feat: [sc-110727] troubleshoot: collector/analyzer for wildcard dns

[nvanthao]

Story details: https://app.shortcut.com/replicated/story/110727

Demo: https://asciinema.org/a/C9TJdETq9Hn21jefJaxSnWyga

Updates in existing DNS collector

• use dig instead of nslookup
• test DNS resolution for a non resolvable domain
• make DNS utility image configurable, default to registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3
• add nonResolveable config for non-resolvable domain, defaulted to non-existent-domain

Current JSON output that can be used with others analyzer such as JSON analyzer

{
  "kubernetesClusterIP": "10.43.0.1",
  "podResolvConf": "search default.svc.cluster.local svc.cluster.local cluster.local\nnameserver 10.43.0.10\noptions ndots:5\n",
  "query": {
    "kubernetes": {
      "name": "kubernetes",
      "address": "10.43.0.1"
    },
    "nonResolvableDomain": {
      "name": "foo.bar.xyz",
      "address": ""
    }
  },
  "kubeDNSPods": [
    "coredns-77ccd57875-76dt4"
  ],
  "kubeDNSService": "10.43.0.10",
  "kubeDNSEndpoints": "10.42.0.6:53"
}

Sample YAML spec

apiVersion: troubleshoot.sh/v1beta2
kind: SupportBundle
metadata:
  name: support-bundle
spec:
  collectors:
    - clusterResources:
        exclude: true
    - dns:
        image: registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3
        nonResolvable: foo.bar.xyz 
  analyzers:
    - jsonCompare:
        checkName: Check for wildcard DNS config
        fileName: dns/debug.json
        path: "query.nonResolvableDomain.address"
        value: |
          ""
        outcomes:
          - fail:
              when: "false"
              message: Possible wildcard DNS configured. Non-existent domain resolved to {{ .query.nonResolvableDomain.address }}.
          - pass:
              when: "true"
              message: Confirmed that non-existent domain not resolved.

[banjoh]

Is there a reason why you switched from nslookup to dig? People will need find an image that has dig installed which is an additional hurdle to jump. Images such as busybox and alpine package nslookup. Embedded Cluster uses busybox which, if not overridden, will be present in the airgap bundle

It might be slightly more code, but you can attempt dig and if the binary is not present, try nslookup. The collector will be more robust this way.

[nvanthao]

The nslookup command in busybox is not working correctly

E.g.

k run -it --rm debug --image busybox -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ #
/ # nslookup kubernetes.default
Server:         10.43.0.10
Address:        10.43.0.10:53

** server can't find kubernetes.default: NXDOMAIN

I've changed to dig simply because of the base image has dig installed, we only want to resolve an address, and the dig +short is easier to parse.

[banjoh]

Could you please add this as a comment in the code for future context on the technical choice?

[nvanthao]

many thanks @banjoh! I'll update the docs accordingly as well.

[banjoh]

LGTM