@jasikpark jasikpark commented Dec 8, 2025

Now that Nebula v1.10 is released, IPv6 support is stable; let's update the docs to reflect that.

See https://ipv6.docs-nebula.pages.dev/docs/guides/upgrade-to-cert-v2-and-ipv6/

@jasikpark jasikpark requested a review from nbrownus December 8, 2025 20:57

cloudflare-workers-and-pages bot commented Dec 8, 2025

Deploying docs-nebula with Cloudflare Pages

Latest commit: 4794a18
Status: ✅  Deploy successful!
Preview URL: https://5879c4f2.docs-nebula.pages.dev
Branch Preview URL: https://ipv6.docs-nebula.pages.dev

@jasikpark jasikpark requested a review from nbrownus December 8, 2025 21:04
@jasikpark jasikpark requested a review from nbrownus December 8, 2025 21:12

nbrownus commented Dec 8, 2025

This section is no longer correct https://github.com/DefinedNet/nebula-docs/blob/ipv6/docs/guides/upgrade-to-cert-v2-and-ipv6/index.mdx#issue-v1v2-certificates-bundles.

nebula-cert sign will default to using the CA certificate version. It is technically possible to issue a v1 certificate signed by a v2 CA but I don't think we want to teach people to do it that way.

We can also combine this step https://github.com/DefinedNet/nebula-docs/blob/ipv6/docs/guides/upgrade-to-cert-v2-and-ipv6/index.mdx#issue-v1v2-certificates-bundles with this step https://github.com/DefinedNet/nebula-docs/blob/ipv6/docs/guides/upgrade-to-cert-v2-and-ipv6/index.mdx#issue-v1v2-certificates-bundles. As long as the v1 certificate has the same ipv4 address as the v2 certificate, the v2 certificate can have additional ipv6 addresses. What might make more sense here is to show dropping support for ipv4 at the end.

@jasikpark
Collaborator Author

> This section is no longer correct ipv6/docs/guides/upgrade-to-cert-v2-and-ipv6/index.mdx#issue-v1v2-certificates-bundles.
>
> nebula-cert sign will default to using the CA certificate version. It is technically possible to issue a v1 certificate signed by a v2 CA but I don't think we want to teach people to do it that way.
>
> We can also combine this step ipv6/docs/guides/upgrade-to-cert-v2-and-ipv6/index.mdx#issue-v1v2-certificates-bundles with this step ipv6/docs/guides/upgrade-to-cert-v2-and-ipv6/index.mdx#issue-v1v2-certificates-bundles. As long as the v1 certificate has the same ipv4 address as the v2 certificate, the v2 certificate can have additional ipv6 addresses. What might make more sense here is to show dropping support for ipv4 at the end.

Mind mentioning the line numbers? You linked to the same spots when saying two steps could be merged.


nbrownus commented Dec 9, 2025

Line 66 https://github.com/DefinedNet/nebula-docs/blob/ipv6/docs/guides/upgrade-to-cert-v2-and-ipv6/index.mdx#issue-v1v2-certificates-bundles

Line 201 https://github.com/DefinedNet/nebula-docs/blob/ipv6/docs/guides/upgrade-to-cert-v2-and-ipv6/index.mdx#remove-v1-certificates-from-hosts

I strongly suggest you run through the actions described in this guide to verify they have the expected outcome. They were correct up until fairly recently, mainly when we merged slackhq/nebula#1535.

@jasikpark jasikpark requested a review from JackDoan December 9, 2025 16:54
@jasikpark jasikpark requested a review from johnmaguire December 9, 2025 17:10
@jasikpark
Collaborator Author

Can a nebula 1.10 host with a v2 cert with an ipv4 address handshake with a nebula 1.9 host with a v1 cert? I'm guessing it's only nebula 1.10 hosts that can do v1 x v2 cert interop?


JackDoan commented Dec 9, 2025

@jasikpark

correct

I just read through this and it seems good to me! A full run-through of the steps end-to-end is definitely in order, if you haven't already done that.
