feat(networkinfo): AllowedDNSDomains from VPC DNS zones

Wire NetworkInfo reconciler to DNSRecordService for per-namespace allowed
DNS domains derived from VPC DNS zone configuration. Register DNS record
service initialization in cmd when VPC networking is enabled.

Author: wenyingd

cmd/main.go

@@ -58,6 +58,7 @@ import (
 	"github.com/vmware-tanzu/nsx-operator/pkg/metrics"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/dns"
 	ipaddressallocationservice "github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/ipaddressallocation"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/vpc"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/util"
@@ -192,6 +193,11 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 			log.Error(err, "Failed to initialize staticroute commonService", "controller", "StaticRoute")
 			os.Exit(1)
 		}
+		dnsRecordService, err := dns.InitializeDNSRecordService(commonService, vpcService)
+		if err != nil {
+			log.Error(err, "Failed to initialize DNS record service", "controller", "DNS")
+			os.Exit(1)
+		}
 		ipblocksInfoService := ipblocksinfo.InitializeIPBlocksInfoService(commonService, subnetService)
 
 		subnetBindingService, err := subnetbindingservice.InitializeService(commonService)
@@ -230,7 +236,7 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 		subnetSetReconcile = subnetset.NewSubnetSetReconciler(mgr, subnetService, subnetPortService, vpcService, subnetBindingService)
 		reconcilerList = append(
 			reconcilerList,
-			networkinfocontroller.NewNetworkInfoReconciler(mgr, vpcService, ipblocksInfoService),
+			networkinfocontroller.NewNetworkInfoReconciler(mgr, vpcService, ipblocksInfoService, dnsRecordService),
 			namespacecontroller.NewNamespaceReconciler(mgr, cf, vpcService, subnetService, subnetPortService),
 			subnet.NewSubnetReconciler(mgr, subnetService, subnetPortService, vpcService, subnetBindingService),
 			subnetSetReconcile,

pkg/controllers/networkinfo/networkinfo_controller.go

@@ -6,6 +6,8 @@ package networkinfo
 import (
 	"context"
 	"fmt"
+	"maps"
+	"slices"
 	"time"
 
 	stderrors "github.com/vmware/vsphere-automation-sdk-go/lib/vapi/std/errors"
@@ -70,6 +72,7 @@ var (
 	nsMsgVPCAutoSNATDisabled      = newNsUnreadyMessage("SNAT is not enabled in System VPC", NSReasonVPCSnatNotReady)
 	nsMsgVPCDefaultSNATIPGetError = newNsUnreadyMessage("Default SNAT IP is not allocated in VPC: %v", NSReasonVPCSnatNotReady)
 	nsMsgVPCIsReady               = newNsUnreadyMessage("", "")
+	nsMsgVPCDNSZonesSyncError     = newNsUnreadyMessage("Failed to sync permitted DNS zones from NSX: %v", NSReasonVPCNotReady)
 )
 
 type nsUnreadyMessage struct {
@@ -97,12 +100,18 @@ func (m *nsUnreadyMessage) getNSNetworkCondition(options ...interface{}) *corev1
 	return cond
 }
 
+// dnsZoneSyncer is the minimal DNS interface needed by NetworkInfoReconciler for VPC DNS zone lookups.
+type dnsZoneSyncer interface {
+	SyncDNSZonesByVpcNetworkConfig(vpcConfig *v1alpha1.VPCNetworkConfiguration) (map[string]string, error)
+}
+
 // NetworkInfoReconciler NetworkInfoReconcile reconciles a NetworkInfo object
 // Actually it is more like a shell, which is used to manage nsx VPC
 type NetworkInfoReconciler struct {
 	Client              client.Client
 	Scheme              *apimachineryruntime.Scheme
 	Service             *vpc.VPCService
+	DNSRecordService    dnsZoneSyncer
 	IPBlocksInfoService *ipblocksinfo.IPBlocksInfoService
 	Recorder            record.EventRecorder
 	queue               workqueue.TypedRateLimitingInterface[reconcile.Request]
@@ -430,9 +439,29 @@ func (r *NetworkInfoReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		NetworkStack:            networkStack,
 	}
 
+	var allowedDNSDomains []string
+	if r.DNSRecordService != nil && len(nc.Spec.DNSZones) > 0 {
+		zoneMap, err := r.DNSRecordService.SyncDNSZonesByVpcNetworkConfig(nc)
+		if err != nil {
+			r.StatusUpdater.UpdateFail(ctx, networkInfoCR, err, "Failed to sync DNS zones for VPC network configuration", setNetworkInfoVPCStatusWithError, state)
+			setNSNetworkReadyCondition(ctx, r.Client, req.Namespace, nsMsgVPCDNSZonesSyncError.getNSNetworkCondition(err))
+			return common.ResultRequeueAfter10sec, err
+		}
+		// Use a Set to ensure each domain name in the allowed list is unique.
+		domainNamesSet := sets.New[string]()
+		for _, domainName := range slices.Sorted(maps.Values(zoneMap)) {
+			if domainName == "" {
+				continue
+			}
+			domainNamesSet.Insert(domainName)
+		}
+		allowedDNSDomains = domainNamesSet.UnsortedList()
+		slices.Sort(allowedDNSDomains)
+	}
+
 	// AKO needs to know the AVI subnet path created by NSX
 	setVPCNetworkConfigurationStatusWithLBS(ctx, r.Client, ncName, state.Name, aviSubnetPath, nsxLBSPath, *createdVpc.Path)
-	r.StatusUpdater.UpdateSuccess(ctx, networkInfoCR, setNetworkInfoVPCStatus, state)
+	r.StatusUpdater.UpdateSuccess(ctx, networkInfoCR, setNetworkInfoVPCStatus, state, allowedDNSDomains)
 
 	if retryWithSystemVPC {
 		setNSNetworkReadyCondition(ctx, r.Client, req.Namespace, systemNSCondition)
@@ -805,11 +834,12 @@ func (r *NetworkInfoReconciler) StartController(mgr ctrl.Manager, _ webhook.Serv
 	return nil
 }
 
-func NewNetworkInfoReconciler(mgr ctrl.Manager, vpcService *vpc.VPCService, ipblocksInfoService *ipblocksinfo.IPBlocksInfoService) *NetworkInfoReconciler {
+func NewNetworkInfoReconciler(mgr ctrl.Manager, vpcService *vpc.VPCService, ipblocksInfoService *ipblocksinfo.IPBlocksInfoService, dnsRecordService dnsZoneSyncer) *NetworkInfoReconciler {
 	networkInfoReconciler := &NetworkInfoReconciler{
-		Client:   mgr.GetClient(),
-		Scheme:   mgr.GetScheme(),
-		Recorder: mgr.GetEventRecorderFor("networkinfo-controller"),
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		DNSRecordService: dnsRecordService,
+		Recorder:         mgr.GetEventRecorderFor("networkinfo-controller"),
 	}
 	networkInfoReconciler.Service = vpcService
 	networkInfoReconciler.IPBlocksInfoService = ipblocksInfoService