feat: add dnsdist metrics

.gitignore

@@ -23,7 +23,7 @@ config/**/charts
 coverage.*
 *.coverprofile
 profile.cov
-
+test/e2e/kubeconfig-*
 # Dependency directories (remove the comment below to include it)
 # vendor/
 
@@ -35,5 +35,5 @@ go.work.sum
 .env
 
 # Editor/IDE
-# .idea/
+.idea/
 # .vscode/

Makefile

@@ -260,6 +260,9 @@ bootstrap-downstream: ## Create kind downstream and deploy agent with embedded P
 	CONTEXT=kind-$(DOWNSTREAM_CLUSTER_NAME) KUSTOMIZE_DIR=config/overlays/agent-powerdns $(MAKE) kustomize-apply
 	# Export external kubeconfig for downstream cluster (reachable from host/other containers)
 	CLUSTER=$(DOWNSTREAM_CLUSTER_NAME) OUT=dev/kind.downstream.kubeconfig $(MAKE) export-kind-kubeconfig-raw
+	# Install monitoring stack into downstream
+	CONTEXT=kind-$(DOWNSTREAM_CLUSTER_NAME) KUSTOMIZE_DIR=config/monitoring $(MAKE) kustomize-apply
+	CONTEXT=kind-$(DOWNSTREAM_CLUSTER_NAME) KUSTOMIZE_DIR=config/overlays/vector-metrics-gateway $(MAKE) kustomize-apply
 
 .PHONY: bootstrap-upstream
 bootstrap-upstream: ## Create kind upstream and deploy replicator pointing to downstream
@@ -474,7 +477,7 @@ set -e; \
 package=$(2)@$(3) ;\
 echo "Downloading $${package}" ;\
 rm -f $(1) ;\
-GOBIN=$(LOCALBIN) go install $${package} ;\
+CGO_ENABLED=0 GOOS=$$(go env GOOS) GOARCH=$$(go env GOARCH) GOBIN=$(LOCALBIN) go install $${package} ;\
 mv $(1) $(1)-$(3) ;\
 } ;\
 ln -sf $$(realpath $(1)-$(3)) $(1)

config/agent/dnscollector-config.yaml

@@ -0,0 +1,109 @@
+################################################
+# global configuration
+#  more details: https://github.com/dmachard/DNS-collector/blob/main/docs/configuration.md#global
+################################################
+global:
+  trace:
+    verbose: true
+    log-malformed: true
+    filename: ""
+    max-size: 10
+    max-backups: 10
+  server-identity: "dns-collector"
+  worker:
+    interval-monitor: 10
+    buffer-size: 8192
+  telemetry:
+    enabled: true
+    web-path: "/metrics"
+    web-listen: ":9165"
+    prometheus-prefix: "dnscollector_exporter"
+
+    # Optional TLS configuration
+    tls-support: false
+    tls-cert-file: ""
+    tls-key-file: ""
+    client-ca-file: ""
+
+    # Optional authentication
+    basic-auth-enable: false
+    basic-auth-login: admin
+    basic-auth-pwd: changeme
+
+################################################
+# Pipelining configuration
+#   more details: https://github.com/dmachard/DNS-collector/blob/main/docs/running_mode.md#pipelining
+#   workers: https://github.com/dmachard/DNS-collector/blob/main/docs/workers.md
+#   transformers: https://github.com/dmachard/DNS-collector/blob/main/docs/transformers.md
+################################################
+pipelines:
+  - name: tap
+    dnstap:
+      listen-ip: 0.0.0.0
+      listen-port: 6000
+    transforms:
+      normalize:
+        enable: true
+        qname-lowercase: true
+        rr-lowercase: true
+        qname-replace-nonprintable: true
+        add-tld: true
+        add-tld-plus-one: true
+        quiet-text: false
+      reordering:
+        enable: true
+        flush-interval: 30
+        max-buffer-size: 100
+      suspicious:
+        enable: true
+        threshold-qname-len: 100
+        threshold-packet-len: 1000
+        threshold-slow: 1.0
+        common-qtypes:
+          - A
+          - AAAA
+          - TXT
+          - CNAME
+          - PTR
+          - NAPTR
+          - DNSKEY
+          - SRV
+          - SOA
+          - NS
+          - MX
+          - DS
+          - HTTPS
+        unallowed-chars:
+          - '"'
+          - '=='
+          - '/'
+          - ':'
+        threshold-max-labels: 10
+        whitelist-domains:
+          - '\.ip6\.arpa'
+      latency:
+        enable: true
+        measure-latency: true
+        unanswered-queries: true
+        queries-timeout: 2
+    routing-policy:
+      forward: [ vector ]
+      dropped: [ ]
+
+  - name: vector
+    tcpclient:
+      transport: tcp
+      remote-address: 127.0.0.1
+      remote-port: 6001
+      connect-timeout: 5
+      retry-interval: 10
+      flush-interval: 30
+      tls-insecure: false
+      tls-min-version: 1.2
+      ca-file: ""
+      cert-file: ""
+      key-file: ""
+      mode: json
+      text-format: ""
+      buffer-size: 100
+      chan-buffer-size: 0

config/agent/dnsdist-config.yaml

@@ -0,0 +1,75 @@
+# TODO(cristhian): Make sure we block api access from outside the cluster.
+webserver:
+  listen_addresses: 
+   - "0.0.0.0:8083"
+  password: ""
+  api_key: ""
+  acl:
+    - 0.0.0.0/0
+  api_requires_authentication: false
+  stats_require_authentication: false
+  dashboard_requires_authentication: false
+
+acl:
+  - 0.0.0.0/0
+
+binds:
+  - listen_address: "0.0.0.0:53"
+    reuseport: true
+    protocol: Do53
+    threads: 2
+
+packet_caches:
+  - name: cache
+    size: 100
+
+pools:
+  - name: default
+    packet_cache: cache
+
+backends:
+  - address: "127.0.0.1:5300"
+    protocol: Do53
+    pools:
+      - default
+
+remote_logging:
+  dnstap_loggers:
+    - name: remote_logging
+      transport: tcp
+      address: "127.0.0.1:6000"
+      connection_count: 2
+
+query_rules:
+  - name: "log all queries"
+    selector:
+      type: All
+    action:
+      type: DnstapLog
+      identity: dnsdist
+      logger_name: remote_logging
+
+  - name: "default rule"
+    selector:
+      type: All
+    action:
+      type: Pool
+      pool_name: default
+
+response_rules:
+  - name: log all responses
+    selector:
+      type: All
+    action:
+      type: DnstapLog
+      identity: dnsdist
+      logger_name: remote_logging
+
+cache_hit_response_rules:
+  - name: log all responses from cache
+    selector:
+      type: All
+    action:
+      type: DnstapLog
+      identity: dnsdist_cache
+      logger_name: remote_logging

config/agent/kustomization.yaml

@@ -22,6 +22,15 @@ configMapGenerator:
   files:
     - pdns.conf
     - recursor.conf
+- name: dnsdist-config
+  files:
+    - dnsdist.yml=dnsdist-config.yaml
+- name: dnscollector-config
+  files:
+    - config.yaml=dnscollector-config.yaml
+- name: vector-config
+  files:
+    - vector-config.yaml
 
 images:
 - name: ghcr.io/datum-cloud/dns-operator

config/agent/manager.yaml

@@ -131,14 +131,15 @@ spec:
           mountPath: /config
         - name: pdns-shared
           mountPath: /run/pdns
+
       - name: pdns
         image: powerdns/pdns-auth-51:latest
         imagePullPolicy: IfNotPresent
         ports:
-          - containerPort: 53
+          - containerPort: 5300
             name: dns
             protocol: UDP
-          - containerPort: 53
+          - containerPort: 5300
             name: dns-tcp
             protocol: TCP
           - containerPort: 8082
@@ -157,7 +158,10 @@ spec:
           - |
             set -eu;
             exec pdns_server \
-              --api-key="$(cat /run/pdns/api-key)" --api=yes --webserver-port=8082
+              --local-port=5300 \
+              --api-key="$(cat /run/pdns/api-key)" \
+              --api=yes \
+              --webserver-port=8082
         securityContext:
           runAsUser: 953
           runAsGroup: 953
@@ -167,6 +171,7 @@ spec:
             drop:
             - "ALL"
             add: ["NET_BIND_SERVICE"]
+
       - name: pdns-recursor
         image: powerdns/pdns-recursor-51:latest
         imagePullPolicy: IfNotPresent
@@ -201,6 +206,7 @@ spec:
           - name: pdns-config
             mountPath: /etc/powerdns
             readOnly: true
+
       - name: lightningstream
         image: powerdns/lightningstream:main
         imagePullPolicy: IfNotPresent
@@ -258,7 +264,85 @@ spec:
             mountPath: /lmdb
           - name: lightningstream-config
             mountPath: /etc/lightningstream      
-
+
+      - name: dnsdist
+        image: powerdns/dnsdist-21:latest
+        args: ["--config", "/etc/dnsdist/dnsdist.yml"]
+        imagePullPolicy: IfNotPresent
+        ports:
+          - containerPort: 53
+            name: dnsdist-udp
+            protocol: UDP
+          - containerPort: 53
+            name: dnsdist-tcp
+            protocol: TCP
+          - containerPort: 8083
+            name: dnsdist-metrics
+            protocol: TCP
+        volumeMounts:
+          - name: pdns-shared
+            mountPath: /run/pdns
+          - name: dnsdist-config
+            mountPath: /etc/dnsdist
+            readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - "ALL"
+            add: ["NET_BIND_SERVICE"]
+
+      - name: dnstap-collector
+        image: dmachard/dnscollector:latest
+        imagePullPolicy: IfNotPresent
+        args: ["-config", "/etc/dnscollector/config.yaml"]
+        ports:
+          - containerPort: 6000
+            name: dnstap
+            protocol: TCP
+          - containerPort: 9165
+            name: dnscol-metrics
+            protocol: TCP
+        volumeMounts:
+          - name: dnscollector-config
+            mountPath: /etc/dnscollector
+            readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - "ALL"
+
+      - name: vector
+        image: timberio/vector:0.51.1-distroless-static
+        args:
+          - --log-format=json
+          - --verbose
+          - --watch-config
+          - --config-dir
+          - /etc/vector/
+        env:
+          - name: VECTOR_METRICS_GATEWAY_ADDRESS
+            value: vector-metrics-gateway:9000
+        volumeMounts:
+          - name: vector-config
+            mountPath: /etc/vector/vector-config.yaml
+            subPath: vector-config.yaml
+          - name: vector-config-volume
+            mountPath: /etc/vector
+        ports:
+          - containerPort: 9598
+            name: vector-metrics
+            protocol: TCP
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
       volumes:
       - name: server-config
         configMap:
@@ -271,5 +355,16 @@ spec:
       - name: pdns-config
         configMap:
           name: pdns-config
+      - name: dnsdist-config
+        configMap:
+          name: dnsdist-config
+      - name: dnscollector-config
+        configMap:
+          name: dnscollector-config
+      - name: vector-config
+        configMap:
+          name: vector-config
+      - name: vector-config-volume
+        emptyDir: {}
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10