHEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:19000 failover-target~1~s2.default.primary.internal HEALTHY 1
 }
 
 @test "reset envoy statistics for failover" {
-  reset_envoy_metrics 127.0.0.1:19000
+  reset_envoy_metrics localhost:19000
 }
 
 @test "gateway-alpha should have healthy endpoints for s2" {
@@ -88,17 +88,17 @@ load helpers
 }
 
 @test "s1 upstream made 1 connection to s2 through the cluster peer" {
-  assert_envoy_metric_at_least 127.0.0.1:19000 "cluster.failover-target~1~s2.default.primary.internal.*cx_total" 1
+  assert_envoy_metric_at_least localhost:19000 "cluster.failover-target~1~s2.default.primary.internal.*cx_total" 1
 }
 
 # Redirect
 
 @test "reset envoy statistics for redirect" {
-  reset_envoy_metrics 127.0.0.1:19000
+  reset_envoy_metrics localhost:19000
 }
 
 @test "s1 upstream should have healthy endpoints for s2 (virtual-s2) in the cluster peer" {
-  assert_upstream_has_endpoints_in_status 127.0.0.1:19000 s2.default.primary-to-alpha.external HEALTHY 1
+  assert_upstream_has_endpoints_in_status localhost:19000 s2.default.primary-to-alpha.external HEALTHY 1
 }
 
 @test "s1 upstream should be able to connect to s2 via virtual-s2" {
@@ -108,5 +108,5 @@ load helpers
 }
 
 @test "s1 upstream made 1 connection to s2 via virtual-s2 through the cluster peer" {
-  assert_envoy_metric_at_least 127.0.0.1:19000 "cluster.s2.default.primary-to-alpha.external.*cx_total" 1
+  assert_envoy_metric_at_least localhost:19000 "cluster.s2.default.primary-to-alpha.external.*cx_total" 1
 }