feat: enable forwardKubeDNSToHost by default

And ensure that it works. Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
2025-10-28 06:51:34 +01:00 · 2024-05-07 23:06:26 +03:00 · 2024-05-07 23:06:26 +03:00 · fcd65ff65c
commit fcd65ff65c
parent 2e64e9e4e0
9 changed files with 46 additions and 2 deletions
--- a/hack/release.toml
+++ b/hack/release.toml
@ -31,6 +31,23 @@ Talos is built with Go 1.22.3.
        description = """\
 Talos Linux now compresses kernel and initramfs using ZSTD.
 Linux arm64 kernel is now compressed (previously it was uncompressed).
+"""
+
+    [notes.forward-kube-dns-to-host]
+        title = "DNS Forwarding for CoreDNS pods"
+        description = """\
+Usage of the host DNS resolver as upstream for Kubernetes CoreDNS pods is now enabled by default. You can disable it
+with:
+
+```yaml
+machine:
+  features:
+    hostDNS:
+      enabled: true
+      forwardKubeDNSToHost: false
+```
+
+Please note that on running cluster you will have to kill CoreDNS pods for this change to apply.
 """

 [make_deps]
--- a/pkg/machinery/config/contract.go
+++ b/pkg/machinery/config/contract.go
@ -149,3 +149,8 @@ func (contract *VersionContract) UseRSAServiceAccountKey() bool {
 func (contract *VersionContract) ClusterNameForWorkers() bool {
 	return contract.Greater(TalosVersion1_7)
 }
+
+// HostDNSForwardKubeDNSToHost returns true if version of Talos forces host dns router to be used as upstream for Kubernetes CoreDNS pods.
+func (contract *VersionContract) HostDNSForwardKubeDNSToHost() bool {
+	return contract.Greater(TalosVersion1_7)
+}
--- a/pkg/machinery/config/contract_test.go
+++ b/pkg/machinery/config/contract_test.go
@ -61,6 +61,7 @@ func TestContractCurrent(t *testing.T) {
 	assert.True(t, contract.HostDNSEnabled())
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.True(t, contract.ClusterNameForWorkers())
+	assert.True(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_8(t *testing.T) {
@ -81,6 +82,7 @@ func TestContract1_8(t *testing.T) {
 	assert.True(t, contract.HostDNSEnabled())
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.True(t, contract.ClusterNameForWorkers())
+	assert.True(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_7(t *testing.T) {
@ -101,6 +103,7 @@ func TestContract1_7(t *testing.T) {
 	assert.True(t, contract.HostDNSEnabled())
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_6(t *testing.T) {
@ -121,6 +124,7 @@ func TestContract1_6(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_5(t *testing.T) {
@ -141,6 +145,7 @@ func TestContract1_5(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_4(t *testing.T) {
@ -161,6 +166,7 @@ func TestContract1_4(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_3(t *testing.T) {
@ -181,6 +187,7 @@ func TestContract1_3(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_2(t *testing.T) {
@ -201,6 +208,7 @@ func TestContract1_2(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_1(t *testing.T) {
@ -221,6 +229,7 @@ func TestContract1_1(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }

 func TestContract1_0(t *testing.T) {
@ -241,4 +250,5 @@ func TestContract1_0(t *testing.T) {
 	assert.False(t, contract.HostDNSEnabled())
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
+	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
 }
--- a/pkg/machinery/config/generate/init.go
+++ b/pkg/machinery/config/generate/init.go
@ -96,7 +96,7 @@ func (in *Input) init() ([]config.Document, error) {
 	if in.Options.VersionContract.HostDNSEnabled() {
 		machine.MachineFeatures.HostDNSSupport = &v1alpha1.HostDNSConfig{
 			HostDNSEnabled:              pointer.To(true),
-			HostDNSForwardKubeDNSToHost: in.Options.HostDNSForwardKubeDNSToHost.Ptr(),
+			HostDNSForwardKubeDNSToHost: ptrOrNil(in.Options.HostDNSForwardKubeDNSToHost.ValueOrZero() || in.Options.VersionContract.HostDNSForwardKubeDNSToHost()),
 		}
 	}

@ -229,3 +229,11 @@ func (in *Input) init() ([]config.Document, error) {

 	return []config.Document{v1alpha1Config}, nil
 }
+
+func ptrOrNil(b bool) *bool {
+	if b {
+		return &b
+	}
+
+	return nil
+}
--- a/pkg/machinery/config/generate/worker.go
+++ b/pkg/machinery/config/generate/worker.go
@ -97,7 +97,7 @@ func (in *Input) worker() ([]config.Document, error) {
 	if in.Options.VersionContract.HostDNSEnabled() {
 		machine.MachineFeatures.HostDNSSupport = &v1alpha1.HostDNSConfig{
 			HostDNSEnabled:              pointer.To(true),
-			HostDNSForwardKubeDNSToHost: in.Options.HostDNSForwardKubeDNSToHost.Ptr(),
+			HostDNSForwardKubeDNSToHost: ptrOrNil(in.Options.HostDNSForwardKubeDNSToHost.ValueOrZero() || in.Options.VersionContract.HostDNSForwardKubeDNSToHost()),
 		}
 	}

--- a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-controlplane.yaml
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-controlplane.yaml
@ -25,6 +25,7 @@ machine:
            port: 7445
        hostDNS:
            enabled: true
+            forwardKubeDNSToHost: true
 cluster:
    id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
    secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
--- a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-worker.yaml
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-worker.yaml
@ -25,6 +25,7 @@ machine:
            port: 7445
        hostDNS:
            enabled: true
+            forwardKubeDNSToHost: true
 cluster:
    id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
    secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
--- a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-controlplane.yaml
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-controlplane.yaml
@ -44,6 +44,7 @@ machine:
            port: 7445
        hostDNS:
            enabled: true
+            forwardKubeDNSToHost: true
 cluster:
    id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
    secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
--- a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-worker.yaml
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-worker.yaml
@ -44,6 +44,7 @@ machine:
            port: 7445
        hostDNS:
            enabled: true
+            forwardKubeDNSToHost: true
 cluster:
    id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
    secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=