[release-v1.38] Auto pick #3866: Set explicit DNS nameservers for calico/node when needed (#3868)

* Set explicit DNS nameservers for calico/node when needed

* Make gen-versions

* Update copyright

* Fix typo

* Fix log

* gosimple

* fix

* gen-versions

Author: caseydavenport

cmd/main.go

@@ -389,6 +389,12 @@ If a value other than 'all' is specified, the first CRD with a prefix of the spe
 		log.Error(err, fmt.Sprintf("Couldn't find the cluster domain from the resolv.conf, defaulting to %s", clusterDomain))
 	}
 
+	nameservers, err := dns.Nameservers(dns.DefaultResolveConfPath)
+	if err != nil {
+		log.Error(err, "Couldn't find the nameservers from the resolv.conf")
+	}
+	log.Infof("Found nameservers: %v", nameservers)
+
 	kubernetesVersion, err := common.GetKubernetesVersion(clientset)
 	if err != nil {
 		log.Error(err, "Unable to resolve Kubernetes version, defaulting to v1.18")
@@ -436,6 +442,7 @@ If a value other than 'all' is specified, the first CRD with a prefix of the spe
 		DetectedProvider:    provider,
 		EnterpriseCRDExists: enterpriseCRDExists,
 		ClusterDomain:       clusterDomain,
+		Nameservers:         nameservers,
 		KubernetesVersion:   kubernetesVersion,
 		ManageCRDs:          manageCRDs,
 		ShutdownContext:     ctx,

pkg/controller/installation/core_controller.go

@@ -185,6 +185,7 @@ func newReconciler(mgr manager.Manager, opts options.AddOptions) (*ReconcileInst
 		namespaceMigration:   nm,
 		enterpriseCRDsExist:  opts.EnterpriseCRDExists,
 		clusterDomain:        opts.ClusterDomain,
+		nameservers:          opts.Nameservers,
 		manageCRDs:           opts.ManageCRDs,
 		tierWatchReady:       &utils.ReadyFlag{},
 		newComponentHandler:  utils.NewComponentHandler,
@@ -368,6 +369,7 @@ type ReconcileInstallation struct {
 	enterpriseCRDsExist           bool
 	migrationChecked              bool
 	clusterDomain                 string
+	nameservers                   []string
 	manageCRDs                    bool
 	tierWatchReady                *utils.ReadyFlag
 	// newComponentHandler returns a new component handler. Useful stub for unit testing.
@@ -1410,6 +1412,7 @@ func (r *ReconcileInstallation) Reconcile(ctx context.Context, request reconcile
 		BirdTemplates:                 birdTemplates,
 		TLS:                           typhaNodeTLS,
 		ClusterDomain:                 r.clusterDomain,
+		Nameservers:                   r.nameservers,
 		NodeReporterMetricsPort:       nodeReporterMetricsPort,
 		BGPLayouts:                    bgpLayout,
 		NodeAppArmorProfile:           nodeAppArmorProfile,

pkg/controller/options/options.go

@@ -34,6 +34,12 @@ type AddOptions struct {
 	ManageCRDs          bool
 	ShutdownContext     context.Context
 
+	// Nameservers contains the nameservers configured for the operator. Most pods do not need explicit
+	// nameservers specified, as they will use the default nameservers configured in the cluster. However, any pods
+	// that must function prior to cluster DNS being available (e.g., the operator itself and calico/node)
+	// may need to have the nameservers explicitly set if configured to access the Kubernetes API via a domain name.
+	Nameservers []string
+
 	// Kubernetes clientset used by controllers to create watchers and informers.
 	K8sClientset *kubernetes.Clientset
 

pkg/dns/dns.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@ package dns
 import (
 	"bufio"
 	"fmt"
+	"net"
 	"os"
 	"regexp"
 )
@@ -59,6 +60,38 @@ func GetClusterDomain(resolvConfPath string) (string, error) {
 	return clusterDomain, nil
 }
 
+// IsDomainName checks if the given name is a domain name and returns true if it is.
+func IsDomainName(name string) bool {
+	// Attempt to parse it as an IP.
+	return net.ParseIP(name) == nil
+}
+
+// Nameservers returns the list of nameservers from the resolv.conf file.
+func Nameservers(resolvConfPath string) ([]string, error) {
+	var nameservers []string
+	file, err := os.Open(resolvConfPath)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	reg := regexp.MustCompile(`^nameserver\s+([^\s]+)`)
+
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		match := reg.FindStringSubmatch(scanner.Text())
+		if len(match) > 0 {
+			nameservers = append(nameservers, match[1])
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	return nameservers, nil
+}
+
 // GetServiceDNSNames returns a list of a service's DNS names.
 // We return:
 // - <svc_name>

pkg/render/node.go

@@ -35,6 +35,7 @@ import (
 	"github.com/tigera/operator/pkg/components"
 	"github.com/tigera/operator/pkg/controller/k8sapi"
 	"github.com/tigera/operator/pkg/controller/migration"
+	"github.com/tigera/operator/pkg/dns"
 	"github.com/tigera/operator/pkg/ptr"
 	rcomp "github.com/tigera/operator/pkg/render/common/components"
 	"github.com/tigera/operator/pkg/render/common/configmap"
@@ -98,6 +99,7 @@ type NodeConfiguration struct {
 	IPPools         []operatorv1.IPPool
 	TLS             *TyphaNodeTLS
 	ClusterDomain   string
+	Nameservers     []string
 
 	// Optional fields.
 	LogCollector            *operatorv1.LogCollector
@@ -987,6 +989,14 @@ func (c *nodeComponent) nodeDaemonset(cniCfgMap *corev1.ConfigMap) *appsv1.Daemo
 		},
 	}
 
+	if len(c.cfg.Nameservers) > 0 && dns.IsDomainName(c.cfg.K8sServiceEp.Host) {
+		// If the configured k8s service endpoint is a domain name rather than an IP address, calico/node
+		// will need explicit nameservers to resolve it.
+		ds.Spec.Template.Spec.DNSConfig = &corev1.PodDNSConfig{
+			Nameservers: c.cfg.Nameservers,
+		}
+	}
+
 	if c.cfg.Installation.CNI.Type == operatorv1.PluginCalico {
 		ds.Spec.Template.Spec.InitContainers = append(ds.Spec.Template.Spec.InitContainers, c.cniContainer())
 	}