jaellio
Contributor

@jaellio jaellio commented Sep 15, 2025

- Defines DELAYED_DNS

Signed-off-by: Jackie Elliott <[email protected]>
@istio-testing
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@istio-testing istio-testing added the do-not-merge/work-in-progress label (Block merging of a PR because it isn't ready yet) Sep 15, 2025
@istio-policy-bot

😊 Welcome @jaellio! This is either your first contribution to the Istio api repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@istio-testing istio-testing added the size/S label (Denotes a PR that changes 10-29 lines, ignoring generated files) Sep 15, 2025
@jaellio jaellio marked this pull request as ready for review September 15, 2025 22:32
@jaellio jaellio requested a review from a team as a code owner September 15, 2025 22:32
@istio-testing istio-testing removed the do-not-merge/work-in-progress label (Block merging of a PR because it isn't ready yet) Sep 15, 2025
@jaellio
Contributor Author

jaellio commented Sep 16, 2025

Our current kubebuilder directive for wildcard hosts disallows setting any host to *. It does not check if a defined host contains a *. Is this the intended behavior? Do we want to be more restrictive here?

https://github.com/istio/api/pull/3565/files#diff-9220e0fa673c4bf811c9e82e0095c18e1306374c66a2a39e51fabd456034c217R469

Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
Contributor

@keithmattix keithmattix left a comment

LGTM; will approve after:

  1. Ian's comments/suggestions are addressed
  2. We have clarity on whether we're using webhook validation or kubebuilder validation for how this field is going to be used (I recommend webhook validation if we want to support this mode in sidecars later)

Signed-off-by: Jackie Elliott <[email protected]>
Contributor

@ilrudie ilrudie left a comment

Nice improvement. Thanks for fixing my weird "front-end" wording.

Maybe I'm being pedantic here but I'd like to see clearer delineation between what occurs during DNS proxy in ztunnel vs what DYNAMIC_DNS is intended to do. The two complement each other but should not be conflated.

Contributor

@ilrudie ilrudie left a comment

This seems pretty correct now. One question about when this is permitted though. Depending on the answer it might not be that relevant, but if we won't configure DYNAMIC_DNS without a wildcard we probably should say that more strongly here.

Comment on lines 565 to 567
// the Host header or SNI to an IP address when handling traffic. This
// is particularly useful when multiple dns addresses can be represented
// by a single wildcard `host` entry without having to explicitly
Contributor

Did we decide we only allow configuring this when using wildcards? The wording suggests it could be used elsewhere but I'm not sure if we strongly disallow that, or only don't recommend it.

Contributor

@keithmattix keithmattix Sep 22, 2025

Personally, I'm in favor of a more narrow application and then expand it as we test

Contributor Author

I agree with being stricter in our official support. I believe in the POC I explicitly disallow non-wildcard hosts with DYNAMIC_DNS resolution.

Contributor Author

I have this right now later in the comment

`DYNAMIC_DNS` is only supported for wildcard hosts

Contributor

My thinking is that "particularly useful" suggests there are other applications allowed, just we didn't think they would be so useful. We could change it to something like "This is required when using a wildcard host name..." which to my mind doesn't suggest other applications.

I may just be splitting hairs here though. It's likely clear enough and just my mistake reading sentences individually versus in full context.

Contributor Author

Removed "Particularly useful"
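The two checks this review thread circles around, rejecting a bare `*` host while still accepting hosts that contain a wildcard (jaellio's question about the kubebuilder directive above), and accepting DYNAMIC_DNS only when every host is a wildcard, written out as a webhook-style validator. This is an added example and not Istio's code: the real rules live in the kubebuilder markers in istio/api and the validation webhook in istio/istio. The ServiceEntrySpec type, the Resolution constants, and the rule that a wildcard host must consist of exactly one leading `*.` label are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Resolution stands in for the ServiceEntry resolution enum discussed in the
// PR. Assumption: only the members needed here are modelled.
type Resolution string

const (
	ResolutionNone       Resolution = "NONE"
	ResolutionStatic     Resolution = "STATIC"
	ResolutionDNS        Resolution = "DNS"
	ResolutionDynamicDNS Resolution = "DYNAMIC_DNS"
)

// ServiceEntrySpec is a hypothetical, minimal stand-in for the two fields the
// thread talks about: the host list and the resolution mode.
type ServiceEntrySpec struct {
	Hosts      []string
	Resolution Resolution
}

var (
	errEmptyHost     = errors.New("host must not be empty")
	errCatchAllHost  = errors.New("host \"*\" is not allowed: it would match every destination")
	errWildcardShape = errors.New("\"*\" is only allowed as a single leading label, e.g. \"*.example.com\"")
	errNonWildcardDyn = errors.New("DYNAMIC_DNS is only supported for wildcard hosts")
)

// IsWildcardHost reports whether host is a wildcard host: a leading "*."
// label followed by a non-empty suffix that contains no further "*".
// Assumption: this is the only wildcard shape the example accepts.
func IsWildcardHost(host string) bool {
	return len(host) > 2 && strings.HasPrefix(host, "*.") && !strings.Contains(host[2:], "*")
}

// ValidateHost makes the distinction raised in the thread explicit: a host
// that is exactly "*" is rejected outright, while a host that merely
// contains "*" is checked for the accepted wildcard shape instead.
func ValidateHost(host string) error {
	switch {
	case host == "":
		return errEmptyHost
	case host == "*":
		return errCatchAllHost
	case strings.Contains(host, "*") && !IsWildcardHost(host):
		return errWildcardShape
	}
	return nil
}

// ValidateServiceEntry validates every host and, when the resolution is
// DYNAMIC_DNS, additionally requires each host to be a wildcard, which is the
// restriction the reviewers agreed on. Errors are wrapped so callers can use
// errors.Is to tell the individual failures apart.
func ValidateServiceEntry(se ServiceEntrySpec) error {
	if len(se.Hosts) == 0 {
		return errors.New("at least one host is required")
	}
	for _, h := range se.Hosts {
		if err := ValidateHost(h); err != nil {
			return fmt.Errorf("host %q: %w", h, err)
		}
		if se.Resolution == ResolutionDynamicDNS && !IsWildcardHost(h) {
			return fmt.Errorf("host %q: %w", h, errNonWildcardDyn)
		}
	}
	return nil
}

func main() {
	// Constructed sample specs covering the accepted and rejected shapes.
	cases := []ServiceEntrySpec{
		{Hosts: []string{"*.example.com"}, Resolution: ResolutionDynamicDNS},
		{Hosts: []string{"api.example.com"}, Resolution: ResolutionDynamicDNS},
		{Hosts: []string{"*"}, Resolution: ResolutionDNS},
		{Hosts: []string{"foo.*.com"}, Resolution: ResolutionDNS},
		{Hosts: []string{"*.example.com", "api.example.com"}, Resolution: ResolutionDNS},
	}
	for _, c := range cases {
		fmt.Printf("%v %s -> %v\n", c.Hosts, c.Resolution, ValidateServiceEntry(c))
	}
}
```

Note that a mixed list of wildcard and literal hosts is fine under plain DNS resolution and only becomes an error once the resolution is DYNAMIC_DNS, which is the stricter behaviour jaellio describes for the POC.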

@ilrudie ilrudie dismissed their stale review September 23, 2025 18:28

no longer applicable

Signed-off-by: Jackie Elliott <[email protected]>
@istio-testing istio-testing merged commit 1d89957 into istio:master Sep 23, 2025
5 checks passed

7 participants