NE-2411: Add template field to DNS operator

Author: grzpiotrowski

features.md

@@ -9,6 +9,7 @@
 | ClusterAPIComputeInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
 | ClusterAPIControlPlaneInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
 | ClusterUpdatePreflight| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
+| DNSTemplatePlugin| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
 | Example2| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
 | ExternalOIDCExternalClaimsSourcing| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
 | ExternalSnapshotMetadata| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |

features/features.go

@@ -257,6 +257,14 @@ var (
 					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
+	FeatureGateDNSTemplatePlugin = newFeatureGate("DNSTemplatePlugin").
+					reportProblemsToJiraComponent("dns").
+					contactPerson("grzpiotrowski").
+					productScope(ocpSpecific).
+					enhancementPR("https://github.com/openshift/enhancements/pull/1936").
+					enable(inDevPreviewNoUpgrade()).
+					mustRegister()
+
 	FeatureGateImageModeStatusReporting = newFeatureGate("ImageModeStatusReporting").
 						reportProblemsToJiraComponent("MachineConfigOperator").
 						contactPerson("ijanssen").

openapi/generated_openapi/zz_generated.openapi.go

@@ -116,6 +116,18 @@ type DNSSpec struct {
 	// 30 seconds or as noted in the respective Corefile for your version of OpenShift.
 	// +optional
 	Cache DNSCache `json:"cache,omitempty"`
+
+	// template is an optional configuration for custom DNS query handling via the CoreDNS template plugin.
+	// The template defines how to handle queries matching specific zones and query types.
+	//
+	// The template applies to all domains (custom domains from spec.servers and the cluster domain)
+	// to ensure consistent DNS resolution across all paths.
+	//
+	// When this field is not set, no template plugin configuration is added to CoreDNS.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=DNSTemplatePlugin
+	Template *Template `json:"template,omitempty"`
 }
 
 // DNSCache defines the fields for configuring DNS caching.
@@ -467,6 +479,93 @@ const (
 	DNSAvailable = "Available"
 )
 
+// QueryType represents DNS query types supported by templates.
+// +kubebuilder:validation:Enum=AAAA
+type QueryType string
+
+const (
+	// QueryTypeAAAA represents IPv6 address records (AAAA).
+	QueryTypeAAAA QueryType = "AAAA"
+)
+
+// QueryClass represents DNS query classes supported by templates.
+// Valid value is "IN".
+// +kubebuilder:validation:Enum=IN
+type QueryClass string
+
+const (
+	// QueryClassIN represents the Internet class.
+	QueryClassIN QueryClass = "IN"
+)
+
+// ResponseCode represents DNS response codes.
+// +kubebuilder:validation:Enum=NOERROR
+type ResponseCode string
+
+const (
+	// ResponseCodeNOERROR indicates a successful DNS query with or without answer records.
+	ResponseCodeNOERROR ResponseCode = "NOERROR"
+)
+
+// Template defines a template for custom DNS query handling via the CoreDNS template plugin.
+// Template enables filtering or custom responses for DNS queries matching specific zones and query types.
+// +openshift:enable:FeatureGate=DNSTemplatePlugin
+type Template struct {
+	// zones specifies the DNS zones this template applies to.
+	// Each zone must be a valid DNS name as defined in RFC 1123.
+	// The special zone "." matches all domains (catch-all).
+	// Multiple zones can be specified to apply the same template actions to multiple domains.
+	//
+	// Note: root zone (".") includes cluster domain (cluster.local); use specific zones to avoid impacting IPv6 queries in IPv6 or dual-stack clusters.
+	//
+	// Examples:
+	// - ["."] matches all domains (catch-all for global AAAA filtering)
+	// - ["example.com"] matches only example.com and its subdomains
+	// - ["example.com", "test.com"] matches both domains and their subdomains
+	//
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinItems=1
+	// +required
+	Zones []string `json:"zones"`
+
+	// queryType specifies the DNS query type to match.
+	//
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=AAAA
+	// +required
+	QueryType QueryType `json:"queryType"`
+
+	// queryClass specifies the DNS query class to match.
+	//
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=IN
+	// +required
+	QueryClass QueryClass `json:"queryClass"`
+
+	// actions defines a list of actions to apply to matching queries.
+	//
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinItems=1
+	// +required
+	Actions []TemplateAction `json:"actions"`
+}
+
+// TemplateAction defines how to construct a DNS response for queries matching the template.
+type TemplateAction struct {
+	// rcode is the DNS response code to return.
+	// Valid values are "NOERROR".
+	//
+	// When set, the template returns a response with no answer records. For AAAA filtering,
+	// this means IPv6 address queries return successfully but with no IPv6 addresses,
+	// causing clients to fall back to IPv4 (A record) queries.
+	//
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=NOERROR
+	// +kubebuilder:default=NOERROR
+	// +required
+	Rcode ResponseCode `json:"rcode"`
+}
+
 // DNSStatus defines the observed status of the DNS.
 type DNSStatus struct {
 	// clusterIP is the service IP through which this DNS is made available.