k8s-operator: add IPv6 support for DNS records (#16691)

This change adds full IPv6 support to the Kubernetes operator's DNS functionality, enabling dual-stack and IPv6-only cluster support. Fixes #16633 Signed-off-by: Raj Singh <raj@tailscale.com>
2025-10-30 00:29:48 +00:00 · 2025-09-25 11:26:43 -04:00
parent e0a77cf41a
commit 0b27871860
9 changed files with 408 additions and 94 deletions
--- a/cmd/k8s-nameserver/main_test.go
+++ b/cmd/k8s-nameserver/main_test.go
@@ -19,6 +19,7 @@ func TestNameserver(t *testing.T) {
 	tests := []struct {
 		name     string
 		ip4      map[dnsname.FQDN][]net.IP
+		ip6      map[dnsname.FQDN][]net.IP
 		query    *dns.Msg
 		wantResp *dns.Msg
 	}{
@@ -112,6 +113,49 @@ func TestNameserver(t *testing.T) {
 					Authoritative: true,
 				}},
 		},
+		{
+			name: "AAAA record query with IPv6 record",
+			ip6:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("foo.bar.com."): {net.ParseIP("2001:db8::1")}},
+			query: &dns.Msg{
+				Question: []dns.Question{{Name: "foo.bar.com", Qtype: dns.TypeAAAA}},
+				MsgHdr:   dns.MsgHdr{Id: 1, RecursionDesired: true},
+			},
+			wantResp: &dns.Msg{
+				Answer: []dns.RR{&dns.AAAA{Hdr: dns.RR_Header{
+					Name: "foo.bar.com", Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: 0},
+					AAAA: net.ParseIP("2001:db8::1")}},
+				Question: []dns.Question{{Name: "foo.bar.com", Qtype: dns.TypeAAAA}},
+				MsgHdr: dns.MsgHdr{
+					Id:                 1,
+					Rcode:              dns.RcodeSuccess,
+					RecursionAvailable: false,
+					RecursionDesired:   true,
+					Response:           true,
+					Opcode:             dns.OpcodeQuery,
+					Authoritative:      true,
+				}},
+		},
+		{
+			name: "Dual-stack: both A and AAAA records exist",
+			ip4:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("dual.bar.com."): {{10, 0, 0, 1}}},
+			ip6:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("dual.bar.com."): {net.ParseIP("2001:db8::1")}},
+			query: &dns.Msg{
+				Question: []dns.Question{{Name: "dual.bar.com", Qtype: dns.TypeAAAA}},
+				MsgHdr:   dns.MsgHdr{Id: 1},
+			},
+			wantResp: &dns.Msg{
+				Answer: []dns.RR{&dns.AAAA{Hdr: dns.RR_Header{
+					Name: "dual.bar.com", Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: 0},
+					AAAA: net.ParseIP("2001:db8::1")}},
+				Question: []dns.Question{{Name: "dual.bar.com", Qtype: dns.TypeAAAA}},
+				MsgHdr: dns.MsgHdr{
+					Id:            1,
+					Rcode:         dns.RcodeSuccess,
+					Response:      true,
+					Opcode:        dns.OpcodeQuery,
+					Authoritative: true,
+				}},
+		},
 		{
 			name: "CNAME record query",
 			ip4:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("foo.bar.com."): {{1, 2, 3, 4}}},
@@ -133,6 +177,7 @@ func TestNameserver(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			ns := &nameserver{
 				ip4: tt.ip4,
+				ip6: tt.ip6,
 			}
 			handler := ns.handleFunc()
 			fakeRespW := &fakeResponseWriter{}
@@ -149,43 +194,63 @@ func TestResetRecords(t *testing.T) {
 		name     string
 		config   []byte
 		hasIp4   map[dnsname.FQDN][]net.IP
+		hasIp6   map[dnsname.FQDN][]net.IP
 		wantsIp4 map[dnsname.FQDN][]net.IP
+		wantsIp6 map[dnsname.FQDN][]net.IP
 		wantsErr bool
 	}{
 		{
 			name:     "previously empty nameserver.ip4 gets set",
 			config:   []byte(`{"version": "v1alpha1", "ip4": {"foo.bar.com": ["1.2.3.4"]}}`),
 			wantsIp4: map[dnsname.FQDN][]net.IP{"foo.bar.com.": {{1, 2, 3, 4}}},
+			wantsIp6: make(map[dnsname.FQDN][]net.IP),
 		},
 		{
 			name:     "nameserver.ip4 gets reset",
 			hasIp4:   map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
 			config:   []byte(`{"version": "v1alpha1", "ip4": {"foo.bar.com": ["1.2.3.4"]}}`),
 			wantsIp4: map[dnsname.FQDN][]net.IP{"foo.bar.com.": {{1, 2, 3, 4}}},
+			wantsIp6: make(map[dnsname.FQDN][]net.IP),
 		},
 		{
 			name:     "configuration with incompatible version",
 			hasIp4:   map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
 			config:   []byte(`{"version": "v1beta1", "ip4": {"foo.bar.com": ["1.2.3.4"]}}`),
 			wantsIp4: map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
+			wantsIp6: nil,
 			wantsErr: true,
 		},
 		{
 			name:     "nameserver.ip4 gets reset to empty config when no configuration is provided",
 			hasIp4:   map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
 			wantsIp4: make(map[dnsname.FQDN][]net.IP),
+			wantsIp6: make(map[dnsname.FQDN][]net.IP),
 		},
 		{
 			name:     "nameserver.ip4 gets reset to empty config when the provided configuration is empty",
 			hasIp4:   map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
 			config:   []byte(`{"version": "v1alpha1", "ip4": {}}`),
 			wantsIp4: make(map[dnsname.FQDN][]net.IP),
+			wantsIp6: make(map[dnsname.FQDN][]net.IP),
+		},
+		{
+			name:     "nameserver.ip6 gets set",
+			config:   []byte(`{"version": "v1alpha1", "ip6": {"foo.bar.com": ["2001:db8::1"]}}`),
+			wantsIp4: make(map[dnsname.FQDN][]net.IP),
+			wantsIp6: map[dnsname.FQDN][]net.IP{"foo.bar.com.": {net.ParseIP("2001:db8::1")}},
+		},
+		{
+			name:     "dual-stack configuration",
+			config:   []byte(`{"version": "v1alpha1", "ip4": {"dual.bar.com": ["10.0.0.1"]}, "ip6": {"dual.bar.com": ["2001:db8::1"]}}`),
+			wantsIp4: map[dnsname.FQDN][]net.IP{"dual.bar.com.": {{10, 0, 0, 1}}},
+			wantsIp6: map[dnsname.FQDN][]net.IP{"dual.bar.com.": {net.ParseIP("2001:db8::1")}},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ns := &nameserver{
 				ip4:          tt.hasIp4,
+				ip6:          tt.hasIp6,
 				configReader: func() ([]byte, error) { return tt.config, nil },
 			}
 			if err := ns.resetRecords(); err == nil == tt.wantsErr {
@@ -194,6 +259,9 @@ func TestResetRecords(t *testing.T) {
 			if diff := cmp.Diff(ns.ip4, tt.wantsIp4); diff != "" {
 				t.Fatalf("unexpected nameserver.ip4 contents (-got +want): \n%s", diff)
 			}
+			if diff := cmp.Diff(ns.ip6, tt.wantsIp6); diff != "" {
+				t.Fatalf("unexpected nameserver.ip6 contents (-got +want): \n%s", diff)
+			}
 		})
 	}
 }