[feat] Add IPv6 public backends for NodeBalancers

[komer3]

Summary

• add IPv6 backend support for NodeBalancer services using node public IPv6 SLAAC addresses
• keep the backend selection explicit through controller flag and service annotation without implying VPC IPv6 backend support
• add controller/chart/docs and e2e coverage for the IPv6 backend behavior

Behavior

• introduces --enable-ipv6-for-nodebalancer-backends as a global controller flag
• introduces service.beta.kubernetes.io/linode-loadbalancer-enable-ipv6-backends as a per-service override
• applies IPv6 backend selection to NodeBalancer services by using node public IPv6 SLAAC addresses
• does not add support for VPC IPv6 backends or rely on VPC subnet configuration for backend programming
• enabling the global flag can migrate existing eligible services from IPv4 to IPv6 backends during reconcile
• requires the selected public IPv6 address on each backend node and returns an error instead of silently falling back to IPv4
• uses IPv6-safe backend host:port formatting for NodeBalancer node addresses

Code Changes

• add the new service annotation constant in cloud/annotations/annotations.go
• add the new controller option in cloud/linode/options/options.go and register the flag in main.go
• update cloud/linode/loadbalancers.go to:
  • resolve IPv6 backend selection from the service annotation first, then the global flag
  • choose IPv6 node addresses using the existing node-address path for public IPv6 backends
  • keep backend selection focused on public IPv6 SLAAC addresses rather than VPC IPv6 backend support
  • rebuild backend node configs with IPv6-safe address formatting
• add Helm chart support for the new controller flag in deploy/chart/templates/daemonset.yaml and deploy/chart/values.yaml
• document the feature and backend behavior in docs/configuration/loadbalancer.md, docs/configuration/environment.md, and docs/configuration/annotations.md
• ignore local generated cluster artifacts in .gitignore

Tests

Unit

• extend cloud/linode/loadbalancers_test.go with coverage for:
  • IPv4 backend selection for the existing path
  • IPv6 backend selection from node IPv6 addresses
  • preserving the existing NodeBalancer request behavior while selecting public IPv6 backends via annotation or global flag
  • failing when IPv6 backends are requested and a node lacks the required public IPv6 address
  • global flag and service annotation precedence
  • IPv6-safe backend address formatting

E2E

• add a new Chainsaw scenario under e2e/test/lb-with-ipv6-backends/
• deploy a dual-stack LoadBalancer service annotated with linode-loadbalancer-enable-ipv6-backends: "true"
• verify NodeBalancer backend node addresses returned by the Linode API are IPv6
• verify traffic still reaches both backend pods through the service

Verification

• go test ./cloud/linode/...
• make test

[codecov]

Codecov Report

❌ Patch coverage is 86.95652% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.62%. Comparing base (c023298) to head (5af9bbf).

Files with missing lines	Patch %	Lines
cloud/linode/loadbalancers.go	86.95%	6 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #545      +/-   ##
==========================================
+ Coverage   73.43%   73.62%   +0.19%     
==========================================
  Files          19       19              
  Lines        2906     2927      +21     
==========================================
+ Hits         2134     2155      +21     
  Misses        523      523              
  Partials      249      249              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Adds opt-in support for programming Linode NodeBalancer backends with node public IPv6 addresses, controlled via a new global controller flag and a per-Service annotation, with accompanying Helm, docs, and e2e/unit test updates.

Changes:

• Introduces --enable-ipv6-for-nodebalancer-backends and service.beta.kubernetes.io/linode-loadbalancer-enable-ipv6-backends.
• Updates NodeBalancer backend node resolution + address formatting to support IPv6 backends (including when VPC-backed NodeBalancers are enabled).
• Adds documentation, Helm values/template wiring, and new unit/e2e coverage for IPv6 backend behavior.

Reviewed changes

Copilot reviewed 14 out of 16 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
main.go	Registers the new global flag for enabling IPv6 NodeBalancer backends.
cloud/linode/options/options.go	Adds controller option field for IPv6 backend enablement.
cloud/annotations/annotations.go	Adds the new Service annotation constant for IPv6 backend selection.
cloud/linode/loadbalancers.go	Implements IPv6 backend selection/formatting and preserves VPC config while reconciling backends.
cloud/linode/loadbalancers_test.go	Adds unit tests for backend IP selection, VPC preservation, and IPv6-safe host:port formatting.
deploy/chart/templates/daemonset.yaml	Wires Helm value to the new controller flag argument.
deploy/chart/values.yaml	Documents the new Helm value and its operational behavior.
docs/configuration/loadbalancer.md	Documents IPv6 backend behavior, prerequisites, and examples.
docs/configuration/environment.md	Documents the new controller flag in the environment/flags reference.
docs/configuration/annotations.md	Documents the new Service annotation in the annotations reference.
e2e/test/lb-with-ipv6-backends/create-pods-services.yaml	Adds a dual-stack LB Service + backend deployment for IPv6-backend e2e coverage.
e2e/test/lb-with-ipv6-backends/chainsaw-test.yaml	Adds Chainsaw scenario asserting IPv6 backend addresses and verifying connectivity.
Makefile	Pins/uses clusterctl explicitly and updates CAP* versions and manifest generation for dual-stack e2e.
devbox.json	Pins clusterctl version for the devbox environment.
devbox.lock	Updates devbox lock to the pinned clusterctl version.
.gitignore	Ignores locally generated cluster manifests and kubeconfigs.

[eljohnson92]

I think this is still true for the spec of these resources

[komer3]

Restored this comment in 2327abf