feat: enable forwardKubeDNSToHost by default

And ensure that it works. Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
siderolabs · May 23, 2024 · fcd65ff · fcd65ff
1 parent 2e64e9e
commit fcd65ff
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 2 deletions.
diff --git a/hack/release.toml b/hack/release.toml
@@ -31,6 +31,23 @@ Talos is built with Go 1.22.3.
         description = """\
 Talos Linux now compresses kernel and initramfs using ZSTD.
 Linux arm64 kernel is now compressed (previously it was uncompressed).
+"""
+
+    [notes.forward-kube-dns-to-host]
+        title = "DNS Forwarding for CoreDNS pods"
+        description = """\
+Usage of the host DNS resolver as upstream for Kubernetes CoreDNS pods is now enabled by default. You can disable it
+with:
+
+```yaml
+machine:
+  features:
+    hostDNS:
+      enabled: true
+      forwardKubeDNSToHost: false
+```
+
+Please note that on running cluster you will have to kill CoreDNS pods for this change to apply.
 """
 
 [make_deps]

diff --git a/pkg/machinery/config/contract.go b/pkg/machinery/config/contract.go
@@ -149,3 +149,8 @@ func (contract *VersionContract) UseRSAServiceAccountKey() bool {
 func (contract *VersionContract) ClusterNameForWorkers() bool {
 	return contract.Greater(TalosVersion1_7)
 }
+
+// HostDNSForwardKubeDNSToHost returns true if version of Talos forces host dns router to be used as upstream for Kubernetes CoreDNS pods.
+func (contract *VersionContract) HostDNSForwardKubeDNSToHost() bool {
+	return contract.Greater(TalosVersion1_7)
+}
diff --git a/pkg/machinery/config/contract_test.go b/pkg/machinery/config/contract_test.go
@@ -61,6 +61,7 @@ func TestContractCurrent(t *testing.T) {
 	assert.True(t, contract.HostDNSEnabled())
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.True(t, contract.ClusterNameForWorkers())
+	assert.True(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_8(t *testing.T) {
@@ -81,6 +82,7 @@ func TestContract1_8(t *testing.T) {
 	assert.True(t, contract.HostDNSEnabled())
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.True(t, contract.ClusterNameForWorkers())
+	assert.True(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_7(t *testing.T) {
@@ -101,6 +103,7 @@ func TestContract1_7(t *testing.T) {
 	assert.True(t, contract.HostDNSEnabled())
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_6(t *testing.T) {
@@ -121,6 +124,7 @@ func TestContract1_6(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_5(t *testing.T) {
@@ -141,6 +145,7 @@ func TestContract1_5(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_4(t *testing.T) {
@@ -161,6 +166,7 @@ func TestContract1_4(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_3(t *testing.T) {
@@ -181,6 +187,7 @@ func TestContract1_3(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_2(t *testing.T) {
@@ -201,6 +208,7 @@ func TestContract1_2(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_1(t *testing.T) {
@@ -221,6 +229,7 @@ func TestContract1_1(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
 
 func TestContract1_0(t *testing.T) {
@@ -241,4 +250,5 @@ func TestContract1_0(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
diff --git a/pkg/machinery/config/generate/init.go b/pkg/machinery/config/generate/init.go
@@ -96,7 +96,7 @@ func (in *Input) init() ([]config.Document, error) {
 	if in.Options.VersionContract.HostDNSEnabled() {
 		machine.MachineFeatures.HostDNSSupport = &v1alpha1.HostDNSConfig{
 			HostDNSEnabled:              pointer.To(true),
-			HostDNSForwardKubeDNSToHost: in.Options.HostDNSForwardKubeDNSToHost.Ptr(),
+			HostDNSForwardKubeDNSToHost: ptrOrNil(in.Options.HostDNSForwardKubeDNSToHost.ValueOrZero() || in.Options.VersionContract.HostDNSForwardKubeDNSToHost()),
 		}
 	}
 
@@ -229,3 +229,11 @@ func (in *Input) init() ([]config.Document, error) {
 
 	return []config.Document{v1alpha1Config}, nil
 }
+
+func ptrOrNil(b bool) *bool {
+	if b {
+		return &b
+	}
+
+	return nil
+}
diff --git a/pkg/machinery/config/generate/worker.go b/pkg/machinery/config/generate/worker.go
@@ -97,7 +97,7 @@ func (in *Input) worker() ([]config.Document, error) {
 	if in.Options.VersionContract.HostDNSEnabled() {
 		machine.MachineFeatures.HostDNSSupport = &v1alpha1.HostDNSConfig{
 			HostDNSEnabled:              pointer.To(true),
-			HostDNSForwardKubeDNSToHost: in.Options.HostDNSForwardKubeDNSToHost.Ptr(),
+			HostDNSForwardKubeDNSToHost: ptrOrNil(in.Options.HostDNSForwardKubeDNSToHost.ValueOrZero() || in.Options.VersionContract.HostDNSForwardKubeDNSToHost()),
 		}
 	}
 

diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-controlplane.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-controlplane.yaml
@@ -25,6 +25,7 @@ machine:
             port: 7445
         hostDNS:
             enabled: true
+            forwardKubeDNSToHost: true
 cluster:
     id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
     secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=

diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-worker.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-worker.yaml
@@ -25,6 +25,7 @@ machine:
             port: 7445
         hostDNS:
             enabled: true
+            forwardKubeDNSToHost: true
 cluster:
     id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
     secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=

diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-controlplane.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-controlplane.yaml
@@ -44,6 +44,7 @@ machine:
             port: 7445
         hostDNS:
             enabled: true
+            forwardKubeDNSToHost: true
 cluster:
     id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
     secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=

diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-worker.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-worker.yaml
@@ -44,6 +44,7 @@ machine:
             port: 7445
         hostDNS:
             enabled: true
+            forwardKubeDNSToHost: true
 cluster:
     id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
     secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=