From 49b18cd3f7861609521b34dbdf8e5b59c505a875 Mon Sep 17 00:00:00 2001 From: fentas Date: Sat, 21 Mar 2020 15:33:18 +0100 Subject: [PATCH] Add cilium option tofqdns-dns-reject-response-code --- k8s/crds/kops.k8s.io_clusters.yaml | 5 +++++ pkg/apis/kops/networking.go | 4 ++++ pkg/apis/kops/v1alpha1/networking.go | 4 ++++ pkg/apis/kops/v1alpha1/zz_generated.conversion.go | 2 ++ pkg/apis/kops/v1alpha2/networking.go | 4 ++++ pkg/apis/kops/v1alpha2/zz_generated.conversion.go | 2 ++ .../addons/networking.cilium.io/k8s-1.12.yaml.template | 3 +++ 7 files changed, 24 insertions(+) diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index c2a6e8b5e3..d0632c3d7a 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -2917,6 +2917,11 @@ spec: description: StateDir is not implemented and may be removed in the future. Setting this has no effect. type: string + toFqdnsDnsRejectResponseCode: + description: 'ToFqdnsDNSRejectResponseCode sets the DNS response + code for rejecting DNS requests. Possible values are "nameError" + or "refused". Default: refused' + type: string toFqdnsEnablePoller: description: 'ToFqdnsEnablePoller replaces the DNS proxy-based implementation of FQDN policies with the less powerful legacy diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index 55634aa440..41a69656ff 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go 
@@ -376,6 +376,10 @@ type CiliumNetworkingSpec struct {
 SidecarIstioProxyImage string `json:"sidecarIstioProxyImage"`
 // ClusterName is the name of the cluster. It is only relevant when building a mesh of clusters.
 ClusterName string `json:"clusterName"`
+ // ToFqdnsDNSRejectResponseCode sets the DNS response code for rejecting DNS requests.
+ // Possible values are "nameError" or "refused".
+ // Default: refused
+ ToFqdnsDNSRejectResponseCode string `json:"toFqdnsDnsRejectResponseCode,omitempty"`
 // ToFqdnsEnablePoller replaces the DNS proxy-based implementation of FQDN policies
 // with the less powerful legacy implementation.
 // Default: false
diff --git a/pkg/apis/kops/v1alpha1/networking.go b/pkg/apis/kops/v1alpha1/networking.go
index 25177c89d8..f83a7d7f46 100644
--- a/pkg/apis/kops/v1alpha1/networking.go
+++ b/pkg/apis/kops/v1alpha1/networking.go
@@ -374,6 +374,10 @@ type CiliumNetworkingSpec struct {
 SidecarIstioProxyImage string `json:"sidecarIstioProxyImage"`
 // ClusterName is the name of the cluster. It is only relevant when building a mesh of clusters.
 ClusterName string `json:"clusterName"`
+ // ToFqdnsDNSRejectResponseCode sets the DNS response code for rejecting DNS requests.
+ // Possible values are "nameError" or "refused".
+ // Default: refused
+ ToFqdnsDNSRejectResponseCode string `json:"toFqdnsDnsRejectResponseCode,omitempty"`
 // ToFqdnsEnablePoller replaces the DNS proxy-based implementation of FQDN policies
 // with the less powerful legacy implementation.
 // Default: false
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index 7413ae7dda..1ce25da89e 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
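Review bot: ToFqdnsDNSRejectResponseCode is added as a free-form string, and nothing in this patch checks it against the two values its own doc comment allows (the diffstat lists no validation change), so a typo such as `nameerror` is accepted by kops and rendered verbatim into the cilium-config ConfigMap by the template hunk later in this patch, where it presumably only surfaces as an agent failure at startup. The same applies to the identical field in the v1alpha1 hunk below and to the v1alpha2 hunk on the next line; since the CRD schema is generated from the v1alpha2 type, a `// +kubebuilder:validation:Enum=nameError;refused` marker on that field would also carry the constraint into the CRD, assuming the project's CRD generator honours markers. In the Cilium spec validation the check would be `if v := spec.ToFqdnsDNSRejectResponseCode; v != "" && v != "nameError" && v != "refused" {` followed by `allErrs = append(allErrs, field.NotSupported(fldPath.Child("toFqdnsDnsRejectResponseCode"), v, []string{"nameError", "refused"}))`. The CiliumNetworkingSpec struct starts and ends outside the hunk.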
@@ -1328,6 +1328,7 @@ func autoConvert_v1alpha1_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 out.PreallocateBPFMaps = in.PreallocateBPFMaps
 out.SidecarIstioProxyImage = in.SidecarIstioProxyImage
 out.ClusterName = in.ClusterName
+ out.ToFqdnsDNSRejectResponseCode = in.ToFqdnsDNSRejectResponseCode
 out.ToFqdnsEnablePoller = in.ToFqdnsEnablePoller
 out.ContainerRuntimeLabels = in.ContainerRuntimeLabels
 out.Ipam = in.Ipam
@@ -1409,6 +1410,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha1_CiliumNetworkingSpec(in *
 out.PreallocateBPFMaps = in.PreallocateBPFMaps
 out.SidecarIstioProxyImage = in.SidecarIstioProxyImage
 out.ClusterName = in.ClusterName
+ out.ToFqdnsDNSRejectResponseCode = in.ToFqdnsDNSRejectResponseCode
 out.ToFqdnsEnablePoller = in.ToFqdnsEnablePoller
 out.ContainerRuntimeLabels = in.ContainerRuntimeLabels
 out.Ipam = in.Ipam
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index e1dfb7e7c1..4dae5cb772 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@@ -374,6 +374,10 @@ type CiliumNetworkingSpec struct {
 SidecarIstioProxyImage string `json:"sidecarIstioProxyImage"`
 // ClusterName is the name of the cluster. It is only relevant when building a mesh of clusters.
 ClusterName string `json:"clusterName"`
+ // ToFqdnsDNSRejectResponseCode sets the DNS response code for rejecting DNS requests.
+ // Possible values are "nameError" or "refused".
+ // Default: refused
+ ToFqdnsDNSRejectResponseCode string `json:"toFqdnsDnsRejectResponseCode,omitempty"`
 // ToFqdnsEnablePoller replaces the DNS proxy-based implementation of FQDN policies
 // with the less powerful legacy implementation.
 // Default: false
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index df32088792..5e87782c7d 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -1370,6 +1370,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * out.PreallocateBPFMaps = in.PreallocateBPFMaps out.SidecarIstioProxyImage = in.SidecarIstioProxyImage out.ClusterName = in.ClusterName + out.ToFqdnsDNSRejectResponseCode = in.ToFqdnsDNSRejectResponseCode out.ToFqdnsEnablePoller = in.ToFqdnsEnablePoller out.ContainerRuntimeLabels = in.ContainerRuntimeLabels out.Ipam = in.Ipam @@ -1451,6 +1452,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in * out.PreallocateBPFMaps = in.PreallocateBPFMaps out.SidecarIstioProxyImage = in.SidecarIstioProxyImage out.ClusterName = in.ClusterName + out.ToFqdnsDNSRejectResponseCode = in.ToFqdnsDNSRejectResponseCode out.ToFqdnsEnablePoller = in.ToFqdnsEnablePoller out.ContainerRuntimeLabels = in.ContainerRuntimeLabels out.Ipam = in.Ipam diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12.yaml.template index 482fa287c4..8366ee8a22 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12.yaml.template @@ -98,6 +98,9 @@ data: # Name of the cluster. Only relevant when building a mesh of clusters. cluster-name: "{{- if eq .ClusterName "" -}}default{{- else -}}{{ .ClusterName}}{{- end -}}" + # DNS response code for rejecting DNS requests, + # available options are "nameError" and "refused" + tofqdns-dns-reject-response-code: "{{- if eq .ToFqdnsDNSRejectResponseCode "" -}}refused{{- else -}}{{ .ToFqdnsDNSRejectResponseCode }}{{- end -}}" # This option is disabled by default starting from version 1.4.x in favor # of a more powerful DNS proxy-based implementation, see [0] for details. # Enable this option if you want to use FQDN policies but do not want to use
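Review bot: The new tofqdns-dns-reject-response-code line in the template hunk splices .ToFqdnsDNSRejectResponseCode into a double-quoted YAML scalar with no escaping, so a value containing `"` or a newline would corrupt the generated cilium-config ConfigMap instead of failing cleanly; the cluster-name line above has the same shape, so this follows the file's convention, but this field is the only one whose valid values are a closed set, which makes rejecting anything else before templating the cheaper fix. The fallback also duplicates the API's documented default, which is worth stating so the two stay in sync when one changes: `# Defaults to "refused", matching the ToFqdnsDNSRejectResponseCode API default.`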