Merge feature/enhanced-dns-monitoring: Enhanced DNS monitoring and network latency metrics

This merge includes:
- Per-nameserver DNS testing for custom domains
- Success rate tracking with sliding window
- DNS error type classification for better diagnostics
- DNS consistency check across multiple lookups
- Overlay network testing for accurate CNI connectivity
- Prometheus metrics for network latency monitoring
- Updated DNS monitoring documentation and best practices

Author: mattmattox

docs/monitors.md

@@ -79,6 +79,35 @@ data:
           ioHealthCheck: {{ .Values.monitors.disk.ioHealthCheck }}
       {{- end }}
 
+      {{- if .Values.overlayTest.enabled }}
+      # CNI Connectivity Monitor - Tests overlay network connectivity
+      # Uses overlay-test pods for accurate CNI testing
+      - name: cni-connectivity
+        type: network-cni-check
+        enabled: true
+        interval: 30s
+        timeout: 15s
+        config:
+          discovery:
+            method: kubernetes
+            namespace: {{ .Release.Namespace }}
+            labelSelector: app={{ include "node-doctor.name" . }}-overlay-test
+            refreshInterval: 5m
+            overlayTestEnabled: true
+            overlayTestLabelSelector: app={{ include "node-doctor.name" . }}-overlay-test
+          connectivity:
+            pingCount: 3
+            pingTimeout: 5s
+            warningLatency: 50ms
+            criticalLatency: 200ms
+            failureThreshold: 3
+            minReachablePeers: 80
+          cniHealth:
+            enabled: true
+            configPath: /etc/cni/net.d
+            checkInterfaces: true
+      {{- end }}
+
     exporters:
       kubernetes:
         enabled: {{ .Values.exporters.kubernetes.enabled }}

helm/node-doctor/templates/configmap.yaml

@@ -0,0 +1,114 @@
+{{- if .Values.overlayTest.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "node-doctor.fullname" . }}-overlay-test
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "node-doctor.labels" . | nindent 4 }}
+    app.kubernetes.io/component: overlay-test
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: {{ .Values.overlayTest.updateStrategy.maxUnavailable | default "25%" }}
+
+  selector:
+    matchLabels:
+      app: {{ include "node-doctor.name" . }}-overlay-test
+      app.kubernetes.io/name: {{ include "node-doctor.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+
+  template:
+    metadata:
+      labels:
+        app: {{ include "node-doctor.name" . }}-overlay-test
+        app.kubernetes.io/name: {{ include "node-doctor.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/component: overlay-test
+      annotations:
+        description: "Node Doctor overlay network test pod - used for CNI connectivity testing"
+    spec:
+      # NO hostNetwork - this pod uses the overlay network
+      hostNetwork: false
+
+      # Use cluster DNS (default)
+      dnsPolicy: ClusterFirst
+
+      # Low priority - these are test pods
+      priorityClassName: {{ .Values.overlayTest.priorityClassName | default "" | quote }}
+
+      serviceAccountName: {{ include "node-doctor.serviceAccountName" . }}
+
+      # Tolerate all taints to run on every node
+      tolerations:
+        - operator: Exists
+
+      nodeSelector:
+        kubernetes.io/os: linux
+
+      terminationGracePeriodSeconds: 5
+
+      containers:
+      - name: overlay-test
+        image: "{{ .Values.overlayTest.image.repository }}:{{ .Values.overlayTest.image.tag }}"
+        imagePullPolicy: {{ .Values.overlayTest.image.pullPolicy }}
+
+        # Just sleep forever - we only need the pod to exist and be pingable
+        command: ["/bin/sh"]
+        args: ["-c", "echo 'Overlay test pod ready'; while true; do sleep 3600; done"]
+
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+
+        # Minimal security context
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 65534
+          runAsGroup: 65534
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+
+        # Minimal resources
+        resources:
+          requests:
+            cpu: {{ .Values.overlayTest.resources.requests.cpu | default "1m" }}
+            memory: {{ .Values.overlayTest.resources.requests.memory | default "4Mi" }}
+          limits:
+            cpu: {{ .Values.overlayTest.resources.limits.cpu | default "10m" }}
+            memory: {{ .Values.overlayTest.resources.limits.memory | default "16Mi" }}
+
+        # Simple liveness check
+        livenessProbe:
+          exec:
+            command:
+              - /bin/sh
+              - -c
+              - "true"
+          initialDelaySeconds: 5
+          periodSeconds: 60
+          timeoutSeconds: 1
+          failureThreshold: 3
+
+        # Readiness - always ready once running
+        readinessProbe:
+          exec:
+            command:
+              - /bin/sh
+              - -c
+              - "true"
+          initialDelaySeconds: 2
+          periodSeconds: 10
+          timeoutSeconds: 1
+          failureThreshold: 1
+{{- end }}

helm/node-doctor/templates/overlay-test-daemonset.yaml

@@ -314,3 +314,31 @@ features:
   enableMetrics: true
   enableProfiling: false
   enableTracing: false
+
+# Overlay Test Configuration
+# Deploys lightweight test pods WITHOUT hostNetwork for accurate CNI/overlay testing
+overlayTest:
+  # Enable overlay test pods - required for accurate CNI connectivity testing
+  enabled: true
+
+  # Image for overlay test pods (minimal image, just needs to exist and be pingable)
+  image:
+    repository: busybox
+    tag: "1.36"
+    pullPolicy: IfNotPresent
+
+  # Resource limits for overlay test pods (minimal - just needs to sleep)
+  resources:
+    requests:
+      cpu: 1m
+      memory: 4Mi
+    limits:
+      cpu: 10m
+      memory: 16Mi
+
+  # Update strategy
+  updateStrategy:
+    maxUnavailable: "25%"
+
+  # Priority class (empty = no priority class)
+  priorityClassName: ""

helm/node-doctor/values.yaml

@@ -191,6 +191,9 @@ func (e *PrometheusExporter) ExportStatus(ctx context.Context, status *types.Sta
 	uptime := time.Since(e.startTime).Seconds()
 	e.metrics.UptimeSeconds.WithLabelValues(e.nodeName).Set(uptime)
 
+	// Extract and record latency metrics from status metadata
+	e.recordLatencyMetrics(status)
+
 	// Record successful export
 	e.metrics.ExportOperationsTotal.WithLabelValues(
 		e.nodeName, "prometheus", "status", "success").Inc()
@@ -200,6 +203,74 @@ func (e *PrometheusExporter) ExportStatus(ctx context.Context, status *types.Sta
 	return nil
 }
 
+// recordLatencyMetrics extracts latency metrics from status metadata and records them
+func (e *PrometheusExporter) recordLatencyMetrics(status *types.Status) {
+	latencyMetrics := status.GetLatencyMetrics()
+	if latencyMetrics == nil {
+		return
+	}
+
+	// Record gateway latency metrics
+	if latencyMetrics.Gateway != nil {
+		gw := latencyMetrics.Gateway
+		latencySeconds := gw.LatencyMs / 1000.0
+
+		e.metrics.GatewayLatencySeconds.WithLabelValues(
+			e.nodeName, gw.GatewayIP).Set(latencySeconds)
+
+		e.metrics.GatewayLatencyHistogram.WithLabelValues(
+			e.nodeName, gw.GatewayIP).Observe(latencySeconds)
+	}
+
+	// Record peer latency metrics
+	if len(latencyMetrics.Peers) > 0 {
+		reachableCount := 0
+		for _, peer := range latencyMetrics.Peers {
+			latencySeconds := peer.LatencyMs / 1000.0
+			avgLatencySeconds := peer.AvgLatencyMs / 1000.0
+
+			e.metrics.PeerLatencySeconds.WithLabelValues(
+				e.nodeName, peer.PeerNode, peer.PeerIP).Set(latencySeconds)
+
+			e.metrics.PeerLatencyAvgSeconds.WithLabelValues(
+				e.nodeName, peer.PeerNode, peer.PeerIP).Set(avgLatencySeconds)
+
+			reachable := 0.0
+			if peer.Reachable {
+				reachable = 1.0
+				reachableCount++
+			}
+			e.metrics.PeerReachable.WithLabelValues(
+				e.nodeName, peer.PeerNode, peer.PeerIP).Set(reachable)
+
+			e.metrics.PeerLatencyHistogram.WithLabelValues(
+				e.nodeName, peer.PeerNode).Observe(latencySeconds)
+		}
+
+		e.metrics.PeersTotal.WithLabelValues(e.nodeName).Set(float64(len(latencyMetrics.Peers)))
+		e.metrics.PeersReachableTotal.WithLabelValues(e.nodeName).Set(float64(reachableCount))
+	}
+
+	// Record DNS latency metrics
+	for _, dns := range latencyMetrics.DNS {
+		latencySeconds := dns.LatencyMs / 1000.0
+
+		e.metrics.DNSLatencySeconds.WithLabelValues(
+			e.nodeName, dns.DNSServer, dns.Domain, dns.RecordType).Set(latencySeconds)
+
+		e.metrics.DNSLatencyHistogram.WithLabelValues(
+			e.nodeName, dns.DomainType).Observe(latencySeconds)
+	}
+
+	// Record API server latency metrics
+	if latencyMetrics.APIServer != nil {
+		latencySeconds := latencyMetrics.APIServer.LatencyMs / 1000.0
+
+		e.metrics.APIServerLatencySeconds.WithLabelValues(e.nodeName).Set(latencySeconds)
+		e.metrics.APIServerLatencyHistogram.WithLabelValues(e.nodeName).Observe(latencySeconds)
+	}
+}
+
 // ExportProblem implements types.Exporter interface for problem exports
 func (e *PrometheusExporter) ExportProblem(ctx context.Context, problem *types.Problem) error {
 	if problem == nil {