feat: support conditional start of IPv6 dns servers

This PR does those things:
- Raise IPv6 listener on link-local address for dns (both TCP and UDP).
- Update kubelet's `resolv.conf` IPv4/IPv6 endpoints.

Closes #9384

Link: #9596
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>

Author: Dmitriy Matrenichev

api/resource/definitions/network/network.proto

@@ -259,6 +259,7 @@ message HostDNSConfigSpec {
   repeated common.NetIPPort listen_addresses = 2;
   common.NetIP service_host_dns_address = 3;
   bool resolve_member_names = 4;
+  common.NetIP service_host_dns_address_v6 = 5;
 }
 
 // HostnameSpecSpec describes node hostname.

internal/app/machined/pkg/controllers/network/address_spec_test.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
 	netctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )
@@ -123,6 +124,40 @@ func (suite *AddressSpecSuite) TestLoopback() {
 	suite.Destroy(loopback)
 }
 
+func (suite *AddressSpecSuite) TestIPV6ULA() {
+	loopback := network.NewAddressSpec(network.NamespaceName, "lo/"+constants.HostDNSAddressV6+"/128")
+	*loopback.TypedSpec() = network.AddressSpecSpec{
+		Address:     netip.MustParsePrefix(constants.HostDNSAddressV6 + "/128"),
+		LinkName:    "lo",
+		Family:      nethelpers.FamilyInet6,
+		Scope:       nethelpers.ScopeGlobal,
+		ConfigLayer: network.ConfigDefault,
+		Flags:       nethelpers.AddressFlags(nethelpers.AddressPermanent),
+	}
+
+	for _, res := range []resource.Resource{loopback} {
+		suite.Create(res)
+	}
+
+	suite.Assert().EventuallyWithT(func(collect *assert.CollectT) {
+		assertLinkAddress(assert.New(collect), "lo", constants.HostDNSAddressV6+"/128")
+	}, 3*time.Second, 10*time.Millisecond)
+
+	// teardown the address
+	_, err := suite.State().Teardown(suite.Ctx(), loopback.Metadata())
+	suite.Require().NoError(err)
+
+	_, err = suite.State().WatchFor(suite.Ctx(), loopback.Metadata(), state.WithFinalizerEmpty())
+	suite.Require().NoError(err)
+
+	// torn down address should be removed immediately
+	suite.Assert().EventuallyWithT(func(collect *assert.CollectT) {
+		assertNoLinkAddress(assert.New(collect), "lo", constants.HostDNSAddressV6+"/128")
+	}, 3*time.Second, 10*time.Millisecond)
+
+	suite.Destroy(loopback)
+}
+
 func (suite *AddressSpecSuite) TestDummy() {
 	dummyInterface := suite.uniqueDummyInterface()
 

internal/app/machined/pkg/controllers/network/dns_resolve_cache.go

@@ -117,7 +117,7 @@ func (ctrl *DNSResolveCacheController) run(ctx context.Context, r controller.Run
 	}
 
 	pairs := allAddressPairs(cfg.TypedSpec().ListenAddresses)
-	forwardKubeDNSToHost := cfg.TypedSpec().ServiceHostDNSAddress.IsValid()
+	forwardKubeDNSToHost := cfg.TypedSpec().ServiceHostDNSAddress.IsValid() || cfg.TypedSpec().ServiceHostDNSAddressV6.IsValid()
 
 	for runCfg, runErr := range ctrl.manager.RunAll(pairs, forwardKubeDNSToHost) {
 		switch {

internal/app/machined/pkg/controllers/network/dns_resolve_cache_test.go

@@ -286,6 +286,7 @@ func getDynamicPort(t *testing.T) string {
 func makeAddrs(port string) []netip.AddrPort {
 	return []netip.AddrPort{
 		netip.MustParseAddrPort("127.0.0.53:" + port),
+		netip.MustParseAddrPort("[::1]:" + port),
 	}
 }
 

internal/app/machined/pkg/controllers/network/etcfile.go

@@ -165,7 +165,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 
 		if resolverStatus != nil && hostDNSCfg != nil {
 			dnsServers := xslices.FilterInPlace(
-				[]netip.Addr{hostDNSCfg.TypedSpec().ServiceHostDNSAddress},
+				[]netip.Addr{hostDNSCfg.TypedSpec().ServiceHostDNSAddress, hostDNSCfg.TypedSpec().ServiceHostDNSAddressV6},
 				netip.Addr.IsValid,
 			)
 

internal/app/machined/pkg/controllers/network/etcfile_test.go

@@ -121,8 +121,10 @@ func (suite *EtcFileConfigSuite) ExtraSetup() {
 	suite.hostDNSConfig.TypedSpec().ListenAddresses = []netip.AddrPort{
 		netip.MustParseAddrPort("127.0.0.53:53"),
 		netip.MustParseAddrPort("169.254.116.108:53"),
+		netip.MustParseAddrPort("[fd54:616c:6f73::204f:5320:444e:531]:53"),
 	}
 	suite.hostDNSConfig.TypedSpec().ServiceHostDNSAddress = netip.MustParseAddr("169.254.116.108")
+	suite.hostDNSConfig.TypedSpec().ServiceHostDNSAddressV6 = netip.MustParseAddr("fd54:616c:6f73::204f:5320:444e:531")
 }
 
 type etcFileContents struct {
@@ -212,7 +214,7 @@ func (suite *EtcFileConfigSuite) TestComplete() {
 		etcFileContents{
 			hosts:            "127.0.0.1   localhost\n33.11.22.44 foo.example.com foo\n::1         localhost ip6-localhost ip6-loopback\nff02::1     ip6-allnodes\nff02::2     ip6-allrouters\n10.0.0.1    a b\n10.0.0.2    c d\n", //nolint:lll
 			resolvConf:       "nameserver 127.0.0.53\n\nsearch foo.example.com\n",
-			resolvGlobalConf: "nameserver 169.254.116.108\n\nsearch foo.example.com\n",
+			resolvGlobalConf: "nameserver 169.254.116.108\nnameserver fd54:616c:6f73:0:204f:5320:444e:531\n\nsearch foo.example.com\n",
 		},
 	)
 }
@@ -225,7 +227,7 @@ func (suite *EtcFileConfigSuite) TestExtraHostsNoHostname() {
 		etcFileContents{
 			hosts:            "127.0.0.1 localhost\n::1       localhost ip6-localhost ip6-loopback\nff02::1   ip6-allnodes\nff02::2   ip6-allrouters\n10.0.0.1  a b\n10.0.0.2  c d\n",
 			resolvConf:       "nameserver 127.0.0.53\n\nsearch foo.example.com\n",
-			resolvGlobalConf: "nameserver 169.254.116.108\n\nsearch foo.example.com\n",
+			resolvGlobalConf: "nameserver 169.254.116.108\nnameserver fd54:616c:6f73:0:204f:5320:444e:531\n\nsearch foo.example.com\n",
 		},
 	)
 }
@@ -238,7 +240,7 @@ func (suite *EtcFileConfigSuite) TestNoExtraHosts() {
 		etcFileContents{
 			hosts:            "127.0.0.1   localhost\n33.11.22.44 foo.example.com foo\n::1         localhost ip6-localhost ip6-loopback\nff02::1     ip6-allnodes\nff02::2     ip6-allrouters\n",
 			resolvConf:       "nameserver 127.0.0.53\n\nsearch foo.example.com\n",
-			resolvGlobalConf: "nameserver 169.254.116.108\n\nsearch foo.example.com\n",
+			resolvGlobalConf: "nameserver 169.254.116.108\nnameserver fd54:616c:6f73:0:204f:5320:444e:531\n\nsearch foo.example.com\n",
 		},
 	)
 }
@@ -261,7 +263,7 @@ func (suite *EtcFileConfigSuite) TestNoSearchDomainLegacy() {
 		etcFileContents{
 			hosts:            "127.0.0.1   localhost\n33.11.22.44 foo.example.com foo\n::1         localhost ip6-localhost ip6-loopback\nff02::1     ip6-allnodes\nff02::2     ip6-allrouters\n",
 			resolvConf:       "nameserver 127.0.0.53\n",
-			resolvGlobalConf: "nameserver 169.254.116.108\n",
+			resolvGlobalConf: "nameserver 169.254.116.108\nnameserver fd54:616c:6f73:0:204f:5320:444e:531\n",
 		},
 	)
 }
@@ -282,7 +284,7 @@ func (suite *EtcFileConfigSuite) TestNoSearchDomainNewStyle() {
 		etcFileContents{
 			hosts:            "127.0.0.1   localhost\n33.11.22.44 foo.example.com foo\n::1         localhost ip6-localhost ip6-loopback\nff02::1     ip6-allnodes\nff02::2     ip6-allrouters\n",
 			resolvConf:       "nameserver 127.0.0.53\n",
-			resolvGlobalConf: "nameserver 169.254.116.108\n",
+			resolvGlobalConf: "nameserver 169.254.116.108\nnameserver fd54:616c:6f73:0:204f:5320:444e:531\n",
 		},
 	)
 }
@@ -295,7 +297,7 @@ func (suite *EtcFileConfigSuite) TestNoDomainname() {
 		etcFileContents{
 			hosts:            "127.0.0.1   localhost\n33.11.22.44 foo\n::1         localhost ip6-localhost ip6-loopback\nff02::1     ip6-allnodes\nff02::2     ip6-allrouters\n",
 			resolvConf:       "nameserver 127.0.0.53\n",
-			resolvGlobalConf: "nameserver 169.254.116.108\n",
+			resolvGlobalConf: "nameserver 169.254.116.108\nnameserver fd54:616c:6f73:0:204f:5320:444e:531\n",
 		},
 	)
 }
@@ -306,7 +308,7 @@ func (suite *EtcFileConfigSuite) TestOnlyResolvers() {
 		etcFileContents{
 			hosts:            "127.0.0.1 localhost\n::1       localhost ip6-localhost ip6-loopback\nff02::1   ip6-allnodes\nff02::2   ip6-allrouters\n",
 			resolvConf:       "nameserver 127.0.0.53\n",
-			resolvGlobalConf: "nameserver 169.254.116.108\n",
+			resolvGlobalConf: "nameserver 169.254.116.108\nnameserver fd54:616c:6f73:0:204f:5320:444e:531\n",
 		},
 	)
 }

internal/app/machined/pkg/controllers/network/hostdns_config.go

@@ -94,6 +94,7 @@ func (ctrl *HostDNSConfigController) Run(ctx context.Context, r controller.Runti
 			}
 
 			res.TypedSpec().ServiceHostDNSAddress = netip.Addr{}
+			res.TypedSpec().ServiceHostDNSAddressV6 = netip.Addr{}
 
 			if hostDNSConfig == nil {
 				res.TypedSpec().Enabled = false
@@ -125,6 +126,17 @@ func (ctrl *HostDNSConfigController) Run(ctx context.Context, r controller.Runti
 				res.TypedSpec().ServiceHostDNSAddress = parsed
 			}
 
+			if slices.ContainsFunc(
+				podCIDRs,
+				func(cidr string) bool { return netip.MustParsePrefix(cidr).Addr().Is6() },
+			) {
+				parsed := netip.MustParseAddr(constants.HostDNSAddressV6)
+				newServiceAddrs = append(newServiceAddrs, parsed)
+
+				res.TypedSpec().ListenAddresses = append(res.TypedSpec().ListenAddresses, netip.AddrPortFrom(parsed, 53))
+				res.TypedSpec().ServiceHostDNSAddressV6 = parsed
+			}
+
 			return nil
 		}); err != nil {
 			return fmt.Errorf("error writing host dns config: %w", err)

internal/app/machined/pkg/controllers/network/hostdns_config_test.go

@@ -119,36 +119,48 @@ func (suite *HostDNSConfigSuite) TestLegacyConfigForwardKubeDNSIPv4() {
 	suite.Create(cfg)
 
 	hostDNSAddr := netip.MustParseAddr(constants.HostDNSAddress)
+	hostDNSAddrV6 := netip.MustParseAddr(constants.HostDNSAddressV6)
 
 	ctest.AssertResource(suite, network.HostDNSConfigID, func(r *network.HostDNSConfig, asrt *assert.Assertions) {
 		asrt.True(r.TypedSpec().Enabled)
 		asrt.Equal(
 			[]netip.AddrPort{
 				netip.MustParseAddrPort("127.0.0.53:53"),
 				netip.AddrPortFrom(hostDNSAddr, 53),
+				netip.AddrPortFrom(hostDNSAddrV6, 53),
 			},
 			r.TypedSpec().ListenAddresses,
 		)
 		asrt.Equal(hostDNSAddr, r.TypedSpec().ServiceHostDNSAddress)
+		asrt.Equal(hostDNSAddrV6, r.TypedSpec().ServiceHostDNSAddressV6)
 	})
 
-	addrPrefix := netip.PrefixFrom(hostDNSAddr, hostDNSAddr.BitLen())
-
-	ctest.AssertResource(
-		suite,
-		network.LayeredID(network.ConfigOperator, network.AddressID("lo", addrPrefix)),
-		func(r *network.AddressSpec, asrt *assert.Assertions) {
-			spec := r.TypedSpec()
-
-			asrt.Equal(addrPrefix, spec.Address)
-			asrt.Equal("lo", spec.LinkName)
-			asrt.Equal(nethelpers.FamilyInet4, spec.Family)
-			asrt.Equal(nethelpers.ScopeHost, spec.Scope)
-			asrt.Equal(nethelpers.AddressFlags(nethelpers.AddressPermanent), spec.Flags)
-			asrt.Equal(network.ConfigOperator, spec.ConfigLayer)
-		},
-		rtestutils.WithNamespace(network.ConfigNamespaceName),
-	)
+	for _, addrPrefix := range []netip.Prefix{
+		netip.PrefixFrom(hostDNSAddr, hostDNSAddr.BitLen()),
+		netip.PrefixFrom(hostDNSAddrV6, hostDNSAddrV6.BitLen()),
+	} {
+		ctest.AssertResource(
+			suite,
+			network.LayeredID(network.ConfigOperator, network.AddressID("lo", addrPrefix)),
+			func(r *network.AddressSpec, asrt *assert.Assertions) {
+				spec := r.TypedSpec()
+
+				if addrPrefix.Addr().Is6() {
+					asrt.Equal(nethelpers.FamilyInet6, spec.Family)
+					asrt.Equal(nethelpers.ScopeGlobal, spec.Scope)
+				} else {
+					asrt.Equal(nethelpers.FamilyInet4, spec.Family)
+					asrt.Equal(nethelpers.ScopeHost, spec.Scope)
+				}
+
+				asrt.Equal(addrPrefix, spec.Address)
+				asrt.Equal("lo", spec.LinkName)
+				asrt.Equal(nethelpers.AddressFlags(nethelpers.AddressPermanent), spec.Flags)
+				asrt.Equal(network.ConfigOperator, spec.ConfigLayer)
+			},
+			rtestutils.WithNamespace(network.ConfigNamespaceName),
+		)
+	}
 }
 
 func (suite *HostDNSConfigSuite) TestLegacyConfigForwardKubeDNSIPv6Only() {
@@ -184,10 +196,14 @@ func (suite *HostDNSConfigSuite) TestLegacyConfigForwardKubeDNSIPv6Only() {
 	ctest.AssertResource(suite, network.HostDNSConfigID, func(r *network.HostDNSConfig, asrt *assert.Assertions) {
 		asrt.True(r.TypedSpec().Enabled)
 		asrt.Equal(
-			[]netip.AddrPort{netip.MustParseAddrPort("127.0.0.53:53")},
+			[]netip.AddrPort{
+				netip.MustParseAddrPort("127.0.0.53:53"),
+				netip.MustParseAddrPort("[" + constants.HostDNSAddressV6 + "]:53"),
+			},
 			r.TypedSpec().ListenAddresses,
 		)
 		asrt.Equal(netip.Addr{}, r.TypedSpec().ServiceHostDNSAddress)
+		asrt.Equal(netip.MustParseAddr(constants.HostDNSAddressV6), r.TypedSpec().ServiceHostDNSAddressV6)
 	})
 
 	ctest.AssertNoResource[*network.AddressSpec](

internal/app/machined/pkg/controllers/network/nftables_chain_config.go

@@ -18,6 +18,7 @@ import (
 	"github.com/siderolabs/gen/xslices"
 	"go.uber.org/zap"
 
+	cfg "github.com/siderolabs/talos/pkg/machinery/config/config"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
@@ -210,8 +211,6 @@ func (ctrl *NfTablesChainConfigController) buildIngressChain(cfg *config.Machine
 
 			if hostDNSConfig := cfg.Config().NetworkHostDNSConfig(); hostDNSConfig != nil {
 				if hostDNSConfig.ForwardKubeDNSToHost() {
-					hostDNSIP := netip.MustParseAddr(constants.HostDNSAddress)
-
 					// allow traffic to host DNS
 					for _, protocol := range []nethelpers.Protocol{nethelpers.ProtocolUDP, nethelpers.ProtocolTCP} {
 						spec.Rules = append(
@@ -227,7 +226,7 @@ func (ctrl *NfTablesChainConfigController) buildIngressChain(cfg *config.Machine
 									),
 								},
 								MatchDestinationAddress: &network.NfTablesAddressMatch{
-									IncludeSubnets: []netip.Prefix{netip.PrefixFrom(hostDNSIP, hostDNSIP.BitLen())},
+									IncludeSubnets: hostDNSSubnets(cfg.Config().Cluster().Network()),
 								},
 								MatchLayer4: &network.NfTablesLayer4Match{
 									Protocol: protocol,
@@ -433,3 +432,20 @@ func (ctrl *NfTablesChainConfigController) buildPreroutingChain(cfg *config.Mach
 		return nil
 	}
 }
+
+func hostDNSSubnets(clusterNetwork cfg.ClusterNetwork) []netip.Prefix {
+	result := []netip.Addr{hostDNSIPv4}
+
+	for _, podCIDR := range clusterNetwork.PodCIDRs() {
+		if netip.MustParsePrefix(podCIDR).Addr().Is6() {
+			result = append(result, hostDNSIPv6)
+		}
+	}
+
+	return xslices.Map(result, func(a netip.Addr) netip.Prefix { return netip.PrefixFrom(a, a.BitLen()) })
+}
+
+var (
+	hostDNSIPv4 = netip.MustParseAddr(constants.HostDNSAddress)
+	hostDNSIPv6 = netip.MustParseAddr(constants.HostDNSAddressV6)
+)

internal/pkg/dns/dns_test.go

@@ -82,7 +82,7 @@ func TestDNS(t *testing.T) {
 		},
 	}
 
-	for _, dnsAddr := range []string{"127.0.0.1:10700"} {
+	for _, dnsAddr := range []string{"127.0.0.1:10700", "[::1]:10700"} {
 		for _, test := range tests {
 			t.Run(dnsAddr+"/"+test.name, func(t *testing.T) {
 				stop := newManager(t, test.nameservers...)
@@ -123,6 +123,14 @@ func TestDNSEmptyDestinations(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, dnssrv.RcodeServerFailure, r.Rcode, r)
 
+	r, err = dnssrv.Exchange(createQuery("google.com"), "[::1]:10700")
+	require.NoError(t, err)
+	require.Equal(t, dnssrv.RcodeServerFailure, r.Rcode, r)
+
+	r, err = dnssrv.Exchange(createQuery("google.com"), "[::1]:10700")
+	require.NoError(t, err)
+	require.Equal(t, dnssrv.RcodeServerFailure, r.Rcode, r)
+
 	stop()
 }
 
@@ -142,6 +150,8 @@ func Test_ServeBackground(t *testing.T) {
 	for _, err := range m.RunAll(slices.Values([]dns.AddressPair{
 		{Network: "udp", Addr: netip.MustParseAddrPort("127.0.0.1:10700")},
 		{Network: "udp", Addr: netip.MustParseAddrPort("127.0.0.1:10701")},
+		{Network: "udp", Addr: netip.MustParseAddrPort("[::1]:10700")},
+		{Network: "udp", Addr: netip.MustParseAddrPort("[::1]:10701")},
 	}), false) {
 		require.NoError(t, err)
 	}
@@ -189,6 +199,9 @@ func newManager(t *testing.T, nameservers ...string) func() {
 		{Network: "udp", Addr: netip.MustParseAddrPort("127.0.0.1:10700")},
 		{Network: "udp", Addr: netip.MustParseAddrPort("127.0.0.1:10701")},
 		{Network: "tcp", Addr: netip.MustParseAddrPort("127.0.0.1:10700")},
+		{Network: "udp", Addr: netip.MustParseAddrPort("[::1]:10700")},
+		{Network: "tcp", Addr: netip.MustParseAddrPort("[::1]:10700")},
+		{Network: "udp", Addr: netip.MustParseAddrPort("[::1]:10700")},
 	}), false) {
 		if err != nil && strings.Contains(err.Error(), "failed to set TCP_FASTOPEN") {
 			continue
@@ -200,6 +213,8 @@ func newManager(t *testing.T, nameservers ...string) func() {
 	for _, err := range m.RunAll(slices.Values([]dns.AddressPair{
 		{Network: "udp", Addr: netip.MustParseAddrPort("127.0.0.1:10700")},
 		{Network: "tcp", Addr: netip.MustParseAddrPort("127.0.0.1:10700")},
+		{Network: "udp", Addr: netip.MustParseAddrPort("[::1]:10700")},
+		{Network: "tcp", Addr: netip.MustParseAddrPort("[::1]:10700")},
 	}), false) {
 		if err != nil && strings.Contains(err.Error(), "failed to set TCP_FASTOPEN") {
 			continue