envoyproxy · mattklein123 · Sep 30, 2020 · Sep 11, 2020 · Sep 11, 2020 · Sep 12, 2020
diff --git a/api/envoy/api/v2/cluster.proto b/api/envoy/api/v2/cluster.proto
@@ -677,10 +677,16 @@ message Cluster {
   // :ref:`STRICT_DNS<envoy_api_enum_value_Cluster.DiscoveryType.STRICT_DNS>`
   // and :ref:`LOGICAL_DNS<envoy_api_enum_value_Cluster.DiscoveryType.LOGICAL_DNS>`
   // this setting is ignored.
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple's API only allows overriding DNS resolvers via system settings.
   repeated core.Address dns_resolvers = 18;
 
   // [#next-major-version: Reconcile DNS options in a single message.]
   // Always use TCP queries instead of UDP queries for DNS lookups.
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple' API only uses UDP for DNS resolution.
   bool use_tcp_for_dns_lookups = 45;
 
   // If specified, outlier detection will be enabled for this upstream cluster.

diff --git a/api/envoy/config/bootstrap/v2/bootstrap.proto b/api/envoy/config/bootstrap/v2/bootstrap.proto
@@ -169,6 +169,9 @@ message Bootstrap {
   // when :ref:`dns_resolvers <envoy_api_field_Cluster.dns_resolvers>` and
   // :ref:`use_tcp_for_dns_lookups <envoy_api_field_Cluster.use_tcp_for_dns_lookups>` are
   // specified.
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple' API only uses UDP for DNS resolution.
   bool use_tcp_for_dns_lookups = 20;
 }
 

diff --git a/api/envoy/config/bootstrap/v3/bootstrap.proto b/api/envoy/config/bootstrap/v3/bootstrap.proto
@@ -234,6 +234,9 @@ message Bootstrap {
   // when :ref:`dns_resolvers <envoy_api_field_config.cluster.v3.Cluster.dns_resolvers>` and
   // :ref:`use_tcp_for_dns_lookups <envoy_api_field_config.cluster.v3.Cluster.use_tcp_for_dns_lookups>` are
   // specified.
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple' API only uses UDP for DNS resolution.
   bool use_tcp_for_dns_lookups = 20;
 
   // Specifies optional bootstrap extensions to be instantiated at startup time.

diff --git a/api/envoy/config/bootstrap/v4alpha/bootstrap.proto b/api/envoy/config/bootstrap/v4alpha/bootstrap.proto
diff --git a/api/envoy/config/cluster/v3/cluster.proto b/api/envoy/config/cluster/v3/cluster.proto
@@ -829,10 +829,16 @@ message Cluster {
   // :ref:`STRICT_DNS<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
   // and :ref:`LOGICAL_DNS<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
   // this setting is ignored.
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple's API only allows overriding DNS resolvers via system settings.
   repeated core.v3.Address dns_resolvers = 18;
 
   // [#next-major-version: Reconcile DNS options in a single message.]
   // Always use TCP queries instead of UDP queries for DNS lookups.
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple' API only uses UDP for DNS resolution.
   bool use_tcp_for_dns_lookups = 45;
 
   // If specified, outlier detection will be enabled for this upstream cluster.

diff --git a/api/envoy/config/cluster/v4alpha/cluster.proto b/api/envoy/config/cluster/v4alpha/cluster.proto
diff --git a/api/envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto b/api/envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto
@@ -98,5 +98,8 @@ message DnsCacheConfig {
 
   // [#next-major-version: Reconcile DNS options in a single message.]
   // Always use TCP queries instead of UDP queries for DNS lookups.
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple' API only uses UDP for DNS resolution.
   bool use_tcp_for_dns_lookups = 8;
 }
diff --git a/ci/mac_ci_steps.sh b/ci/mac_ci_steps.sh
@@ -36,10 +36,13 @@ BAZEL_BUILD_OPTIONS=(
 if [[ $# -gt 0 ]]; then
   TEST_TARGETS=$*
 else
-  TEST_TARGETS=//test/integration/...
+  TEST_TARGETS='//test/integration/...'
 fi
 
 if [[ "$TEST_TARGETS" == "//test/..." || "$TEST_TARGETS" == "//test/integration/..." ]]; then
   bazel build "${BAZEL_BUILD_OPTIONS[@]}" //source/exe:envoy-static
 fi
-bazel test "${BAZEL_BUILD_OPTIONS[@]}" ${TEST_TARGETS}
+bazel test "${BAZEL_BUILD_OPTIONS[@]}" "${TEST_TARGETS}"
+
+# Additionally run macOS specific test suites
+bazel test "${BAZEL_BUILD_OPTIONS[@]}" //test/common/network:apple_dns_impl_test
diff --git a/ci/run_clang_tidy.sh b/ci/run_clang_tidy.sh
@@ -37,7 +37,7 @@ function exclude_win32_impl() {
 # Do not run clang-tidy against macOS impl
 # TODO: We should run clang-tidy against macOS impl for completeness
 function exclude_macos_impl() {
-  grep -v source/common/filesystem/kqueue/
+  grep -v source/common/filesystem/kqueue/ | grep -v source/common/network/apple_dns_impl | grep -v test/common/network/apple_dns_impl_test
 }
 
 # Do not run incremental clang-tidy on check_format testdata files.

diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -6,6 +6,7 @@ Incompatible Behavior Changes
 *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 
 * build: added visibility rules for upstream. If these cause visibility related breakage, see notes in //BUILD.
+* dns: ``envoy.restart_features.use_apple_api_for_dns_lookups`` is on by default. This flag only affects Apple platforms (macOS, iOS). It is incompatible to have the runtime flag set to true at the same time as specifying the ``use_tcp_for_dns_lookups`` option or custom dns resolvers. Doing so will cause failure.
 * watchdog: added two guarddogs, breaking the aggregated stats for the single guarddog system. The aggregated stats for the guarddogs will have the following prefixes: `main_thread` and `workers`. Concretely, anything monitoring `server.watchdog_miss` and `server.watchdog_mega_miss` will need to be updated.
 
 Minor Behavior Changes
@@ -80,6 +81,7 @@ New Features
 * build: enable building envoy :ref:`arm64 images <arm_binaries>` by buildx tool in x86 CI platform.
 * cluster: added new :ref:`connection_pool_per_downstream_connection <envoy_v3_api_field_config.cluster.v3.Cluster.connection_pool_per_downstream_connection>` flag, which enable creation of a new connection pool for each downstream connection.
 * decompressor filter: reports compressed and uncompressed bytes in trailers.
+* dns: added support for doing DNS resolution using Apple's DnsService APIs in Apple platforms (macOS, iOS). This feature is ON by default, and is only configurable via the ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime key. Note that this value is latched during server startup and changing the runtime key is a no-op during the lifetime of the process.
 * dns_filter: added support for answering :ref:`service record<envoy_v3_api_msg_data.dns.v3.DnsTable.DnsService>` queries.
 * dynamic_forward_proxy: added :ref:`use_tcp_for_dns_lookups<envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.use_tcp_for_dns_lookups>` option to use TCP for DNS lookups in order to match the DNS options for :ref:`Clusters<envoy_v3_api_msg_config.cluster.v3.Cluster>`.
 * ext_authz filter: added support for emitting dynamic metadata for both :ref:`HTTP <config_http_filters_ext_authz_dynamic_metadata>` and :ref:`network <config_network_filters_ext_authz_dynamic_metadata>` filters.

diff --git a/generated_api_shadow/envoy/api/v2/cluster.proto b/generated_api_shadow/envoy/api/v2/cluster.proto
diff --git a/generated_api_shadow/envoy/config/bootstrap/v2/bootstrap.proto b/generated_api_shadow/envoy/config/bootstrap/v2/bootstrap.proto
diff --git a/generated_api_shadow/envoy/config/bootstrap/v3/bootstrap.proto b/generated_api_shadow/envoy/config/bootstrap/v3/bootstrap.proto
diff --git a/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto b/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto
diff --git a/generated_api_shadow/envoy/config/cluster/v3/cluster.proto b/generated_api_shadow/envoy/config/cluster/v3/cluster.proto
diff --git a/generated_api_shadow/envoy/config/cluster/v4alpha/cluster.proto b/generated_api_shadow/envoy/config/cluster/v4alpha/cluster.proto
diff --git a/generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto b/generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto
diff --git a/source/common/event/BUILD b/source/common/event/BUILD
@@ -30,11 +30,14 @@ envoy_cc_library(
         "//source/common/common:assert_lib",
         "//source/common/common:thread_lib",
         "//source/common/filesystem:watcher_lib",
-        "//source/common/network:connection_lib",
         "//source/common/network:dns_lib",
+        "//source/common/network:connection_lib",
         "//source/common/network:listener_lib",
         "//source/common/runtime:runtime_features_lib",
-    ],
+    ] + select({
+        "//bazel:apple": ["//source/common/network:apple_dns_lib"],
+        "//conditions:default": [],
+    }),
 )
 
 envoy_cc_library(

diff --git a/source/common/event/dispatcher_impl.cc b/source/common/event/dispatcher_impl.cc
@@ -22,13 +22,18 @@
 #include "common/network/dns_impl.h"
 #include "common/network/tcp_listener_impl.h"
 #include "common/network/udp_listener_impl.h"
+#include "common/runtime/runtime_features.h"
 
 #include "event2/event.h"
 
 #ifdef ENVOY_HANDLE_SIGNALS
 #include "common/signal/signal_action.h"
 #endif
 
+#ifdef __APPLE__
+#include "common/network/apple_dns_impl.h"
+#endif
+
 namespace Envoy {
 namespace Event {
 
@@ -121,6 +126,23 @@ Network::DnsResolverSharedPtr DispatcherImpl::createDnsResolver(
     const std::vector<Network::Address::InstanceConstSharedPtr>& resolvers,
     const bool use_tcp_for_dns_lookups) {
   ASSERT(isThreadSafe());
+#ifdef __APPLE__
+  static bool use_apple_api_for_dns_lookups =
+      Runtime::runtimeFeatureEnabled("envoy.restart_features.use_apple_api_for_dns_lookups");
+  if (use_apple_api_for_dns_lookups) {
+    RELEASE_ASSERT(
 resolver_ = std::make_unique<DnsFilterResolver>(resolver_callback_, config->resolvers(), 
 resolver_ = std::make_unique<DnsFilterResolver>(resolver_callback_, config->resolvers(), 
+        resolvers.empty(),
+        "defining custom resolvers is not possible when using Apple APIs for DNS resolution. "
+        "Apple's API only allows overriding DNS resolvers via system settings. Delete resolvers "
+        "config or disable the envoy.restart_features.use_apple_api_for_dns_lookups runtime "
+        "feature.");
+    RELEASE_ASSERT(!use_tcp_for_dns_lookups,
+                   "using TCP for DNS lookups is not possible when using Apple APIs for DNS "
+                   "resolution. Apple' API only uses UDP for DNS resolution. Use UDP or disable "
+                   "the envoy.restart_features.use_apple_api_for_dns_lookups runtime feature.");
+    return Network::DnsResolverSharedPtr{new Network::AppleDnsResolverImpl(*this)};
+  }
+#endif
   return Network::DnsResolverSharedPtr{
       new Network::DnsResolverImpl(*this, resolvers, use_tcp_for_dns_lookups)};
 }

diff --git a/source/common/network/BUILD b/source/common/network/BUILD
@@ -91,6 +91,27 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "apple_dns_lib",
+    srcs = select({
+        "//bazel:apple": ["apple_dns_impl.cc"],
+        "//conditions:default": [],
+    }),
+    hdrs = select({
+        "//bazel:apple": ["apple_dns_impl.h"],
+        "//conditions:default": [],
+    }),
+    deps = [
+        ":address_lib",
+        ":utility_lib",
+        "//include/envoy/event:dispatcher_interface",
+        "//include/envoy/event:file_event_interface",
+        "//include/envoy/network:dns_interface",
+        "//source/common/common:assert_lib",
+        "//source/common/common:linked_object",
+    ],
+)
+
 envoy_cc_library(
     name = "dns_lib",
     srcs = ["dns_impl.cc"],