diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index dff94e1b3a..6e486a2711 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -7808,12 +7808,13 @@ spec:
 description: |-
 Service resolution mode for the hosts.
 
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
 enum:
 - NONE
 - STATIC
 - DNS
 - DNS_ROUND_ROBIN
+ - DYNAMIC_DNS
 type: string
 subjectAltNames:
 description: If specified, the proxy will verify that the server certificate's
@@ -8106,12 +8107,13 @@ spec:
 description: |-
 Service resolution mode for the hosts.
 
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
 enum:
 - NONE
 - STATIC
 - DNS
 - DNS_ROUND_ROBIN
+ - DYNAMIC_DNS
 type: string
 subjectAltNames:
 description: If specified, the proxy will verify that the server certificate's
@@ -8404,12 +8406,13 @@ spec:
 description: |-
 Service resolution mode for the hosts.
 
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
 enum:
 - NONE
 - STATIC
 - DNS
 - DNS_ROUND_ROBIN
+ - DYNAMIC_DNS
 type: string
 subjectAltNames:
 description: If specified, the proxy will verify that the server certificate's
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index 62bb7a0831..4f459d5336 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -100,6 +100,23 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
 // cannot be used with Unix domain socket endpoints.
 const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
 
+// DYNAMIC_DNS will attempt to resolve the host name specified in
+// the Host header or SNI to an IP address when handling traffic. This
+// allows multiple DNS addresses to be represented by a single wildcard
+// `host` entry without having to explicitly enumerate all possible
+// endpoints. During DNS proxying, ztunnel will resolve all subdomains
+// matching the wildcard host name to a VIP which isn't used for routing
+// outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+// waypoint proxy to recover the original host name using information
+// from SNI or a Host header in an HTTP Request. This original host name
+// will then be resolved so that traffic can be routed to the intended
+// IP address. This method of handling wildcard traffic is not
+// compatible with raw TCP traffic where the original host cannot
+// be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+// `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+// be bound to a waypoint. Specified endpoints will be ignored.
+const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
+
 // ServicePort describes the properties of a specific port of a service.
 type ServicePort = v1alpha3.ServicePort
 type ServiceEntryStatus = v1alpha3.ServiceEntryStatus
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 9232587492..5069fa1c72 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -517,6 +517,22 @@ const (
 // specified in the hosts field, if wildcards are not used. DNS resolution
 // cannot be used with Unix domain socket endpoints.
 ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = 3
+ // DYNAMIC_DNS will attempt to resolve the host name specified in
+ // the Host header or SNI to an IP address when handling traffic. This
+ // allows multiple DNS addresses to be represented by a single wildcard
+ // `host` entry without having to explicitly enumerate all possible
+ // endpoints. During DNS proxying, ztunnel will resolve all subdomains
+ // matching the wildcard host name to a VIP which isn't used for routing
+ // outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+ // waypoint proxy to recover the original host name using information
+ // from SNI or a Host header in an HTTP Request. This original host name
+ // will then be resolved so that traffic can be routed to the intended
+ // IP address. This method of handling wildcard traffic is not
+ // compatible with raw TCP traffic where the original host cannot
+ // be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+ // `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+ // be bound to a waypoint. Specified endpoints will be ignored.
+ ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = 4
 )
 
 // Enum value maps for ServiceEntry_Resolution.
@@ -526,12 +542,14 @@ var (
 1: "STATIC",
 2: "DNS",
 3: "DNS_ROUND_ROBIN",
+ 4: "DYNAMIC_DNS",
 }
 ServiceEntry_Resolution_value = map[string]int32{
 "NONE": 0,
 "STATIC": 1,
 "DNS": 2,
 "DNS_ROUND_ROBIN": 3,
+ "DYNAMIC_DNS": 4,
 }
 )
 
@@ -1018,7 +1036,7 @@ var File_networking_v1alpha3_service_entry_proto protoreflect.FileDescriptor const file_networking_v1alpha3_service_entry_proto_rawDesc = "" + "\n" + - "'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a\x1fanalysis/v1alpha1/message.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1ameta/v1alpha1/status.proto\x1a!networking/v1alpha3/sidecar.proto\x1a(networking/v1alpha3/workload_entry.proto\"\x87\x05\n" + + "'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a\x1fanalysis/v1alpha1/message.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1ameta/v1alpha1/status.proto\x1a!networking/v1alpha3/sidecar.proto\x1a(networking/v1alpha3/workload_entry.proto\"\x98\x05\n" + "\fServiceEntry\x12\x1a\n" + "\x05hosts\x18\x01 \x03(\tB\x04\xe2A\x01\x02R\x05hosts\x12\x1c\n" + "\taddresses\x18\x02 \x03(\tR\taddresses\x12<\n" + @@ -1033,14 +1051,15 @@ const file_networking_v1alpha3_service_entry_proto_rawDesc = "" + "\x11subject_alt_names\x18\b \x03(\tR\x0fsubjectAltNames\"0\n" + "\bLocation\x12\x11\n" + "\rMESH_EXTERNAL\x10\x00\x12\x11\n" + - "\rMESH_INTERNAL\x10\x01\"@\n" + + "\rMESH_INTERNAL\x10\x01\"Q\n" + "\n" + "Resolution\x12\b\n" + "\x04NONE\x10\x00\x12\n" + "\n" + "\x06STATIC\x10\x01\x12\a\n" + "\x03DNS\x10\x02\x12\x13\n" + - "\x0fDNS_ROUND_ROBIN\x10\x03\"\x82\x01\n" + + "\x0fDNS_ROUND_ROBIN\x10\x03\x12\x0f\n" + + "\vDYNAMIC_DNS\x10\x04\"\x82\x01\n" + "\vServicePort\x12\x1c\n" + "\x06number\x18\x01 \x01(\rB\x04\xe2A\x01\x02R\x06number\x12\x1a\n" + "\bprotocol\x18\x02 \x01(\tR\bprotocol\x12\x18\n" + diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html index 7f818b9d16..dcd7b3b73c 100644 --- a/networking/v1alpha3/service_entry.pb.html +++ b/networking/v1alpha3/service_entry.pb.html @@ -607,6 +607,27 @@

Resolution

specified in the hosts field, if wildcards are not used. DNS resolution cannot be used with Unix domain socket endpoints.

+ + + +DYNAMIC_DNS + +

DYNAMIC_DNS will attempt to resolve the host name specified in +the Host header or SNI to an IP address when handling traffic. This +allows multiple DNS addresses to be represented by a single wildcard +host entry without having to explicitly enumerate all possible +endpoints. During DNS proxying, ztunnel will resolve all subdomains +matching the wildcard host name to a VIP which isn’t used for routing +outside the mesh. DYNAMIC_DNS will provide configuration to a +waypoint proxy to recover the original host name using information +from SNI or a Host header in an HTTP Request. This original host name +will then be resolved so that traffic can be routed to the intended +IP address. This method of handling wildcard traffic is not +compatible with raw TCP traffic where the original host cannot +be recovered. DYNAMIC_DNS is only supported for wildcard hosts, +MESH_EXTERNAL location and in ambient mode. The ServiceEntry must +be bound to a waypoint. Specified endpoints will be ignored.

+
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 967e2802b2..88df4203bd 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -560,6 +560,23 @@ message ServiceEntry {
 // specified in the hosts field, if wildcards are not used. DNS resolution
 // cannot be used with Unix domain socket endpoints.
 DNS_ROUND_ROBIN = 3;
+
+ // DYNAMIC_DNS will attempt to resolve the host name specified in
+ // the Host header or SNI to an IP address when handling traffic. This
+ // allows multiple DNS addresses to be represented by a single wildcard
+ // `host` entry without having to explicitly enumerate all possible
+ // endpoints. During DNS proxying, ztunnel will resolve all subdomains
+ // matching the wildcard host name to a VIP which isn't used for routing
+ // outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+ // waypoint proxy to recover the original host name using information
+ // from SNI or a Host header in an HTTP Request. This original host name
+ // will then be resolved so that traffic can be routed to the intended
+ // IP address. This method of handling wildcard traffic is not
+ // compatible with raw TCP traffic where the original host cannot
+ // be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+ // `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+ // be bound to a waypoint. Specified endpoints will be ignored.
+ DYNAMIC_DNS = 4;
 }
 
 // Service resolution mode for the hosts. Care must be taken
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index 5bc4910aa4..210b52c62c 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
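Review bot: The restrictions the new DYNAMIC_DNS comment states (wildcard hosts only, MESH_EXTERNAL, ambient mode, waypoint binding, endpoints ignored) are not encoded anywhere in this change — the CRD hunks only add the enum value — so a ServiceEntry that violates them is accepted by the API server and presumably rejected or silently misbehaves later in the control plane or proxy; a CEL validation rule on the CRD or an analyzer check would surface this at apply time, unless one already exists outside this diff. Because this mode picks the upstream from the client-supplied Host header or SNI, the comment should also say explicitly that the recovered host name is matched against the entry's wildcard `hosts` before it is resolved, e.g. `// The recovered host name is resolved only if it matches one of this ServiceEntry's wildcard hosts; requests whose Host header or SNI do not match are not forwarded.` — I cannot tell from this diff whether the waypoint enforces that, so confirm before documenting it as a guarantee. The Resolution enum and the enclosing ServiceEntry message continue outside the hunk.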
@@ -100,6 +100,23 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
 // cannot be used with Unix domain socket endpoints.
 const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
 
+// DYNAMIC_DNS will attempt to resolve the host name specified in
+// the Host header or SNI to an IP address when handling traffic. This
+// allows multiple DNS addresses to be represented by a single wildcard
+// `host` entry without having to explicitly enumerate all possible
+// endpoints. During DNS proxying, ztunnel will resolve all subdomains
+// matching the wildcard host name to a VIP which isn't used for routing
+// outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+// waypoint proxy to recover the original host name using information
+// from SNI or a Host header in an HTTP Request. This original host name
+// will then be resolved so that traffic can be routed to the intended
+// IP address. This method of handling wildcard traffic is not
+// compatible with raw TCP traffic where the original host cannot
+// be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+// `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+// be bound to a waypoint. Specified endpoints will be ignored.
+const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
+
 // ServicePort describes the properties of a specific port of a service.
 type ServicePort = v1alpha3.ServicePort
 type ServiceEntryStatus = v1alpha3.ServiceEntryStatus
diff --git a/releasenotes/notes/dynamic-dns-resolution.yaml b/releasenotes/notes/dynamic-dns-resolution.yaml
new file mode 100644
index 0000000000..c3c0139bfe
--- /dev/null
+++ b/releasenotes/notes/dynamic-dns-resolution.yaml
@@ -0,0 +1,11 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+ - https://github.com/istio/istio/issues/54540
+
+releaseNotes:
+ - |
+ **Added** a new `DYNAMIC_DNS` resolution option for `ServiceEntry` to enable
+ dynamic DNS resolution based on the request's Host header or SNI when the
+ ServiceEntry has a wildcard host.