Deploying `linkerd2-cni` with IPv6 doesn't work

[JihadMotii-REISys]

What is the issue?

I'm currently deploying linkerd2-cni helm chart through ArgoCD on AWS EKS 1.32 (self-managed-node) as follow:

kind: Application
metadata:
  name: linkerd-cni
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
spec:
  project: default
  destination:
    namespace: linkerd-cni
    server: {{ .Values.destination.cluster }}
  source:
    chart: linkerd2-cni
    repoURL: https://helm.linkerd.io/edge
    targetRevision: 2025.1.2
    helm:
      values: |
        # https://linkerd.io/2-edge/features/ipv6/
        # Enable IPv6 Support
        disableIPv6: false
  syncPolicy:
    automated:
      prune: true # Specifies if resources should be pruned during auto-syncing ( false by default ).
      selfHeal: true # Specifies if partial app sync should be executed when resources are changed only in target Kubernetes cluster and no git change detected ( false by default ).
    syncOptions: # Sync options which modifies sync behavior
      - Validate=false # disables resource validation (equivalent to 'kubectl apply --validate=true')

This works fine for the first time deployment. However, as soon as I delete this application or uninstall this helm chart then redeploy it again against the same EKS Cluster, it throws the following error message:

Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "4f6f0517034f255f3b4831091540a8f2cdcfae02944353350c9eee14828cbbef": plugin type="linkerd-cni" name="linkerd-cni" failed (add): Unauthorized

How can it be reproduced?

Deploy the linkerd2-cni helm chart for first time then delete this helm chart after that re-install it again and it will throw the error message below.

Logs, error output, etc

Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "4f6f0517034f255f3b4831091540a8f2cdcfae02944353350c9eee14828cbbef": plugin type="linkerd-cni" name="linkerd-cni" failed (add): Unauthorized

output of linkerd check -o short

-----------------
× 'linkerd-config' config map exists
    configmaps "linkerd-config" not found
    see https://linkerd.io/2.14/checks/#l5d-existence-linkerd-config for hints

Environment

• Kubernetes: 1.32
• Cluster Environment: EKS
• Host OS: AL2
• Linkerd Version: edge-25-1-2 same as the latest version 25-3-1

Possible solution

No response

Additional context

No response

Would you like to work on fixing this bug?

None

[alpeb]

This was fixed in linkerd-cni v1.6.2, which comes with linkerd-edge-25.3.1. Unfortunately, for the fix to be effective it requires the linkerd-cni daemonset to be deployed into new nodes. If that's not an option, we can provide instructions on how to fix existing nodes.

[jdinsel-xealth]

linkerd-cni v2025.3.1 still contains linkerd-cni v1.6.0. This is broken in that version and deploying it does not appear to be revertable. The first linkerd-cni pod to come online stays in an Unauthorized state.

The idea of replacing the node did succeed. Thanks for posting that @alpeb . I have successfully downgraded. Maybe I spoke too soon. The issue moved to another legacy node. Looks like I will have to drain and delete all of the old nodes.

[alpeb]

Sorry about the inconvenience. Closing this one out then, let me know if you still experience any trouble.

[jdinsel-xealth]

I don't understand the current advice to upgrade beyond this issue. The latest helm release is still v2025.3.1 which includes edge-25.3.1. I witnessed this deploy linkerd-cni v1.6.0 containers. The comment stated that linkerd-cni v1.6.2 has the fix and is included in edge-25.3.1, but that isn't what the helm charts are saying. At least not at https://helm.linkerd.io/stable or https://helm.linkerd.io/edge

[alpeb]

$ helm repo add linkerd-edge https://helm.linkerd.io/edge
"linkerd-edge" has been added to your repositories
$ helm show values linkerd-edge/linkerd2-cni | grep -B3 version
  # -- Docker image for the CNI plugin
  name: "cr.l5d.io/linkerd/cni-plugin"
  # -- Tag for the CNI container Docker image
  version: "v1.6.2"

[jdinsel-xealth]

My experience was that the image version 1.6.0 was stuck during the helm chart upgrade. Could this have been an issue resulting from having upgraded to v2025.2.3 and then trying v2025.3.1? We had image 1.6.0 stuck during the upgrade.

[jdinsel-xealth]

I retried the upgrade to v2025.3.1 and it failed with the Unauthorized issue. I confirmed that the pod was v1.6.2 during this rollout. @alpeb, I would like to try the instructions that were mentioned for how to roll this out to nodes without creating new nodes. I was unsuccessful with draining a node and deleting it.