feat: vpn uses WorkspaceHostnameSuffix for DNS names

spikecurtis · spikecurtis · commit 23bedfa92352 · 2025-04-10T13:12:38.000Z
diff --git a/codersdk/workspacesdk/workspacesdk.go b/codersdk/workspacesdk/workspacesdk.go
@@ -143,7 +143,7 @@ type AgentConnectionInfo struct {
 	DERPMap                  *tailcfg.DERPMap `json:"derp_map"`
 	DERPForceWebSockets      bool             `json:"derp_force_websockets"`
 	DisableDirectConnections bool             `json:"disable_direct_connections"`
-	HostnameSuffix           string           `json:"hostname_suffix"`
+	HostnameSuffix           string           `json:"hostname_suffix,omitempty"`
 }
 
 func (c *Client) AgentConnectionInfoGeneric(ctx context.Context) (AgentConnectionInfo, error) {
diff --git a/tailnet/controllers.go b/tailnet/controllers.go
@@ -863,11 +863,12 @@ func (r *basicResumeTokenRefresher) refresh() {
 }
 
 type TunnelAllWorkspaceUpdatesController struct {
-	coordCtrl     *TunnelSrcCoordController
-	dnsHostSetter DNSHostsSetter
-	updateHandler UpdatesHandler
-	ownerUsername string
-	logger        slog.Logger
+	coordCtrl      *TunnelSrcCoordController
+	dnsHostSetter  DNSHostsSetter
+	dnsNameOptions DNSNameOptions
+	updateHandler  UpdatesHandler
+	ownerUsername  string
+	logger         slog.Logger
 
 	mu      sync.Mutex
 	updater *tunnelUpdater
@@ -882,37 +883,39 @@ type Workspace struct {
 	agents        map[uuid.UUID]*Agent
 }
 
+type DNSNameOptions struct {
+	Suffix string
+}
+
 // updateDNSNames updates the DNS names for all agents in the workspace.
 // DNS hosts must be all lowercase, or the resolver won't be able to find them.
 // Usernames are globally unique & case-insensitive.
 // Workspace names are unique per-user & case-insensitive.
 // Agent names are unique per-workspace & case-insensitive.
-func (w *Workspace) updateDNSNames() error {
+func (w *Workspace) updateDNSNames(options DNSNameOptions) error {
 	wsName := strings.ToLower(w.Name)
 	username := strings.ToLower(w.ownerUsername)
 	for id, a := range w.agents {
 		agentName := strings.ToLower(a.Name)
 		names := make(map[dnsname.FQDN][]netip.Addr)
 		// TODO: technically, DNS labels cannot start with numbers, but the rules are often not
 		//       strictly enforced.
-		fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%s.%s.me.coder.", agentName, wsName))
+		fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%s.%s.me.%s.", agentName, wsName, options.Suffix))
 		if err != nil {
 			return err
 		}
 		names[fqdn] = []netip.Addr{CoderServicePrefix.AddrFromUUID(a.ID)}
-		fqdn, err = dnsname.ToFQDN(fmt.Sprintf("%s.%s.%s.coder.", agentName, wsName, username))
+		fqdn, err = dnsname.ToFQDN(fmt.Sprintf("%s.%s.%s.%s.", agentName, wsName, username, options.Suffix))
 		if err != nil {
 			return err
 		}
 		names[fqdn] = []netip.Addr{CoderServicePrefix.AddrFromUUID(a.ID)}
 		if len(w.agents) == 1 {
-			fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%s.coder.", wsName))
+			fqdn, err = dnsname.ToFQDN(fmt.Sprintf("%s.%s.", wsName, options.Suffix))
 			if err != nil {
 				return err
 			}
-			for _, a := range w.agents {
-				names[fqdn] = []netip.Addr{CoderServicePrefix.AddrFromUUID(a.ID)}
-			}
+			names[fqdn] = []netip.Addr{CoderServicePrefix.AddrFromUUID(a.ID)}
 		}
 		a.Hosts = names
 		w.agents[id] = a
@@ -949,6 +952,7 @@ func (t *TunnelAllWorkspaceUpdatesController) New(client WorkspaceUpdatesClient)
 		logger:         t.logger,
 		coordCtrl:      t.coordCtrl,
 		dnsHostsSetter: t.dnsHostSetter,
+		dnsNameOptions: t.dnsNameOptions,
 		updateHandler:  t.updateHandler,
 		ownerUsername:  t.ownerUsername,
 		recvLoopDone:   make(chan struct{}),
@@ -995,6 +999,7 @@ type tunnelUpdater struct {
 	updateHandler  UpdatesHandler
 	ownerUsername  string
 	recvLoopDone   chan struct{}
+	dnsNameOptions DNSNameOptions
 
 	sync.Mutex
 	workspaces map[uuid.UUID]*Workspace
@@ -1249,7 +1254,7 @@ func (t *tunnelUpdater) allAgentIDsLocked() []uuid.UUID {
 func (t *tunnelUpdater) updateDNSNamesLocked() map[dnsname.FQDN][]netip.Addr {
 	names := make(map[dnsname.FQDN][]netip.Addr)
 	for _, w := range t.workspaces {
-		err := w.updateDNSNames()
+		err := w.updateDNSNames(t.dnsNameOptions)
 		if err != nil {
 			// This should never happen in production, because converting the FQDN only fails
 			// if names are too long, and we put strict length limits on agent, workspace, and user
@@ -1272,10 +1277,11 @@ type TunnelAllOption func(t *TunnelAllWorkspaceUpdatesController)
 
 // WithDNS configures the tunnelAllWorkspaceUpdatesController to set DNS names for all workspaces
 // and agents it learns about.
-func WithDNS(d DNSHostsSetter, ownerUsername string) TunnelAllOption {
+func WithDNS(d DNSHostsSetter, ownerUsername string, options DNSNameOptions) TunnelAllOption {
 	return func(t *TunnelAllWorkspaceUpdatesController) {
 		t.dnsHostSetter = d
 		t.ownerUsername = ownerUsername
+		t.dnsNameOptions = options
 	}
 }
 
@@ -1291,7 +1297,11 @@ func WithHandler(h UpdatesHandler) TunnelAllOption {
 func NewTunnelAllWorkspaceUpdatesController(
 	logger slog.Logger, c *TunnelSrcCoordController, opts ...TunnelAllOption,
 ) *TunnelAllWorkspaceUpdatesController {
-	t := &TunnelAllWorkspaceUpdatesController{logger: logger, coordCtrl: c}
+	t := &TunnelAllWorkspaceUpdatesController{
+		logger:         logger,
+		coordCtrl:      c,
+		dnsNameOptions: DNSNameOptions{"coder"},
+	}
 	for _, opt := range opts {
 		opt(t)
 	}
diff --git a/tailnet/controllers_test.go b/tailnet/controllers_test.go
@@ -1521,7 +1521,7 @@ func TestTunnelAllWorkspaceUpdatesController_Initial(t *testing.T) {
 	fUH := newFakeUpdateHandler(ctx, t)
 	fDNS := newFakeDNSSetter(ctx, t)
 	coordC, updateC, updateCtrl := setupConnectedAllWorkspaceUpdatesController(ctx, t, logger,
-		tailnet.WithDNS(fDNS, "testy"),
+		tailnet.WithDNS(fDNS, "testy", tailnet.DNSNameOptions{Suffix: "mctest"}),
 		tailnet.WithHandler(fUH),
 	)
 
@@ -1563,13 +1563,13 @@ func TestTunnelAllWorkspaceUpdatesController_Initial(t *testing.T) {
 
 	// Also triggers setting DNS hosts
 	expectedDNS := map[dnsname.FQDN][]netip.Addr{
-		"w1a1.w1.me.coder.":    {ws1a1IP},
-		"w2a1.w2.me.coder.":    {w2a1IP},
-		"w2a2.w2.me.coder.":    {w2a2IP},
-		"w1a1.w1.testy.coder.": {ws1a1IP},
-		"w2a1.w2.testy.coder.": {w2a1IP},
-		"w2a2.w2.testy.coder.": {w2a2IP},
-		"w1.coder.":            {ws1a1IP},
+		"w1a1.w1.me.mctest.":    {ws1a1IP},
+		"w2a1.w2.me.mctest.":    {w2a1IP},
+		"w2a2.w2.me.mctest.":    {w2a2IP},
+		"w1a1.w1.testy.mctest.": {ws1a1IP},
+		"w2a1.w2.testy.mctest.": {w2a1IP},
+		"w2a2.w2.testy.mctest.": {w2a2IP},
+		"w1.mctest.":            {ws1a1IP},
 	}
 	dnsCall := testutil.RequireRecvCtx(ctx, t, fDNS.calls)
 	require.Equal(t, expectedDNS, dnsCall.hosts)
@@ -1584,23 +1584,23 @@ func TestTunnelAllWorkspaceUpdatesController_Initial(t *testing.T) {
 			{
 				ID: w1a1ID, Name: "w1a1", WorkspaceID: w1ID,
 				Hosts: map[dnsname.FQDN][]netip.Addr{
-					"w1.coder.":            {ws1a1IP},
-					"w1a1.w1.me.coder.":    {ws1a1IP},
-					"w1a1.w1.testy.coder.": {ws1a1IP},
+					"w1.mctest.":            {ws1a1IP},
+					"w1a1.w1.me.mctest.":    {ws1a1IP},
+					"w1a1.w1.testy.mctest.": {ws1a1IP},
 				},
 			},
 			{
 				ID: w2a1ID, Name: "w2a1", WorkspaceID: w2ID,
 				Hosts: map[dnsname.FQDN][]netip.Addr{
-					"w2a1.w2.me.coder.":    {w2a1IP},
-					"w2a1.w2.testy.coder.": {w2a1IP},
+					"w2a1.w2.me.mctest.":    {w2a1IP},
+					"w2a1.w2.testy.mctest.": {w2a1IP},
 				},
 			},
 			{
 				ID: w2a2ID, Name: "w2a2", WorkspaceID: w2ID,
 				Hosts: map[dnsname.FQDN][]netip.Addr{
-					"w2a2.w2.me.coder.":    {w2a2IP},
-					"w2a2.w2.testy.coder.": {w2a2IP},
+					"w2a2.w2.me.mctest.":    {w2a2IP},
+					"w2a2.w2.testy.mctest.": {w2a2IP},
 				},
 			},
 		},
@@ -1632,7 +1632,7 @@ func TestTunnelAllWorkspaceUpdatesController_DeleteAgent(t *testing.T) {
 	fUH := newFakeUpdateHandler(ctx, t)
 	fDNS := newFakeDNSSetter(ctx, t)
 	coordC, updateC, updateCtrl := setupConnectedAllWorkspaceUpdatesController(ctx, t, logger,
-		tailnet.WithDNS(fDNS, "testy"),
+		tailnet.WithDNS(fDNS, "testy", tailnet.DNSNameOptions{Suffix: "coder"}),
 		tailnet.WithHandler(fUH),
 	)
 
@@ -1775,7 +1775,7 @@ func TestTunnelAllWorkspaceUpdatesController_DNSError(t *testing.T) {
 	fConn := &fakeCoordinatee{}
 	tsc := tailnet.NewTunnelSrcCoordController(logger, fConn)
 	uut := tailnet.NewTunnelAllWorkspaceUpdatesController(logger, tsc,
-		tailnet.WithDNS(fDNS, "testy"),
+		tailnet.WithDNS(fDNS, "testy", tailnet.DNSNameOptions{Suffix: "coder"}),
 	)
 
 	updateC := newFakeWorkspaceUpdateClient(ctx, t)
diff --git a/vpn/client.go b/vpn/client.go
@@ -107,6 +107,11 @@ func (*client) NewConn(initCtx context.Context, serverURL *url.URL, token string
 	if err != nil {
 		return nil, xerrors.Errorf("get connection info: %w", err)
 	}
+	// default to DNS suffix of "coder" if the server hasn't set it (might be too old).
+	dnsNameOptions := tailnet.DNSNameOptions{Suffix: "coder"}
+	if connInfo.HostnameSuffix != "" {
+		dnsNameOptions.Suffix = connInfo.HostnameSuffix
+	}
 
 	headers.Set(codersdk.SessionTokenHeader, token)
 	dialer := workspacesdk.NewWebsocketDialer(options.Logger, rpcURL, &websocket.DialOptions{
@@ -148,7 +153,7 @@ func (*client) NewConn(initCtx context.Context, serverURL *url.URL, token string
 	updatesCtrl := tailnet.NewTunnelAllWorkspaceUpdatesController(
 		options.Logger,
 		coordCtrl,
-		tailnet.WithDNS(conn, me.Username),
+		tailnet.WithDNS(conn, me.Username, dnsNameOptions),
 		tailnet.WithHandler(options.UpdateHandler),
 	)
 	controller.WorkspaceUpdatesCtrl = updatesCtrl
diff --git a/vpn/client_test.go b/vpn/client_test.go

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ type AgentConnectionInfo struct {`
`143`	`143`	DERPMap *tailcfg.DERPMap `json:"derp_map"`
`144`	`144`	DERPForceWebSockets bool `json:"derp_force_websockets"`
`145`	`145`	DisableDirectConnections bool `json:"disable_direct_connections"`
`146`		- HostnameSuffix string `json:"hostname_suffix"`
	`146`	+ HostnameSuffix string `json:"hostname_suffix,omitempty"`
`147`	`147`	`}`
`148`	`148`
`149`	`149`	`func (c *Client) AgentConnectionInfoGeneric(ctx context.Context) (AgentConnectionInfo, error) {`