feat(service): LoadBalancer Service with DNS annotation

cmd/main.go

@@ -58,6 +58,7 @@ import (
 	"github.com/vmware-tanzu/nsx-operator/pkg/metrics"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/dns"
 	ipaddressallocationservice "github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/ipaddressallocation"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/vpc"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/util"
@@ -192,6 +193,11 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 			log.Error(err, "Failed to initialize staticroute commonService", "controller", "StaticRoute")
 			os.Exit(1)
 		}
+		dnsRecordService, err := dns.InitializeDNSRecordService(commonService, vpcService)
+		if err != nil {
+			log.Error(err, "Failed to initialize DNS record service", "controller", "DNS")
+			os.Exit(1)
+		}
 		ipblocksInfoService := ipblocksinfo.InitializeIPBlocksInfoService(commonService, subnetService)
 
 		subnetBindingService, err := subnetbindingservice.InitializeService(commonService)
@@ -230,7 +236,7 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 		subnetSetReconcile = subnetset.NewSubnetSetReconciler(mgr, subnetService, subnetPortService, vpcService, subnetBindingService)
 		reconcilerList = append(
 			reconcilerList,
-			networkinfocontroller.NewNetworkInfoReconciler(mgr, vpcService, ipblocksInfoService),
+			networkinfocontroller.NewNetworkInfoReconciler(mgr, vpcService, ipblocksInfoService, dnsRecordService),
 			namespacecontroller.NewNamespaceReconciler(mgr, cf, vpcService, subnetService, subnetPortService),
 			subnet.NewSubnetReconciler(mgr, subnetService, subnetPortService, vpcService, subnetBindingService),
 			subnetSetReconcile,
@@ -241,7 +247,7 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 			subnetport.NewSubnetPortReconciler(mgr, subnetPortService, subnetService, vpcService, ipAddressAllocationService),
 			pod.NewPodReconciler(mgr, subnetPortService, subnetService, vpcService, nodeService),
 			networkpolicycontroller.NewNetworkPolicyReconciler(mgr, commonService, vpcService),
-			service.NewServiceLbReconciler(mgr, commonService),
+			service.NewServiceLbReconciler(mgr, commonService, dnsRecordService),
 			subnetbindingcontroller.NewReconciler(mgr, subnetService, subnetBindingService),
 			subnetipreservationcontroller.NewReconciler(mgr, subnetIPReservationService, subnetService),
 		)

go.mod

@@ -39,6 +39,7 @@ require (
 	go.uber.org/automaxprocs v1.6.0
 	go.uber.org/zap v1.27.1
 	golang.org/x/crypto v0.50.0
+	golang.org/x/net v0.53.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/time v0.14.0
 	gopkg.in/ini.v1 v1.67.1
@@ -108,7 +109,6 @@ require (
 	go.yaml.in/yaml/v2 v2.4.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.35.0 // indirect
-	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sys v0.43.0 // indirect
 	golang.org/x/term v0.42.0 // indirect

pkg/clean/clean.go

@@ -12,6 +12,7 @@ import (
 	"github.com/vmware-tanzu/nsx-operator/pkg/logger"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/dns"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/inventory"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/ipaddressallocation"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/nsxserviceaccount"
@@ -115,6 +116,10 @@ func InitializeCleanupService(cf *config.NSXOperatorConfig, nsxClient *nsx.Clien
 	if err != nil {
 		return nil, err
 	}
+	dnsRecordService, err := dns.InitializeDNSRecordService(commonService, vpcService)
+	if err != nil {
+		return nil, err
+	}
 	subnetPortService, err := subnetport.InitializeSubnetPort(commonService, vpcService, ipAddressAllocationService)
 	if err != nil {
 		return nil, err
@@ -155,6 +160,11 @@ func InitializeCleanupService(cf *config.NSXOperatorConfig, nsxClient *nsx.Clien
 			return ipAddressAllocationService, nil
 		}
 	}
+	wrapInitializeDNSRecordService := func(service common.Service) cleanupFunc {
+		return func() (interface{}, error) {
+			return dnsRecordService, nil
+		}
+	}
 	wrapInitializeSubnetBinding := func(service common.Service) cleanupFunc {
 		return func() (interface{}, error) {
 			return subnetbinding.InitializeService(service)
@@ -213,6 +223,7 @@ func InitializeCleanupService(cf *config.NSXOperatorConfig, nsxClient *nsx.Clien
 	loggedAdd("StaticRoute", wrapInitializeStaticRoute(commonService))
 	loggedAdd("VPC", wrapInitializeVPC(commonService))
 	loggedAdd("IPAddressAllocation", wrapInitializeIPAddressAllocation(commonService))
+	loggedAdd("DNSRecord", wrapInitializeDNSRecordService(commonService))
 	loggedAdd("Inventory", wrapInitializeInventory(commonService))
 	loggedAdd("LBInfraCleaner", wrapInitializeLBInfraCleaner(commonService))
 	loggedAdd("HealthCleaner", wrapInitializeHealthCleaner(commonService))

pkg/clean/clean_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/vmware-tanzu/nsx-operator/pkg/config"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/dns"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/inventory"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/ipaddressallocation"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/nsxserviceaccount"
@@ -187,6 +188,9 @@ func TestInitializeCleanupService_Success(t *testing.T) {
 	patches.ApplyFunc(ipaddressallocation.InitializeIPAddressAllocation, func(service common.Service, vpcService common.VPCServiceProvider, flag bool) (*ipaddressallocation.IPAddressAllocationService, error) {
 		return &ipaddressallocation.IPAddressAllocationService{}, nil
 	})
+	patches.ApplyFunc(dns.InitializeDNSRecordService, func(service common.Service, vpcService common.VPCServiceProvider) (*dns.DNSRecordService, error) {
+		return &dns.DNSRecordService{}, nil
+	})
 	patches.ApplyFunc(subnetbinding.InitializeService, func(service common.Service) (*subnetbinding.BindingService, error) {
 		return &subnetbinding.BindingService{}, nil
 	})
@@ -216,7 +220,7 @@ func TestInitializeCleanupService_Success(t *testing.T) {
 	// vpcPreCleaners: SubnetPort, SubnetBinding, SubnetIPReservation, Inventory, SecurityPolicy, LBInfraCleaner, NSXServiceAccount, HealthCleaner = 8
 	assert.Len(t, cleanupService.vpcPreCleaners, 7)
 	assert.Len(t, cleanupService.vpcChildrenCleaners, 5)
-	assert.Len(t, cleanupService.infraCleaners, 2)
+	assert.Len(t, cleanupService.infraCleaners, 3)
 }
 
 func TestInitializeCleanupService_VPCError(t *testing.T) {
@@ -245,6 +249,9 @@ func TestInitializeCleanupService_VPCError(t *testing.T) {
 	patches.ApplyFunc(ipaddressallocation.InitializeIPAddressAllocation, func(service common.Service, vpcService common.VPCServiceProvider, flag bool) (*ipaddressallocation.IPAddressAllocationService, error) {
 		return &ipaddressallocation.IPAddressAllocationService{}, nil
 	})
+	patches.ApplyFunc(dns.InitializeDNSRecordService, func(service common.Service, vpcService common.VPCServiceProvider) (*dns.DNSRecordService, error) {
+		return &dns.DNSRecordService{}, nil
+	})
 	patches.ApplyFunc(subnetbinding.InitializeService, func(service common.Service) (*subnetbinding.BindingService, error) {
 		return &subnetbinding.BindingService{}, nil
 	})

pkg/controllers/networkinfo/networkinfo_controller.go

@@ -6,7 +6,9 @@ package networkinfo
 import (
 	"context"
 	"fmt"
+	"maps"
 	"net"
+	"slices"
 	"strings"
 	"time"
 
@@ -72,6 +74,7 @@ var (
 	nsMsgVPCAutoSNATDisabled      = newNsUnreadyMessage("SNAT is not enabled in System VPC", NSReasonVPCSnatNotReady)
 	nsMsgVPCDefaultSNATIPGetError = newNsUnreadyMessage("Default SNAT IP is not allocated in VPC: %v", NSReasonVPCSnatNotReady)
 	nsMsgVPCIsReady               = newNsUnreadyMessage("", "")
+	nsMsgVPCDNSZonesSyncError     = newNsUnreadyMessage("Failed to sync permitted DNS zones from NSX: %v", NSReasonVPCNotReady)
 )
 
 type nsUnreadyMessage struct {
@@ -99,12 +102,18 @@ func (m *nsUnreadyMessage) getNSNetworkCondition(options ...interface{}) *corev1
 	return cond
 }
 
+// dnsZoneSyncer is the minimal DNS interface needed by NetworkInfoReconciler for VPC DNS zone lookups.
+type dnsZoneSyncer interface {
+	SyncDNSZonesByVpcNetworkConfig(vpcConfig *v1alpha1.VPCNetworkConfiguration) (map[string]string, error)
+}
+
 // NetworkInfoReconciler NetworkInfoReconcile reconciles a NetworkInfo object
 // Actually it is more like a shell, which is used to manage nsx VPC
 type NetworkInfoReconciler struct {
 	Client              client.Client
 	Scheme              *apimachineryruntime.Scheme
 	Service             *vpc.VPCService
+	DNSRecordService    dnsZoneSyncer
 	IPBlocksInfoService *ipblocksinfo.IPBlocksInfoService
 	Recorder            record.EventRecorder
 	queue               workqueue.TypedRateLimitingInterface[reconcile.Request]
@@ -445,9 +454,29 @@ func (r *NetworkInfoReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		NetworkStack:            networkStack,
 	}
 
+	var allowedDNSDomains []string
+	if r.DNSRecordService != nil && len(nc.Spec.DNSZones) > 0 {
+		zoneMap, err := r.DNSRecordService.SyncDNSZonesByVpcNetworkConfig(nc)
+		if err != nil {
+			r.StatusUpdater.UpdateFail(ctx, networkInfoCR, err, "Failed to sync DNS zones for VPC network configuration", setNetworkInfoVPCStatusWithError, state)
+			setNSNetworkReadyCondition(ctx, r.Client, req.Namespace, nsMsgVPCDNSZonesSyncError.getNSNetworkCondition(err))
+			return common.ResultRequeueAfter10sec, err
+		}
+		// Use a Set to ensure each domain name in the allowed list is unique.
+		domainNamesSet := sets.New[string]()
+		for _, domainName := range slices.Sorted(maps.Values(zoneMap)) {
+			if domainName == "" {
+				continue
+			}
+			domainNamesSet.Insert(domainName)
+		}
+		allowedDNSDomains = domainNamesSet.UnsortedList()
+		slices.Sort(allowedDNSDomains)
+	}
+
 	// AKO needs to know the AVI subnet path created by NSX
 	setVPCNetworkConfigurationStatusWithLBS(ctx, r.Client, ncName, state.Name, aviSubnetPath, nsxLBSPath, *createdVpc.Path)
-	r.StatusUpdater.UpdateSuccess(ctx, networkInfoCR, setNetworkInfoVPCStatus, state)
+	r.StatusUpdater.UpdateSuccess(ctx, networkInfoCR, setNetworkInfoVPCStatus, state, allowedDNSDomains)
 
 	if retryWithSystemVPC {
 		setNSNetworkReadyCondition(ctx, r.Client, req.Namespace, systemNSCondition)
@@ -844,11 +873,12 @@ func (r *NetworkInfoReconciler) StartController(mgr ctrl.Manager, _ webhook.Serv
 	return nil
 }
 
-func NewNetworkInfoReconciler(mgr ctrl.Manager, vpcService *vpc.VPCService, ipblocksInfoService *ipblocksinfo.IPBlocksInfoService) *NetworkInfoReconciler {
+func NewNetworkInfoReconciler(mgr ctrl.Manager, vpcService *vpc.VPCService, ipblocksInfoService *ipblocksinfo.IPBlocksInfoService, dnsRecordService dnsZoneSyncer) *NetworkInfoReconciler {
 	networkInfoReconciler := &NetworkInfoReconciler{
-		Client:   mgr.GetClient(),
-		Scheme:   mgr.GetScheme(),
-		Recorder: mgr.GetEventRecorderFor("networkinfo-controller"), //nolint:staticcheck // record.EventRecorder; StatusUpdater not on events.EventRecorder yet
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		DNSRecordService: dnsRecordService,
+		Recorder:         mgr.GetEventRecorderFor("networkinfo-controller"), //nolint:staticcheck // record.EventRecorder; StatusUpdater not on events.EventRecorder yet
 	}
 	networkInfoReconciler.Service = vpcService
 	networkInfoReconciler.IPBlocksInfoService = ipblocksInfoService