feat(networkinfo): Convert allowed DNS zones from VpcNetworkConfiguration to DNS domain names in NetworkInfo

[wenyingd]

Wire NetworkInfo reconciler to DNSRecordService for per-namespace allowed DNS domains derived from VPC DNS zone configuration. Register DNS recordservice initialization in cmd when VPC networking is enabled.

Test Done:
0. Prepare the NSX DNS zone with path orgs/default/projects/project-quality/dns-services/default/zones/zone-1 and domainName example.com

1. create vSphere Namespace with DNS zone,

dcli> com vmware vcenter namespaces instances createv2 --namespace test1 --supervisor e2645357-47a5-42b9-b356-fcaf186a4bb0 --network-spec-network-provider NSX_VPC --network-spec-vpc-network-dns-zones "/orgs/default/projects/project-quality/dns-services/default/zones/zone-1"
dcli> com vmware vcenter namespaces instances getv2 --namespace test1
content_libraries:
creator: 
edges: 
description: 
...
messages:
network_spec:
   vpc_network:
      dns_zones:
         - /orgs/default/projects/project-quality/dns-services/default/zones/zone-1
      vpc_config:
         private_cidrs:
            - address: 172.26.0.0
              prefix: 16

      shared_subnets: 
      vpc: /orgs/default/projects/project-quality/vpcs/test1_ia8ow
      default_subnet_size: 32
      auto_created: True
   network_provider: NSX_VPC
supervisor: e2645357-47a5-42b9-b356-fcaf186a4bb0

2. Check VpcNetworkConfiguration has configured the allowed DNS zones

root@421833fb973aade676c9a60ec986fda1 [ ~ ]# kubectl get vpcnetworkconfigurations -A
NAME                                                    VPCPATH
default                                                 
svc-cci-ns-741cs-202986d9-2a9b-4ac5-bb44-3144316cafcf   /orgs/default/projects/project-quality/vpcs/vmware-system-supervisor-services-vpc_ksvta
svc-istio-nj8d3-2a45e555-d689-4455-a9b4-e9af9c056450    /orgs/default/projects/project-quality/vpcs/vmware-system-supervisor-services-vpc_ksvta
svc-tkg-dbo5b-dacd2179-77ea-43e6-93c9-df9223b24657      /orgs/default/projects/project-quality/vpcs/vmware-system-supervisor-services-vpc_ksvta
svc-velero-8qp88-68a66181-34de-4271-aeb7-630e18a174bf   /orgs/default/projects/project-quality/vpcs/vmware-system-supervisor-services-vpc_ksvta
system                                                  /orgs/default/projects/project-quality/vpcs/kube-system_324cv
test-istio-30089157-6f27-40ec-8c97-4e33a35aec5c         /orgs/default/projects/project-quality/vpcs/test-istio_dhyl7
test1-37ca967f-270d-4252-957a-9d8222a6e59b              /orgs/default/projects/project-quality/vpcs/test1_ia8ow
vmware-system-supervisor-services                       /orgs/default/projects/project-quality/vpcs/vmware-system-supervisor-services-vpc_ksvta
root@421833fb973aade676c9a60ec986fda1 [ ~ ]# kubectl get vpcnetworkconfigurations test1-37ca967f-270d-4252-957a-9d8222a6e59b -oyaml
apiVersion: crd.nsx.vmware.com/v1alpha1
kind: VPCNetworkConfiguration
metadata:
  creationTimestamp: "2026-05-12T07:48:30Z"
  generation: 1
  name: test1-37ca967f-270d-4252-957a-9d8222a6e59b
  resourceVersion: "2920458"
  uid: 19f665f5-4c1b-4e11-b4a3-debc026f914e
spec:
  defaultIPv6PrefixLength: 64
  defaultSubnetSize: 32
  dnsZones:
  - /orgs/default/projects/project-quality/dns-services/default/zones/zone-1
  nsxProject: /orgs/default/projects/project-quality
  privateIPs:
  - 172.26.0.0/16
  vpcConnectivityProfile: /orgs/default/projects/project-quality/vpc-connectivity-profiles/default--724e8c5b-025c-444b-b3af-51e587e27989
status:
  vpcs:
  - name: test1_ia8ow
    nsxLoadBalancerPath: /orgs/default/projects/project-quality/vpcs/test1_ia8ow/vpc-lbs/default
    vpcPath: /orgs/default/projects/project-quality/vpcs/test1_ia8ow

3. Check NetworkInfo has configured with the allowed DNS domain name

root@421833fb973aade676c9a60ec986fda1 [ ~ ]# kubectl get networkinfos -n test1 test1 -oyaml

allowedDNSDomains:
- example.com
apiVersion: crd.nsx.vmware.com/v1alpha1
kind: NetworkInfo
metadata:
  creationTimestamp: "2026-05-12T07:48:30Z"
  generation: 2
  name: test1
  namespace: test1
  resourceVersion: "2920462"
  uid: 998c0333-b64c-460d-878a-7aba62925b35
vpcs:
- defaultSNATIP: 192.168.0.8
  loadBalancerIPAddresses: 100.64.0.7
  name: test1_ia8ow
  networkStack: FullStackVPC
  privateIPs:
  - 172.26.0.0/16

4. Update an existing vSphere Namespace by appending the desired DNS zones,

dcli> com vmware vcenter namespaces instances getv2 --namespace test-istio
content_libraries:
creator:
   subject: 
   domain: 
edges: 
description: 
….
messages:
network_spec:
   vpc_network:
      dns_zones: 
      vpc_config:
         private_cidrs:
            - address: 172.26.0.0
              prefix: 16

      shared_subnets: 
      vpc: /orgs/default/projects/project-quality/vpcs/test-istio_dhyl7
      default_subnet_size: 32
      auto_created: True
   network_provider: NSX_VPC
supervisor: e2645357-47a5-42b9-b356-fcaf186a4bb0

dcli> com vmware vcenter namespaces instances update --namespace test-istio --network-spec-network-provider NSX_VPC --network-spec-vpc-config-dns-zones "/orgs/default/projects/project-quality/dns-services/default/zones/zone-1"

dcli> com vmware vcenter namespaces instances getv2 --namespace test-istio
content_libraries:
creator:
   subject: 
   domain: 
edges: 
description: 
…
network_spec:
   vpc_network:
      dns_zones:
         - /orgs/default/projects/project-quality/dns-services/default/zones/zone-1
      vpc_config:
         private_cidrs:
            - address: 172.26.0.0
              prefix: 16

      shared_subnets: 
      vpc: /orgs/default/projects/project-quality/vpcs/test-istio_dhyl7
      default_subnet_size: 32
      auto_created: True
   network_provider: NSX_VPC
supervisor: e2645357-47a5-42b9-b356-fcaf186a4bb0

5. Check the VPCNetworkConfiguration is updated with the DNS zones

kubectl get vpcnetworkconfigurations test-istio-30089157-6f27-40ec-8c97-4e33a35aec5c -oyaml
apiVersion: crd.nsx.vmware.com/v1alpha1
kind: VPCNetworkConfiguration
metadata:
  creationTimestamp: "2026-05-09T09:34:53Z"
  generation: 2
  name: test-istio-30089157-6f27-40ec-8c97-4e33a35aec5c
  resourceVersion: "4770201"
  uid: 2262c5ba-0246-4151-ab10-2301eb784bc2
spec:
  defaultIPv6PrefixLength: 64
  defaultSubnetSize: 32
  dnsZones:
  - /orgs/default/projects/project-quality/dns-services/default/zones/zone-1
  nsxProject: /orgs/default/projects/project-quality
  privateIPs:
  - 172.26.0.0/16
  vpcConnectivityProfile: /orgs/default/projects/project-quality/vpc-connectivity-profiles/default--724e8c5b-025c-444b-b3af-51e587e27989
status:
  vpcs:
  - name: test-istio_dhyl7
    nsxLoadBalancerPath: /orgs/default/projects/project-quality/vpcs/test-istio_dhyl7/vpc-lbs/default
    vpcPath: /orgs/default/projects/project-quality/vpcs/test-istio_dhyl7

7. Check the NetworkInfo CR is updated

# kubectl get networkinfo -n test-istio test-istio -oyaml
allowedDNSDomains:
- example.com
apiVersion: crd.nsx.vmware.com/v1alpha1
kind: NetworkInfo
metadata:
  creationTimestamp: "2026-05-09T09:34:53Z"
  generation: 3
  name: test-istio
  namespace: test-istio
  resourceVersion: "4770209"
  uid: 109b03f2-aed2-4df1-aaaf-f8490884435d
vpcs:
- defaultSNATIP: 192.168.0.6
  loadBalancerIPAddresses: 100.64.0.5
  name: test-istio_dhyl7
  networkStack: FullStackVPC
  privateIPs:
  - 172.26.0.0/16

[codecov-commenter]

Codecov Report

❌ Patch coverage is 87.53388% with 138 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.54%. Comparing base (6ae0434) to head (3d1282e).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/nsx/services/dns/recordservice.go	79.62%	34 Missing and 20 partials ⚠️
.../controllers/networkinfo/networkinfo_controller.go	35.00%	12 Missing and 1 partial ⚠️
pkg/nsx/services/dns/store.go	94.19%	7 Missing and 6 partials ⚠️
pkg/nsx/services/dns/compare.go	84.00%	9 Missing and 3 partials ⚠️
pkg/nsx/services/dns/zones.go	88.77%	6 Missing and 5 partials ⚠️
cmd/main.go	0.00%	5 Missing ⚠️
pkg/controllers/networkinfo/networkinfo_utils.go	75.00%	1 Missing and 3 partials ⚠️
pkg/nsx/services/common/wrap.go	73.33%	2 Missing and 2 partials ⚠️
pkg/nsx/services/dns/builder.go	94.73%	2 Missing and 2 partials ⚠️
pkg/nsx/services/dns/cleanup.go	73.33%	2 Missing and 2 partials ⚠️
... and 5 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1425      +/-   ##
==========================================
+ Coverage   77.03%   77.54%   +0.51%     
==========================================
  Files         155      168      +13     
  Lines       22043    23132    +1089     
==========================================
+ Hits        16980    17937     +957     
- Misses       3858     3942      +84     
- Partials     1205     1253      +48     

Flag	Coverage Δ
unit-tests	77.54% <87.53%> (+0.51%)	⬆️

Files with missing lines	Coverage Δ
pkg/nsx/client.go	93.42% <100.00%> (+0.11%)	⬆️
pkg/nsx/services/common/policy_tree.go	86.48% <100.00%> (+0.24%)	⬆️
pkg/nsx/services/common/types.go	100.00% <ø> (ø)
pkg/nsx/services/dns/errors.go	100.00% <100.00%> (ø)
pkg/nsx/services/dns/types.go	100.00% <100.00%> (ø)
pkg/third_party/externaldns/endpoint/endpoint.go	100.00% <100.00%> (ø)
pkg/util/utils.go	87.12% <100.00%> (+0.12%)	⬆️
pkg/clean/clean.go	86.88% <71.42%> (-0.95%)	⬇️
pkg/third_party/externaldns/endpoint/utils.go	90.47% <90.47%> (ø)
pkg/third_party/externaldns/provider/zonefinder.go	90.90% <90.90%> (ø)
... and 12 more

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.