Add DNS-over-TLS related types

operator/v1/0000_70_dns-operator_00.crd.yaml

@@ -160,6 +160,24 @@ spec:
                       description: forwardPlugin defines a schema for configuring
                         CoreDNS to proxy DNS messages to upstream resolvers.
                       properties:
+                        caBundle:
+                          description: "caBundle references a ConfigMap that must
+                            contain either a single CA Certificate or a CA Bundle
+                            (in the case of multiple upstreams signed by different
+                            CAs). This allows cluster administrators to provide their
+                            own CA or CA bundle for validating the certificate of
+                            upstream resolvers. \n 1. The configmap must contain a
+                            `cabundle.crt` key 2. The value must be a PEM encoded
+                            certificate or bundle. 3. The administrator must create
+                            this configmap in the openshift-config namespace."
+                          properties:
+                            name:
+                              description: name is the metadata.name of the referenced
+                                config map
+                              type: string
+                          required:
+                          - name
+                          type: object
                         policy:
                           default: Random
                           description: "policy is used to determine the order in which
@@ -176,6 +194,23 @@ spec:
                           - RoundRobin
                           - Sequential
                           type: string
+                        serverName:
+                          description: serverName is the upstream server to connect
+                            to for DNS resolution. This is required when Transport
+                            is set to "tls"
+                          pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z0-9-\p{L}]){2,63})$
+                          type: string
+                        transport:
+                          description: transport allows cluster administrators to
+                            opt-in to using a DNS-over-TLS connection between cluster
+                            DNS and an upstream resolver(s). Configuring TLS as the
+                            transport at this level without configuring a CABundle
+                            will result in the system certificates being used to verify
+                            the serving certificate of the upstream resolver(s).
+                          enum:
+                          - tls
+                          - cleartext
+                          type: string
                         upstreams:
                           description: "upstreams is a list of resolvers to forward
                             name queries for subdomains of Zones. Each instance of
@@ -213,6 +248,23 @@ spec:
                   default (\".\") server \n If this field is not specified, the upstream
                   used will default to /etc/resolv.conf, with policy \"sequential\""
                 properties:
+                  caBundle:
+                    description: "caBundle references a ConfigMap that must contain
+                      either a single CA Certificate or a CA Bundle (in the case of
+                      multiple upstreams signed by different CAs). This allows cluster
+                      administrators to provide their own CA or CA bundle for validating
+                      the certificate of upstream resolvers. \n 1. The configmap must
+                      contain a `cabundle.crt` key 2. The value must be a PEM encoded
+                      certificate or bundle. 3. The administrator must create this
+                      configmap in the openshift-config namespace."
+                    properties:
+                      name:
+                        description: name is the metadata.name of the referenced config
+                          map
+                        type: string
+                    required:
+                    - name
+                    type: object
                   policy:
                     default: Sequential
                     description: "Policy is used to determine the order in which upstream
@@ -228,6 +280,22 @@ spec:
                     - RoundRobin
                     - Sequential
                     type: string
+                  serverName:
+                    description: serverName is the upstream server to connect to for
+                      DNS resolution. This is required when Transport is set to "tls"
+                    pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z0-9-\p{L}]){2,63})$
+                    type: string
+                  transport:
+                    description: transport allows cluster administrators to opt-in
+                      to using a DNS-over-TLS connection between cluster DNS and an
+                      upstream resolver(s). Configuring TLS as the transport at this
+                      level without configuring a CABundle will result in the system
+                      certificates being used to verify the serving certificate of
+                      the upstream resolver(s).
+                    enum:
+                    - tls
+                    - cleartext
+                    type: string
                   upstreams:
                     default:
                     - type: SystemResolvConf

operator/v1/types_dns.go

@@ -1,6 +1,7 @@
 package v1
 
 import (
+	v1 "github.com/openshift/api/config/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	corev1 "k8s.io/api/core/v1"
@@ -130,6 +131,19 @@ type Server struct {
 	ForwardPlugin ForwardPlugin `json:"forwardPlugin"`
 }
 
+// DNSTransport is indicates what type of connection should be used
+// +kubebuilder:validation:Enum=tls;cleartext
+type DNSTransport string
+
+const (
+	// TLSTransport indicates that TLS should be used for the connection
+	TLSTransport DNSTransport = "tls"
+
+	// CleartextTransport indicates that no encryption should be used for
+	// the connection.
+	CleartextTransport DNSTransport = "cleartext"
+)
+
 // ForwardingPolicy is the policy to use when forwarding DNS requests.
 // +kubebuilder:validation:Enum=Random;RoundRobin;Sequential
 type ForwardingPolicy string
@@ -170,6 +184,35 @@ type ForwardPlugin struct {
 	// +optional
 	// +kubebuilder:default:="Random"
 	Policy ForwardingPolicy `json:"policy,omitempty"`
+
+	// transport allows cluster administrators to opt-in to using a DNS-over-TLS
+	// connection between cluster DNS and an upstream resolver(s). Configuring
+	// TLS as the transport at this level without configuring a CABundle will
+	// result in the system certificates being used to verify the serving
+	// certificate of the upstream resolver(s).
+	//
+	// +optional
+	Transport DNSTransport `json:"transport,omitempty"`
+
+	// caBundle references a ConfigMap that must contain either a single
+	// CA Certificate or a CA Bundle (in the case of multiple upstreams signed
+	// by different CAs). This allows cluster administrators to provide their
+	// own CA or CA bundle for validating the certificate of upstream resolvers.
+	//
+	// 1. The configmap must contain a `cabundle.crt` key
+	// 2. The value must be a PEM encoded certificate or bundle.
+	// 3. The administrator must create this configmap in the openshift-config namespace.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	CABundle v1.ConfigMapNameReference `json:"caBundle,omitempty"`
+
+	// serverName is the upstream server to connect to for DNS resolution.
+	// This is required when Transport is set to "tls"
+	//
+	// +optional
+	// +kubebuilder:validation:Pattern=`^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z0-9-\p{L}]){2,63})$`
+	ServerName string `json:"serverName,omitempty"`
 }
 
 // UpstreamResolvers defines a schema for configuring the CoreDNS forward plugin in the
@@ -203,6 +246,35 @@ type UpstreamResolvers struct {
 	// +optional
 	// +kubebuilder:default="Sequential"
 	Policy ForwardingPolicy `json:"policy,omitempty"`
+
+	// transport allows cluster administrators to opt-in to using a DNS-over-TLS
+	// connection between cluster DNS and an upstream resolver(s). Configuring
+	// TLS as the transport at this level without configuring a CABundle will
+	// result in the system certificates being used to verify the serving
+	// certificate of the upstream resolver(s).
+	//
+	// +optional
+	Transport DNSTransport `json:"transport,omitempty"`
+
+	// caBundle references a ConfigMap that must contain either a single
+	// CA Certificate or a CA Bundle (in the case of multiple upstreams signed
+	// by different CAs). This allows cluster administrators to provide their
+	// own CA or CA bundle for validating the certificate of upstream resolvers.
+	//
+	// 1. The configmap must contain a `cabundle.crt` key
+	// 2. The value must be a PEM encoded certificate or bundle.
+	// 3. The administrator must create this configmap in the openshift-config namespace.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	CABundle v1.ConfigMapNameReference `json:"caBundle,omitempty"`
+
+	// serverName is the upstream server to connect to for DNS resolution.
+	// This is required when Transport is set to "tls"
+	//
+	// +optional
+	// +kubebuilder:validation:Pattern=`^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z0-9-\p{L}]){2,63})$`
+	ServerName string `json:"serverName,omitempty"`
 }
 
 // Upstream can either be of type SystemResolvConf, or of type Network.