From b6c2f98adb2f35dd5065894e9e02c48230ed4cf0 Mon Sep 17 00:00:00 2001
From: Jakob Meng <code@jakobmeng.de>
Date: Thu, 26 Oct 2023 16:42:26 +0200
Subject: [PATCH] OCPBUGS-22453: Fixed systemd-resolved's split dns config in
 OKD/FCOS

OCP requires DNS records api.<cluster_domain> and *.apps.\
<cluster_domain> to be externally resolvable (<cluster_domain> is
<cluster_name>.<base_domain>). For SNO this list also includes DNS
record api-int.<cluster_domain>.

However, OCP does not enforce ownership of all subdomains of
<cluster_domain>. For example, it is allowed to host a disconnected
image registry at <registry_hostname>.<cluster_domain> and OCP shall
be able to resolve it using the user-supplied external DNS resolver.

PR #7516 changed the systemd-resolved config of the bootstrap node /
rendezvous host to associate the complete <cluster_domain> with the
DNS server at 127.0.0.1 where CoreDNS is supposed to be listening.

When a disconnected image registry is used for cluster installation,
the registry is hosted at <registry_hostname>.<cluster_domain> and
the bootstrap node / rendezvous host does not retrieve its domain
from the DHCP server, then the registry's DNS name cannot be
resolved.
That is because in order to pull the CoreDNS image, the disconnected
registry must be connected. The split dns mechanism of systemd-\
resolved would cause it to send DNS requests for
<registry_hostname>.<cluster_domain> to 127.0.0.1 where CoreDNS is
expected to be running which is not.

When a bootstrap node / rendezvous host retrieves its domain
<cluster_domain> from a DHCP server (e.g. dnsmasq's '--domain'
option) then systemd-resolved would associate <cluster_domain> not
only with 127.0.0.1 but also with the physical network interface,
causing DNS requests for <registry_hostname>.<cluster_domain> to be
send out to 127.0.0.1 as well as the external DNS resolver.

This patch mitigates the DNS issue for other network setups. It
changes the systemd-resolved config to forward DNS requests to
CoreDNS only for domains which are resolvable by CoreDNS:

* api.<cluster_domain>
* api-int.<cluster_domain>.
* apps.<cluster_domain>

DNS requests for <registry_hostname>.<cluster_domain> and other
subdomains of <cluster_domain> will be send out to the external
DNS resolver.

Fixes #7516

(cherry picked from commit 5380ad9152a595a9eee88a0213ffe7284f212b0d)
---
 .../dispatcher.d/30-local-dns-prepender.template               | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/data/bootstrap/baremetal/files/etc/NetworkManager/dispatcher.d/30-local-dns-prepender.template b/data/data/bootstrap/baremetal/files/etc/NetworkManager/dispatcher.d/30-local-dns-prepender.template
index 85c136fb087..192895335cf 100755
--- a/data/data/bootstrap/baremetal/files/etc/NetworkManager/dispatcher.d/30-local-dns-prepender.template
+++ b/data/data/bootstrap/baremetal/files/etc/NetworkManager/dispatcher.d/30-local-dns-prepender.template
@@ -25,7 +25,8 @@ EOF
             mkdir -p /etc/systemd/resolved.conf.d
             echo "[Resolve]" > /etc/systemd/resolved.conf.d/60-kni.conf
             echo "DNS=$DNS_IP" >> /etc/systemd/resolved.conf.d/60-kni.conf
-            echo "Domains={{.ClusterDomain}}" >> /etc/systemd/resolved.conf.d/60-kni.conf
+            echo "Domains=api.{{.ClusterDomain}} api-int.{{.ClusterDomain}} apps.{{.ClusterDomain}}" >> \
+                /etc/systemd/resolved.conf.d/60-kni.conf
             if systemctl -q is-active systemd-resolved; then
                 >&2 echo "NM resolv-prepender: restarting systemd-resolved"
                 systemctl restart systemd-resolved