Remove duplicate rules sent to sdp for same endpt
authorVipul Singh <singhvipul@microsoft.com>
Fri, 12 Dec 2025 01:44:58 +0000 (01:44 +0000)
committerAndré Martins <aanm@users.noreply.github.com>
Wed, 17 Dec 2025 08:36:42 +0000 (08:36 +0000)
Cilium agent was sending the DNS rules once for each IP of an endpoint.
This sent duplicate data to the sdp when an endpoint has both an IPv4 and
an IPv6 address.

Signed-off-by: Vipul Singh <singhvipul@microsoft.com>
pkg/fqdn/service/service.go
pkg/fqdn/service/service_test.go

index 628c5227741bbf414ceb9cbf748b4b04d54aa5a7..fb1c46169bdf25581bdee5184baa024a74c72576 100644 (file)
@@ -334,6 +334,10 @@ func (s *FQDNDataServer) sendAndRecvAckForDNSPolicies(stream pb.FQDNData_StreamP
                        // Get the IPs associated with this identity
                        epIPs := identityIPMap[rule.Identity]
 
+                       // Track which endpoint IDs we've already added for this specific DNS policy
+                       // This prevents duplicates when multiple IPs(ipv4/ipv6) from the same identity point to the same endpoint
+                       addedEndpoints := make(map[uint32]bool)
+
                        // For each IP, find the corresponding endpoint and create DNS policy
                        for _, prefix := range epIPs {
                                ip := prefix.Addr()
@@ -344,9 +348,18 @@ func (s *FQDNDataServer) sendAndRecvAckForDNSPolicies(stream pb.FQDNData_StreamP
                                        continue
                                }
 
+                               endpointID := uint32(ep.GetID())
+
+                               // Skip if we've already added this endpoint for this DNS policy
+                               if addedEndpoints[endpointID] {
+                                       continue
+                               }
+                               // Mark this endpoint as added for this DNS policy
+                               addedEndpoints[endpointID] = true
+
                                // Create DNS policy with endpoint information
                                egressL7DnsPolicy = append(egressL7DnsPolicy, &pb.DNSPolicy{
-                                       SourceEndpointId: uint32(ep.GetID()),
+                                       SourceEndpointId: endpointID,
                                        DnsServers:       dnsPolicy.DnsServers,
                                        DnsPattern:       dnsPolicy.DnsPattern,
                                })
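Review bot: The per-rule `addedEndpoints` set in the first hunk is keyed only by endpoint ID, so it should be a `map[uint32]struct{}` rather than `map[uint32]bool`, and it can be sized up front since `len(epIPs)` bounds the number of distinct endpoints: `addedEndpoints := make(map[uint32]struct{}, len(epIPs))`, `if _, seen := addedEndpoints[endpointID]; seen { continue }`, `addedEndpoints[endpointID] = struct{}{}`. Because the map is recreated for every `rule`, the deduplication is correctly scoped to one DNS policy, and it is worth saying so in the comment, e.g. `// Scoped to this rule: the same endpoint must still receive every distinct policy`. Allocating a fresh map per rule is acceptable here; hoisting it above the rule loop and clearing it per iteration would only matter if this path is hot, which the hunk does not show. sendAndRecvAckForDNSPolicies starts before the first hunk and continues after the second.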
index a70c3582112370125e376527594782bfdcc53103..43bf6f5e64b8c580c35e1b0c9ce13516ebe5b3a5 100644 (file)
@@ -49,6 +49,7 @@ var (
        destIdentity     = identity.NumericIdentity(2)
        destEndpointId   = uint16(102)
        sourceIP         = "1.2.3.4/32"
+       sourceIPV6       = "2001:db8::1/128"
        destIP           = "5.6.7.8/32"
 )
 
@@ -319,11 +320,14 @@ func setupServer(t *testing.T, port int, enableL7Proxy bool, enableStandaloneDNS
 
 // addEndpointMapping adds source and destination endpoint to the server.
 func addEndpointMapping(t *testing.T, fqdnDataServer *FQDNDataServer) {
-       // Add the source endpoint mapping to the server
+       // Add the source endpoint mapping to the server with 2 IPs (IPv4 + IPv6)
        prefix := netip.MustParsePrefix(sourceIP)
        validCIDR := types.NewPrefixCluster(prefix, 0)
        dummyIdentity := ipcache.Identity{ID: sourceIdentity}
        fqdnDataServer.OnIPIdentityCacheChange(ipcache.Upsert, validCIDR, nil, nil, nil, dummyIdentity, 0, nil, 0)
+       prefix = netip.MustParsePrefix(sourceIPV6)
+       validCIDR = types.NewPrefixCluster(prefix, 0)
+       fqdnDataServer.OnIPIdentityCacheChange(ipcache.Upsert, validCIDR, nil, nil, nil, dummyIdentity, 0, nil, 0)
        // Add the destination endpoint mapping to the server
        prefix = netip.MustParsePrefix(destIP)
        validCIDR = types.NewPrefixCluster(prefix, 0)
@@ -392,6 +396,15 @@ func TestSuccessfullyStreamPolicyState(t *testing.T) {
                        })
                        // Increment the count for each response received
                        if len(receivedResultClient.GetEgressL7DnsPolicy()) > 0 {
+                               receivedRules := receivedResultClient.GetEgressL7DnsPolicy()
+                               sourceEndpointIDPolicyCount := 0
+                               for _, r := range receivedRules {
+                                       if r.GetSourceEndpointId() == uint32(sourceEndpointId) {
+                                               sourceEndpointIDPolicyCount++
+                                       }
+                               }
+                               // Ensure no duplicate policies for the same endpoint
+                               require.Equal(t, 1, sourceEndpointIDPolicyCount)
                                count++
                        }
                        connected = true
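Review bot: The assertion `require.Equal(t, 1, sourceEndpointIDPolicyCount)` in the third hunk only demonstrates the deduplication if both `sourceIP` and `sourceIPV6` resolve to `sourceEndpointId`; `addEndpointMapping` registers both prefixes under `sourceIdentity`, but the IP-to-endpoint lookup the server uses is outside this diff, so the precondition should be stated next to the assertion, e.g. `// sourceIP and sourceIPV6 both resolve to sourceEndpointId, so exactly one policy per stream is expected`. The counting loop over `receivedRules` is a candidate for a small helper such as `countPoliciesForEndpoint(rules, id)` so the assertion reads at a glance. In the first hunk, the new variable `sourceIPV6` would follow the Go initialism convention (and the neighbouring `sourceIP`) better as `sourceIPv6`. TestSuccessfullyStreamPolicyState starts before the hunk and continues after it.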