Kubernetes operator: ingress proxies don't work in clusters with IPv6 Service IP range

[irbekrm]

What is the issue?

For the ingress proxies we set up iptables/nftables rules to forward traffic received on proxy's tailnet IP to the cluster backend Service's Cluster IP address.
A proxy gets assigned both a tailnet IPv4 and IPv6 tailnet addresses. We set the proxy forwarding rules for the IP address family of the backend Service only (see here).
This means that if the backend Service has an IPv6 address only the traffic received on proxy's IPv4 tailnet address is not being forwarded.

Steps to reproduce

1. Set up a Kubernetes cluster with IPv6 address range for Services
2. Expose a Service via tailscale load balancer class
3. Retrieve the proxy's MagicDNS name and IPv4 and IPv6 address, in my example

 $kubectl get svc
NAME          TYPE           CLUSTER-IP             EXTERNAL-IP                                                    PORT(S)          AGE
kuard1        LoadBalancer   fdb9:b3b6:81ce::b391   fd7a:115c:a1e0::7501:7453,kuard1-9.<my-tailnet>.ts.net            80:30968/TCP     17h

4. Exec the proxy Pod and observe that the firewall rules are only set up to forward traffic received on the IPv6 tailnet address of the proxy

$ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination      
....
$ / # ip6tables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  anywhere             fd7a:115c:a1e0::7501:7453  to:fdb9:b3b6:81ce::b391

5. Observe that trying to access the exposed cluster service via a curl from my machine to the tailnet service resolves to the IPv4 address of the proxy and does not succeed:

$ curl -vvv kuard1-9.tailbd97a.ts.net
*   Trying 100.120.116.83:80...
* connect to 100.120.116.83 port 80 failed: Connection refused
* Failed to connect to kuard1-9.tailbd97a.ts.net port 80 after 410 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to kuard1-9.tailbd97a.ts.net port 80 after 410 ms: Connection refused

6. Observe that the exposed service can be accessed over the IPv6 address of the proxy directly

$ curl -vvv [fd7a:115c:a1e0::7501:7453]
*   Trying fd7a:115c:a1e0::7501:7453:80...
* Connected to fd7a:115c:a1e0::7501:7453 (fd7a:115c:a1e0::7501:7453) port 80 (#0)
> GET / HTTP/1.1
> Host: [fd7a:115c:a1e0::7501:7453]
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
....

Are there any recent changes that introduced the issue?

No- this would affect operator ingress proxies at any Tailscale version

[irbekrm]

Workaround is now documented in https://tailscale.com/kb/1236/kubernetes-operator#ipv6-support