DNS is also a feature that can be enabled for extProc and extAuth

clusters, so treat it as such.

Signed-off-by: Lior Okman <lior.okman@sap.com>

api/v1alpha1/backendtrafficpolicy_types.go

@@ -75,11 +75,6 @@ type BackendTrafficPolicySpec struct {
 	// +optional
 	// +notImplementedHide
 	Compression []*Compression `json:"compression,omitempty"`
-
-	// DNS includes dns resolution settings.
-	//
-	// +optional
-	DNS *DNS `json:"dns,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -139,6 +134,11 @@ type ClusterSettings struct {
 	//
 	// +optional
 	Connection *BackendConnection `json:"connection,omitempty"`
+
+	// DNS includes dns resolution settings.
+	//
+	// +optional
+	DNS *DNS `json:"dns,omitempty"`
 }
 
 func init() {

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml

@@ -126,6 +126,21 @@ spec:
                                 Note: that when the suffix is not provided, the value is interpreted as bytes.
                               x-kubernetes-int-or-string: true
                           type: object
+                        dns:
+                          description: DNS includes dns resolution settings.
+                          properties:
+                            dnsRefreshRate:
+                              description: |-
+                                DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+                                Defaults to 30 seconds.
+                              type: string
+                            respectDnsTtl:
+                              description: |-
+                                RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+                                If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+                                Defaults to true.
+                              type: boolean
+                          type: object
                         healthCheck:
                           description: HealthCheck allows gateway to perform active
                             health checking on backends.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -328,6 +328,21 @@ spec:
                                   Note: that when the suffix is not provided, the value is interpreted as bytes.
                                 x-kubernetes-int-or-string: true
                             type: object
+                          dns:
+                            description: DNS includes dns resolution settings.
+                            properties:
+                              dnsRefreshRate:
+                                description: |-
+                                  DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+                                  Defaults to 30 seconds.
+                                type: string
+                              respectDnsTtl:
+                                description: |-
+                                  RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+                                  If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+                                  Defaults to true.
+                                type: boolean
+                            type: object
                           healthCheck:
                             description: HealthCheck allows gateway to perform active
                               health checking on backends.
@@ -1039,6 +1054,21 @@ spec:
                                   Note: that when the suffix is not provided, the value is interpreted as bytes.
                                 x-kubernetes-int-or-string: true
                             type: object
+                          dns:
+                            description: DNS includes dns resolution settings.
+                            properties:
+                              dnsRefreshRate:
+                                description: |-
+                                  DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+                                  Defaults to 30 seconds.
+                                type: string
+                              respectDnsTtl:
+                                description: |-
+                                  RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+                                  If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+                                  Defaults to true.
+                                type: boolean
+                            type: object
                           healthCheck:
                             description: HealthCheck allows gateway to perform active
                               health checking on backends.

internal/gatewayapi/backendtrafficpolicy.go

@@ -334,9 +334,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen
 		errs = errors.Join(errs, err)
 	}
 
-	if policy.Spec.DNS != nil {
-		ds = t.translateDNS(policy)
-	}
+	ds = translateDNS(policy.Spec.DNS)
 
 	// Early return if got any errors
 	if errs != nil {
@@ -389,9 +387,9 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen
 						TCPKeepalive:      ka,
 						Retry:             rt,
 						BackendConnection: bc,
+						DNS:               ds,
 					}
 
-					r.DNS = ds
 					// Update the Host field in HealthCheck, now that we have access to the Route Hostname.
 					r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname)
 
@@ -458,9 +456,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back
 		errs = errors.Join(errs, err)
 	}
 
-	if policy.Spec.DNS != nil {
-		ds = t.translateDNS(policy)
-	}
+	ds = translateDNS(policy.Spec.DNS)
 
 	// Early return if got any errors
 	if errs != nil {
@@ -483,26 +479,15 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back
 		}
 
 		for _, r := range tcp.Routes {
-			// policy(targeting xRoute) has already set it, so we skip it.
-			if r.LoadBalancer != nil || r.ProxyProtocol != nil ||
-				r.HealthCheck != nil || r.CircuitBreaker != nil ||
-				r.TCPKeepalive != nil || r.Timeout != nil {
-				continue
-			}
-
-			r.LoadBalancer = lb
-			r.ProxyProtocol = pp
-			r.HealthCheck = hc
-			r.CircuitBreaker = cb
-			r.TCPKeepalive = ka
-
-			if r.Timeout == nil {
-				r.Timeout = ct
-			}
-
-			if r.DNS == nil {
-				r.DNS = ds
-			}
+			// only set attributes which weren't already set by a more
+			// specific policy
+			setIfNil(&r.LoadBalancer, lb)
+			setIfNil(&r.ProxyProtocol, pp)
+			setIfNil(&r.HealthCheck, hc)
+			setIfNil(&r.CircuitBreaker, cb)
+			setIfNil(&r.TCPKeepalive, ka)
+			setIfNil(&r.Timeout, ct)
+			setIfNil(&r.DNS, ds)
 		}
 	}
 
@@ -518,19 +503,11 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back
 
 		route := udp.Route
 
-		// policy(targeting xRoute) has already set it, so we skip it.
-		if route.LoadBalancer != nil || route.Timeout != nil {
-			continue
-		}
-
-		route.LoadBalancer = lb
-		if route.Timeout == nil {
-			route.Timeout = ct
-		}
-
-		if route.DNS == nil {
-			route.DNS = ds
-		}
+		// only set attributes which weren't already set by a more
+		// specific policy
+		setIfNil(&route.LoadBalancer, lb)
+		setIfNil(&route.Timeout, ct)
+		setIfNil(&route.DNS, ds)
 	}
 
 	for _, http := range x.HTTP {
@@ -557,10 +534,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back
 				FaultInjection: fi,
 				TCPKeepalive:   ka,
 				Retry:          rt,
-			}
-
-			if r.DNS == nil {
-				r.DNS = ds
+				DNS:            ds,
 			}
 
 			// Update the Host field in HealthCheck, now that we have access to the Route Hostname.
@@ -571,9 +545,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back
 			}
 
 			if policy.Spec.UseClientProtocol != nil {
-				if r.UseClientProtocol == nil {
-					r.UseClientProtocol = policy.Spec.UseClientProtocol
-				}
+				setIfNil(&r.UseClientProtocol, policy.Spec.UseClientProtocol)
 			}
 		}
 	}
@@ -766,17 +738,6 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) {
 	return irRule, nil
 }
 
-func (t *Translator) translateDNS(policy *egv1a1.BackendTrafficPolicy) *ir.DNS {
-	ds := &ir.DNS{}
-	if policy.Spec.DNS.RespectDNSTTL != nil {
-		ds.RespectDNSTTL = policy.Spec.DNS.RespectDNSTTL
-	}
-	if policy.Spec.DNS.DNSRefreshRate != nil {
-		ds.DNSRefreshRate = policy.Spec.DNS.DNSRefreshRate
-	}
-	return ds
-}
-
 func ratelimitUnitToDuration(unit egv1a1.RateLimitUnit) int64 {
 	var seconds int64
 

internal/gatewayapi/clustersettings.go

@@ -480,3 +480,13 @@ func translateActiveHealthCheckPayload(p *egv1a1.ActiveHealthCheckPayload) *ir.H
 
 	return irPayload
 }
+
+func translateDNS(policy *egv1a1.DNS) *ir.DNS {
+	if policy == nil {
+		return nil
+	}
+	return &ir.DNS{
+		RespectDNSTTL:  policy.RespectDNSTTL,
+		DNSRefreshRate: policy.DNSRefreshRate,
+	}
+}

internal/gatewayapi/helpers.go

@@ -560,3 +560,10 @@ func getPolicyTargetRefs[T client.Object](policy egv1a1.PolicyTargetReferences,
 
 	return ret
 }
+
+// Sets *target to value if and only if *target is nil
+func setIfNil[T any](target **T, value *T) {
+	if *target == nil {
+		*target = value
+	}
+}

internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml

@@ -342,9 +342,6 @@ xdsIR:
               port: 8080
             protocol: HTTP
             weight: 1
-        dns:
-          dnsRefreshRate: 10s
-          respectDnsTtl: true
         hostname: gateway.envoyproxy.io
         isHTTP2: false
         metadata:
@@ -356,7 +353,10 @@ xdsIR:
           distinct: false
           name: ""
           prefix: /v3
-        traffic: {}
+        traffic:
+          dns:
+            dnsRefreshRate: 10s
+            respectDnsTtl: true
   envoy-gateway/gateway-2:
     accessLog:
       text:
@@ -386,9 +386,6 @@ xdsIR:
               port: 8080
             protocol: HTTP
             weight: 1
-        dns:
-          dnsRefreshRate: 5s
-          respectDnsTtl: false
         hostname: gateway.envoyproxy.io
         isHTTP2: false
         metadata:
@@ -400,7 +397,10 @@ xdsIR:
           distinct: false
           name: ""
           prefix: /v2
-        traffic: {}
+        traffic:
+          dns:
+            dnsRefreshRate: 5s
+            respectDnsTtl: false
       - destination:
           name: httproute/default/httproute-1/rule/0
           settings:
@@ -410,9 +410,6 @@ xdsIR:
               port: 8080
             protocol: HTTP
             weight: 1
-        dns:
-          dnsRefreshRate: 1s
-          respectDnsTtl: true
         hostname: gateway.envoyproxy.io
         isHTTP2: false
         metadata:
@@ -424,4 +421,7 @@ xdsIR:
           distinct: false
           name: ""
           prefix: /
-        traffic: {}
+        traffic:
+          dns:
+            dnsRefreshRate: 1s
+            respectDnsTtl: true

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml

@@ -211,6 +211,8 @@ envoyExtensionPolicies:
         Kind: Backend
         Group: gateway.envoyproxy.io
       backendConfig:
+        dns:
+          respectDnsTtl: true
         loadBalancer:
           type: ConsistentHash
           consistentHash:

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml

@@ -113,6 +113,8 @@ envoyExtensionPolicies:
           maxConnections: 2048
         connection:
           bufferLimit: 20Mi
+        dns:
+          respectDnsTtl: true
         healthCheck:
           passive:
             consecutiveGatewayErrors: 4

internal/ir/xds.go

@@ -563,8 +563,6 @@ type HTTPRoute struct {
 	UseClientProtocol *bool `json:"useClientProtocol,omitempty" yaml:"useClientProtocol,omitempty"`
 	// Metadata is used to enrich envoy route metadata with user and provider-specific information
 	Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"`
-	// DNS is used to configure how DNS resolution is handled for the route
-	DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
 }
 
 // DNS contains configuration options for DNS resolution.
@@ -600,6 +598,8 @@ type TrafficFeatures struct {
 	Retry *Retry `json:"retry,omitempty" yaml:"retry,omitempty"`
 	// settings of upstream connection
 	BackendConnection *BackendConnection `json:"backendConnection,omitempty" yaml:"backendConnection,omitempty"`
+	// DNS is used to configure how DNS resolution is handled by the Envoy Proxy cluster
+	DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
 }
 
 func (b *TrafficFeatures) Validate() error {
@@ -1512,7 +1512,8 @@ type UDPRoute struct {
 	Timeout *Timeout `json:"timeout,omitempty" yaml:"timeout,omitempty"`
 	// settings of upstream connection
 	BackendConnection *BackendConnection `json:"backendConnection,omitempty" yaml:"backendConnection,omitempty"`
-	DNS               *DNS               `json:"dns,omitempty" yaml:"dns,omitempty"`
+	// DNS is used to configure how DNS resolution is handled by the Envoy Proxy cluster
+	DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
 }
 
 // Validate the fields within the UDPListener structure