I'm probably the wrong person to review this PR but do we need to run this controller every second? Can't this be event based on the TTL of the entry?

no, each second the cleanup need to happens to clean the table.

But the entries don't have a TTL for every second

Multiple dns queries has multiple DNS TTL, so each second we need to clean the TTL that has expired after X seconds.

The challenge is knowing when to wake up to expire a specific IP and regenerate policy. We know the expiration time of each entry and setting a timer for the next one to expire is straight-forward Figuring out the expire time for the one after the next is annoying. We would need something like a priority queue (with O(logn) best case update). In theory, most updates will add a new time to the end of this queue (i.e. a new latest time). Still, we can have situations where new entries will expire somewhere in the middle.
Binning the entries into seconds seems like the lowest overhead, since we have as many map entries as we have IPs (or less). The lookup is also constant time for a specific second.

I doubt that we need 1 second accuracy for the TTL. Isn't it enough to expire every 15 seconds?

Let's return lastCleanup as well, this way it will be clear what the time range was for logging etc.

Since we now do the actual removal of cacheEntry objects here, we need to do a :

	for _, name := range expiredEntries {
		if entries, exists := c.forward[name]; exists {
			entries.removeExpired(expiredTime)
		}
	}

We also might want to sort and unique the names. If we do both, the loop above already does the uniqueing because of the exists check (if we add to a list only when exists == true).

mention that the expiration time is in seconds, and that it is expected that we will delete entries in CleanupExpiredEntries

This line needs to be in updateWithEntryIPs. This is because we're tracking by IP, but store the whole DNS lookup. The entry may not actually go into the cache if, for a particular IP, there is another lookup that expires later.
In the cases were, for an IP, we are replacing an existing entry, we might need to also replace the cleanup entry. This is because that IP won't actually expire at the original time anymore. It is a little harmless, though.

You were right: putting this here makes things a little complicated. We now need a controller for the Endpoint.DNSHistory caches(unless some of the changes below around replacing cleanup entries go in, then it might end up with a steady memory usage).

The challenge is knowing when to wake up to expire a specific IP and regenerate policy. We know the expiration time of each entry and setting a timer for the next one to expire is straight-forward Figuring out the expire time for the one after the next is annoying. We would need something like a priority queue (with O(logn) best case update). In theory, most updates will add a new time to the end of this queue (i.e. a new latest time). Still, we can have situations where new entries will expire somewhere in the middle.
Binning the entries into seconds seems like the lowest overhead, since we have as many map entries as we have IPs (or less). The lookup is also constant time for a specific second.

Oh, I meant the original lastCleanup at the start of this function, not the final one (which is going to be roughly expires).

I just realised that the append means we can avoid this if, if you prefer

I just realised that this isn't right. We already set the ExpirationTime in the entry and use that everywhere else. We should probably use it here too, so it is consistent. It will also apply the TTL correctly relative to the lookup time of the data, instead of time.Now() (which will be within the same second most of the time so it would mostly work this way).

This needs to be called when we call c.upsertReverse (just above) otherwise we introduce expirations that aren't actually happening in the cache.

I doubt that we need 1 second accuracy for the TTL. Isn't it enough to expire every 15 seconds?

This can be omitted

exported function KeepUniqueNames should have comment or be unexported

I have a slight preference for only using the slice instead of making a map. In any case, however we do it we should document the function and explain that the output slice is the same or different.

comment on exported function NewDNSCacheWithLimit should be of the form "NewDNSCacheWithLimit ..."

comment on exported var FQDNMaxIPperHost should be of the form "FQDNMaxIPperHost ..."

this is probably a debug... I'm not sure how relevant it is without the list of names deleted

Just a info message to be able to track this down in the future if any issue.

shrug. People keep complaining to me about log lines.
Anyway, can you make it a scopedLog with controller name or whatever we usually put into the controllers? that will make it easier to filter for it.

Also mention: The first update from an endpoint will clear the data in cfg.Cache for each of namesToClean. Looping this way is generally safe despite not locking; If a new lookup happens during these updates the new DNS data will be reinserted from the endpoint.DNSHistory cache that made the request.

defined by limit, no?

this now needs to use c.limit

perHostLimit will be more clear when using it later.

We should say sorted by expiration time. TTL might be ambiguous and mean the actual TTL seconds value.

names might be better as namesToUpdate or something,

the comment is a little unclear, maybe:
When names is non-nil only those names are updated from update, otherwise all DNS names in update are used.
When clean is true the data in c for each specific name is cleared before the update.

tofqdns-endpoint-max-ip-per-hostname might be a little more clear but it is longer.

shrug. People keep complaining to me about log lines.
Anyway, can you make it a scopedLog with controller name or whatever we usually put into the controllers? that will make it easier to filter for it.

I guess this isn't wholly true. "When namesToUpdate has non-zero length" might be more correct (since someone might pass in an empty list thinking it will be a no-op).

I wonder if it's better to convert the string slice to a map when len(namesToUpdate) != 0 instead. This way, the default case just uses update.forward without doing extra work. It probably won't matter too much in the end.

I realised that this is wrong. c.removeExpired should only work on entries in c, and not from update. The effect here would be that removeReverse inside removeExpired etc. wouldn't work correctly.
There's also another problem with the assumption I made yesterday. If the first endpoint.DNSHistory doesn't have name then we won't ever clean it. Another problem is that the time.Now() here leaves a bit of a race.
So, I think we are better off not having clean in this function, but call ForceExpire before we call this function in the controller. This should keep things relatively consistent (at the cost of a regex compile).

Not related with this PR, but could you add a comment like:
using newEntry from update violates encapsulation but these objects are immutable and so it should be harmless to do this (but still a bad idea).

Alternatively, we can copy newEntry (The type is shallow-copyable in general, unless we also play with IP slices, and if we do we deserve bugs).

Without knowing about the various instances of this type that we use, this is a little confusing. If you wanted to make sure it was clear, maybe add this comment where we instantiate fqdn.DefaultDNSCache?

Since we know the entry we are expiring, we can also remove it from cleanup. This way if someone forgets to run GC we won't leak memory.

We should explain how cleanup and overlimit are being used more completely here. The difference between them is a little unclear. It's possible something like expirationTimes is a better name but it is longer.
For cleanup:
cleanup maps the TTL expiration times (in seconds since the epoch) to DNS names that expire in that second. On every new insertion where the new data is actually inserted into the cache (i.e. it expires later than an existing entry) cleanup will be updated. CleanupExpiredEntries cleans up these entries on demand.
Note: Lookup functions will not return expired entries, and this is used to proactively enforce expirations.
Note: It is important to periodically call CleanupExpiredEntries otherwise this map will grow forever.
(this last note isn't needed if we remove entries from cleanup during removeExpired)

For overlimit:
overlimit is a set of DNS names that were over the per-host configured limit when they received an update. The excess IPs will be removed when cleanupOverLimitEntries is called, but will continue to be returned by Lookup until then.
Note: It is important to periodically call GC otherwise this map will grow forever (it is very bounded, however).
(this last note isn't needed if we remove entries from overLimit when we insert IPs).

with a write lock (I think we make the distinction elsewhere)

since we set every other field, perhaps we should also set perHostLimit. It is redundant but makes it clear that it was intended. shrug.