Handle A and AAAA records TTL properly in dnscache

.github/workflows/build.yaml

@@ -37,7 +37,7 @@ jobs:
         credentials_json: '${{ secrets.GCP_SA_KEY }}'
 
     - name: Set up Cloud SDK
-      uses: google-github-actions/setup-gcloud@v0
+      uses: google-github-actions/setup-gcloud@v2
 
     - name: Set up Go 1.25
       uses: actions/setup-go@v5

Makefile

@@ -66,8 +66,8 @@ vet:
 
 # Generate code
 generate: controller-gen mockgen manifests
-	go generate ./...
 	$(CONTROLLER_GEN) object paths="./..."
+	go generate ./...
 
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN)

api/v1/clusterwidenetworkpolicy_types.go

@@ -153,11 +153,18 @@ type FQDNSelector struct {
 
 // IPSet stores set name association to IP addresses
 type IPSet struct {
-	FQDN           string      `json:"fqdn,omitempty"`
-	SetName        string      `json:"setName,omitempty"`
-	IPs            []string    `json:"ips,omitempty"`
+	// FQDN which this IP set is for.
+	FQDN string `json:"fqdn,omitempty"`
+	//  A hash value merely used for reference.
+	SetName string `json:"setName,omitempty"`
+	// Deprecated: use `IPExpirationTimes` instead.
+	IPs []string `json:"ips,omitempty"`
+	// Deprecated: use `IPExpirationTimes` instead.
 	ExpirationTime metav1.Time `json:"expirationTime,omitempty"`
-	Version        IPVersion   `json:"version,omitempty"`
+	// Maps IP addresses to their expiration times.
+	IPExpirationTimes map[string]metav1.Time `json:"ipExpirationTimes,omitempty"`
+	// Whether this is a IPv4 or a IPv6 set.
+	Version IPVersion `json:"version,omitempty"`
 }
 
 func (l *ClusterwideNetworkPolicyList) GetFQDNs() []FQDNSelector {

config/crd/bases/metal-stack.io_clusterwidenetworkpolicies.yaml

@@ -244,17 +244,28 @@ spec:
                     description: IPSet stores set name association to IP addresses
                     properties:
                       expirationTime:
+                        description: 'Deprecated: use `IPExpirationTimes` instead.'
                         format: date-time
                         type: string
                       fqdn:
+                        description: FQDN which this IP set is for.
                         type: string
+                      ipExpirationTimes:
+                        additionalProperties:
+                          format: date-time
+                          type: string
+                        description: Maps IP addresses to their expiration times.
+                        type: object
                       ips:
+                        description: 'Deprecated: use `IPExpirationTimes` instead.'
                         items:
                           type: string
                         type: array
                       setName:
+                        description: ' A hash value merely used for reference.'
                         type: string
                       version:
+                        description: Whether this is a IPv4 or a IPv6 set.
                         type: string
                     type: object
                   type: array

controllers/clusterwidenetworkpolicy_controller.go

@@ -18,10 +18,12 @@ import (
 	"k8s.io/client-go/tools/record"
 
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	firewallv2 "github.com/metal-stack/firewall-controller-manager/api/v2"
@@ -38,6 +40,7 @@ type ClusterwideNetworkPolicyReconciler struct {
 	SeedNamespace string
 
 	Log      logr.Logger
+	Ctx      context.Context
 	Recorder record.EventRecorder
 
 	Interval time.Duration
@@ -57,7 +60,7 @@ func (r *ClusterwideNetworkPolicyReconciler) SetupWithManager(mgr ctrl.Manager)
 	}
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&firewallv1.ClusterwideNetworkPolicy{}).
+		For(&firewallv1.ClusterwideNetworkPolicy{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
 		Watches(&corev1.Service{}, &handler.EnqueueRequestForObject{}).
 		WatchesRawSource(&source.Channel{Source: scheduleChan}, &handler.EnqueueRequestForObject{}).
 		Complete(r)
@@ -104,7 +107,7 @@ func (r *ClusterwideNetworkPolicyReconciler) Reconcile(ctx context.Context, _ ct
 	cwnps.Items = validCwnps
 
 	nftablesFirewall := nftables.NewFirewall(f, &cwnps, &services, r.DnsProxy, r.Log, r.Recorder)
-	if err := r.manageDNSProxy(ctx, f, cwnps, nftablesFirewall); err != nil {
+	if err := r.manageDNSProxy(f, cwnps, nftablesFirewall); err != nil {
 		return ctrl.Result{}, err
 	}
 	updated, err := nftablesFirewall.Reconcile()
@@ -127,7 +130,7 @@ func (r *ClusterwideNetworkPolicyReconciler) Reconcile(ctx context.Context, _ ct
 // manageDNSProxy start DNS proxy if toFQDN rules are present
 // if rules were deleted it will stop running DNS proxy
 func (r *ClusterwideNetworkPolicyReconciler) manageDNSProxy(
-	ctx context.Context, f *firewallv2.Firewall, cwnps firewallv1.ClusterwideNetworkPolicyList, nftablesFirewall *nftables.Firewall,
+	f *firewallv2.Firewall, cwnps firewallv1.ClusterwideNetworkPolicyList, nftablesFirewall *nftables.Firewall,
 ) (err error) {
 	// Skipping is needed for testing
 	if r.SkipDNS {
@@ -142,10 +145,10 @@ func (r *ClusterwideNetworkPolicyReconciler) manageDNSProxy(
 
 	if enableDNS && r.DnsProxy == nil {
 		r.Log.Info("DNS Proxy is initialized")
-		if r.DnsProxy, err = dns.NewDNSProxy(f.Spec.DNSServerAddress, f.Spec.DNSPort, ctrl.Log.WithName("DNS proxy")); err != nil {
+		if r.DnsProxy, err = dns.NewDNSProxy(r.Ctx, f.Spec.DNSServerAddress, f.Spec.DNSPort, r.ShootClient, ctrl.Log.WithName("DNS proxy")); err != nil {
 			return fmt.Errorf("failed to init DNS proxy: %w", err)
 		}
-		go r.DnsProxy.Run(ctx)
+		go r.DnsProxy.Run()
 	} else if !enableDNS && r.DnsProxy != nil {
 		r.Log.Info("DNS Proxy is stopped")
 		r.DnsProxy.Stop()
@@ -217,7 +220,6 @@ func (r *ClusterwideNetworkPolicyReconciler) allowedCWNPs(ctx context.Context, c
 	}
 
 	for _, cwnp := range cwnps {
-		cwnp := cwnp
 		oke, err := r.validateCWNPEgressTargetPrefix(cwnp, egressSet)
 		if err != nil {
 			return nil, err

controllers/firewall_controller.go

@@ -39,6 +39,7 @@ type FirewallReconciler struct {
 
 	Recorder record.EventRecorder
 	Log      logr.Logger
+	Ctx      context.Context
 	Scheme   *runtime.Scheme
 
 	Updater      *updater.Updater

main.go

@@ -91,7 +91,13 @@ func main() {
 		return
 	}
 
-	jsonHandler := slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{})
+	var sll slog.Level
+	err := sll.UnmarshalText([]byte(logLevel))
+	if err != nil {
+		setupLog.Error(err, "failed to unmarshal log level")
+		os.Exit(1)
+	}
+	jsonHandler := slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: sll})
 	l := slog.New(jsonHandler)
 
 	ctrl.SetLogger(logr.FromSlogHandler(jsonHandler))
@@ -105,7 +111,6 @@ func main() {
 
 	// FIXME validation and controller start should be refactored into own func which returns error
 	// instead Fatalw or Error and panic here.
-	var err error
 	if firewallName == "" {
 		firewallName, err = os.Hostname()
 		if err != nil {
@@ -263,6 +268,7 @@ func main() {
 		SeedClient:    seedMgr.GetClient(),
 		ShootClient:   shootMgr.GetClient(),
 		Log:           ctrl.Log.WithName("controllers").WithName("ClusterwideNetworkPolicy"),
+		Ctx:           ctx,
 		Recorder:      shootMgr.GetEventRecorderFor("FirewallController"),
 		FirewallName:  firewallName,
 		SeedNamespace: seedNamespace,