antrea-io · hkiiita · Nov 13, 2024 · Nov 14, 2024 · Nov 15, 2024 · Nov 15, 2024
diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
@@ -306,10 +306,10 @@ kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }}
 # 10.96.0.10:53, [fd00:10:96::a]:53).
 dnsServerOverride: {{ .Values.dnsServerOverride | quote }}
 
-# The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+# The fqdnCacheMinTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
 # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
 # This value should ideally be set to the maximum caching duration across all applications.
-minTTL: {{ .Values.minTTL }}
+fqdnCacheMinTTL: {{ .Values.minTTL }}
-fqdnCacheMinTTL: {{ .Values.minTTL }}
+fqdnCacheMinTTL: {{ .Values.fqdnCacheMinTTL }}
-fqdnCacheMinTTL: {{ .Values.minTTL }}
+fqdnCacheMinTTL: {{ .Values.fqdnCacheMinTTL }}
 
 # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
 # https://golang.org/pkg/crypto/tls/#pkg-constants

diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -189,7 +189,7 @@ dnsServerOverride: ""
 # -- The minTTL setting helps address the problem of applications caching DNS response IPs indefinitely.
 # The Cluster administrators should configure this value, ideally setting it to be equal to or greater than the maximum TTL
 # value of the application's DNS cache.
-minTTL: 0
+fqdnCacheMinTTL: 0
 # -- IPv4 CIDR range used for Services. Required when AntreaProxy is disabled.
 serviceCIDR: ""
 # -- IPv6 CIDR range used for Services. Required when AntreaProxy is disabled.

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -4234,10 +4234,10 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
-    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # The fqdnCacheMinTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
     # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
     # This value should ideally be set to the maximum caching duration across all applications.
-    minTTL: 0
+    fqdnCacheMinTTL: 
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -5388,7 +5388,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c235e6afdb719cee68a98bec85a0b40682b2d85b51bf4196d1556f1478ce2633
+        checksum/config: 8b260e981a71f970ab28471bcf056893615089492f917f16ee3b8d749ed6d348
       labels:
         app: antrea
         component: antrea-agent
@@ -5626,7 +5626,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c235e6afdb719cee68a98bec85a0b40682b2d85b51bf4196d1556f1478ce2633
+        checksum/config: 8b260e981a71f970ab28471bcf056893615089492f917f16ee3b8d749ed6d348
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -4234,10 +4234,10 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
-    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # The fqdnCacheMinTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
     # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
     # This value should ideally be set to the maximum caching duration across all applications.
-    minTTL: 0
+    fqdnCacheMinTTL: 
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -5388,7 +5388,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c235e6afdb719cee68a98bec85a0b40682b2d85b51bf4196d1556f1478ce2633
+        checksum/config: 8b260e981a71f970ab28471bcf056893615089492f917f16ee3b8d749ed6d348
       labels:
         app: antrea
         component: antrea-agent
@@ -5627,7 +5627,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c235e6afdb719cee68a98bec85a0b40682b2d85b51bf4196d1556f1478ce2633
+        checksum/config: 8b260e981a71f970ab28471bcf056893615089492f917f16ee3b8d749ed6d348
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -4234,10 +4234,10 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
-    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # The fqdnCacheMinTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
     # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
     # This value should ideally be set to the maximum caching duration across all applications.
-    minTTL: 0
+    fqdnCacheMinTTL: 
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -5388,7 +5388,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 6c71e376d2b2ea5a377700084d271a88925337887b10a4432d68b7d269911d90
+        checksum/config: 96a86cbe034da4285e15a136b3c05b954b12d148eb54aeaf1a3ad543fb2588c2
       labels:
         app: antrea
         component: antrea-agent
@@ -5624,7 +5624,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 6c71e376d2b2ea5a377700084d271a88925337887b10a4432d68b7d269911d90
+        checksum/config: 96a86cbe034da4285e15a136b3c05b954b12d148eb54aeaf1a3ad543fb2588c2
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -4247,10 +4247,10 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
-    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # The fqdnCacheMinTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
     # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
     # This value should ideally be set to the maximum caching duration across all applications.
-    minTTL: 0
+    fqdnCacheMinTTL: 
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -5401,7 +5401,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: d4ce97447743fcc1980c3e46b6ac2ee821a64817bee4671d6ce838813643dd24
+        checksum/config: 5deeee1fbf11902f265061f60855c1720e19fb0521692c7d22e130f880947c78
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -5683,7 +5683,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: d4ce97447743fcc1980c3e46b6ac2ee821a64817bee4671d6ce838813643dd24
+        checksum/config: 5deeee1fbf11902f265061f60855c1720e19fb0521692c7d22e130f880947c78
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -4234,10 +4234,10 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
-    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # The fqdnCacheMinTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
     # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
     # This value should ideally be set to the maximum caching duration across all applications.
-    minTTL: 0
+    fqdnCacheMinTTL: 
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -5388,7 +5388,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: d6ebdff39564e13df1eabb4bcf0894359a6b03bd8b8b528168a94b3e7a0ba319
+        checksum/config: dbebe7ad81b43b8a9e102971e323ac5ab89137efac9d4f5140c256f454ec5d66
       labels:
         app: antrea
         component: antrea-agent
@@ -5624,7 +5624,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: d6ebdff39564e13df1eabb4bcf0894359a6b03bd8b8b528168a94b3e7a0ba319
+        checksum/config: dbebe7ad81b43b8a9e102971e323ac5ab89137efac9d4f5140c256f454ec5d66
       labels:
         app: antrea
         component: antrea-controller

diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go
@@ -528,7 +528,7 @@ func run(o *Options) error {
 		nodeConfig,
 		podNetworkWait,
 		l7Reconciler,
-		o.config.MinTTL,
+		uint32(o.config.FqdnCacheMinTTL),
 	)
 	if err != nil {
 		return fmt.Errorf("error creating new NetworkPolicy controller: %v", err)

diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go
@@ -155,13 +155,19 @@ func (o *Options) validate(args []string) error {
 		return fmt.Errorf("nodeType %s requires feature gate ExternalNode to be enabled", o.config.NodeType)
 	}
 
-	if o.config.NodeType == config.ExternalNode.String() {
+	// validate FqdnCacheMinTTL
+	if o.config.FqdnCacheMinTTL < 0 {
+		return fmt.Errorf("fqdnCacheMinTTL set to an invalid value, its must be a positive integer")
-		return fmt.Errorf("fqdnCacheMinTTL set to an invalid value, its must be a positive integer")
+		return fmt.Errorf("fqdnCacheMinTTL must be greater than or equal to 0")
-		return fmt.Errorf("fqdnCacheMinTTL set to an invalid value, its must be a positive integer")
+		return fmt.Errorf("fqdnCacheMinTTL must be greater than or equal to 0")
+	}
+
+	switch o.config.NodeType {
+	case config.ExternalNode.String():
 		o.nodeType = config.ExternalNode
 		return o.validateExternalNodeOptions()
-	} else if o.config.NodeType == config.K8sNode.String() {
+	case config.K8sNode.String():
 		o.nodeType = config.K8sNode
 		return o.validateK8sNodeOptions()
-	} else {
+	default:
 		return fmt.Errorf("unsupported nodeType %s", o.config.NodeType)
 	}
 }
@@ -605,9 +611,6 @@ func (o *Options) validateK8sNodeOptions() error {
 		o.dnsServerOverride = hostPort
 	}
 
-	// Ensure that the minTTL is not negative.
-	o.config.MinTTL = max(o.config.MinTTL, 0)
-
 	if err := o.validateSecondaryNetworkConfig(); err != nil {
 		return fmt.Errorf("failed to validate secondary network config: %v", err)
 	}

diff --git a/pkg/agent/controller/networkpolicy/fqdn.go b/pkg/agent/controller/networkpolicy/fqdn.go
@@ -161,7 +161,7 @@ type fqdnController struct {
 	clock clock.Clock
 }
 
-func newFQDNController(client openflow.Client, allocator *idAllocator, dnsServerOverride string, dirtyRuleHandler func(string), v4Enabled, v6Enabled bool, gwPort uint32, clock clock.WithTicker, minTTL int) (*fqdnController, error) {
+func newFQDNController(client openflow.Client, allocator *idAllocator, dnsServerOverride string, dirtyRuleHandler func(string), v4Enabled, v6Enabled bool, gwPort uint32, clock clock.WithTicker, fqdnCacheMinTTL uint32) (*fqdnController, error) {
 	controller := &fqdnController{
 		ofClient:         client,
 		dirtyRuleHandler: dirtyRuleHandler,
@@ -183,7 +183,7 @@ func newFQDNController(client openflow.Client, allocator *idAllocator, dnsServer
 		ipv6Enabled:            v6Enabled,
 		gwPort:                 gwPort,
 		clock:                  clock,
-		minTTL:                 uint32(minTTL),
+		minTTL:                 fqdnCacheMinTTL,
 	}
 	if controller.ofClient != nil {
 		if err := controller.ofClient.NewDNSPacketInConjunction(dnsInterceptRuleID); err != nil {

diff --git a/pkg/agent/controller/networkpolicy/networkpolicy_controller.go b/pkg/agent/controller/networkpolicy/networkpolicy_controller.go
@@ -196,7 +196,7 @@ func NewNetworkPolicyController(antreaClientGetter client.AntreaClientProvider,
 	gwPort, tunPort uint32,
 	nodeConfig *config.NodeConfig,
 	podNetworkWait *utilwait.Group,
-	l7Reconciler *l7engine.Reconciler, minTTL int) (*Controller, error) {
+	l7Reconciler *l7engine.Reconciler, fqdnCacheMinTTL uint32) (*Controller, error) {
 	idAllocator := newIDAllocator(asyncRuleDeleteInterval, dnsInterceptRuleID)
 	c := &Controller{
 		antreaClientProvider: antreaClientGetter,
@@ -227,7 +227,7 @@ func NewNetworkPolicyController(antreaClientGetter client.AntreaClientProvider,
 
 	var err error
 	if antreaPolicyEnabled {
-		if c.fqdnController, err = newFQDNController(ofClient, idAllocator, dnsServerOverride, c.enqueueRule, v4Enabled, v6Enabled, gwPort, clock.RealClock{}, minTTL); err != nil {
+		if c.fqdnController, err = newFQDNController(ofClient, idAllocator, dnsServerOverride, c.enqueueRule, v4Enabled, v6Enabled, gwPort, clock.RealClock{}, fqdnCacheMinTTL); err != nil {
 			return nil, err
 		}
 

diff --git a/pkg/config/agent/config.go b/pkg/config/agent/config.go
@@ -158,7 +158,7 @@ type AgentConfig struct {
 	// The minTTL setting helps address the problem of applications caching DNS response IPs indefinitely.
 	// The Cluster administrators should configure this value, ideally setting it to be equal to or greater than the maximum TTL
 	// value of the application's DNS cache.
-	MinTTL int `yaml:"minTTL,omitempty"`
+	FqdnCacheMinTTL int `yaml:"fqdnCacheMinTTL,omitempty"`
 	// Cipher suites to use.
 	TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"`
 	// TLS min version.