From 81b501b7f5ac8cef32f3fc8c78fcdef113a76f69 Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Fri, 12 Sep 2025 23:37:49 +0000
Subject: [PATCH 1/9] Add new resolution type to support wildcard hosts
- Defines DELAYED_DNS
Signed-off-by: Jackie Elliott
---
kubernetes/customresourcedefinitions.gen.yaml | 27 ++++++++++---------
networking/v1/service_entry_alias.gen.go | 10 +++++++
networking/v1alpha3/service_entry.pb.go | 19 ++++++++++---
networking/v1alpha3/service_entry.pb.html | 13 +++++++++
networking/v1alpha3/service_entry.proto | 11 +++++++-
networking/v1beta1/service_entry_alias.gen.go | 10 +++++++
6 files changed, 73 insertions(+), 17 deletions(-)
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index dff94e1b3a..60ac19186c 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -7748,9 +7748,6 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
- x-kubernetes-validations:
- - message: hostname cannot be wildcard
- rule: self != "*"
maxItems: 256
minItems: 1
type: array
@@ -7808,12 +7805,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DELAYED_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
+ - DELAYED_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server certificate's
@@ -7854,6 +7852,9 @@ spec:
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+ - message: hostname cannot be wildcard
+ rule: '!(self.hosts == "*" && self.resolution in ["STATIC", "DNS", "DNS_ROUND_ROBIN",
+ "NONE"])'
status:
properties:
conditions:
@@ -8046,9 +8047,6 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
- x-kubernetes-validations:
- - message: hostname cannot be wildcard
- rule: self != "*"
maxItems: 256
minItems: 1
type: array
@@ -8106,12 +8104,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DELAYED_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
+ - DELAYED_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server certificate's
@@ -8152,6 +8151,9 @@ spec:
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+ - message: hostname cannot be wildcard
+ rule: '!(self.hosts == "*" && self.resolution in ["STATIC", "DNS", "DNS_ROUND_ROBIN",
+ "NONE"])'
status:
properties:
conditions:
@@ -8344,9 +8346,6 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
- x-kubernetes-validations:
- - message: hostname cannot be wildcard
- rule: self != "*"
maxItems: 256
minItems: 1
type: array
@@ -8404,12 +8403,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DELAYED_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
+ - DELAYED_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server certificate's
@@ -8450,6 +8450,9 @@ spec:
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+ - message: hostname cannot be wildcard
+ rule: '!(self.hosts == "*" && self.resolution in ["STATIC", "DNS", "DNS_ROUND_ROBIN",
+ "NONE"])'
status:
properties:
conditions:
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index 62bb7a0831..9533d4890b 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -38,6 +38,7 @@ import "istio.io/api/networking/v1alpha3"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, ”) == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
+// +kubebuilder:validation:XValidation:message="hostname cannot be wildcard",rule="!(self.hosts == '*' && (self.resolution) in ['STATIC', 'DNS', 'DNS_ROUND_ROBIN', 'NONE'])"
type ServiceEntry = v1alpha3.ServiceEntry
// Location specifies whether the service is part of Istio mesh or
@@ -100,6 +101,15 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
+// Similar to DNS, but delays request hostname resolution until runtime.
+// Initial DNS resolution returns the allocated VIP for the matching wildcard
+// hosts specified in the ServiceEntry. `DELAYED_DNS` must be used with
+// wildcard hosts. Depending on the traffic type, the proxy will resolve
+// the DNS address specified in the hosts header or SNI of the proxied
+// request. Specified endpoints will be ignored. Only supported for
+// `MESH_EXTERNAL` ServiceEntries.
+const ServiceEntry_DELAYED_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DELAYED_DNS
+
// ServicePort describes the properties of a specific port of a service.
type ServicePort = v1alpha3.ServicePort
type ServiceEntryStatus = v1alpha3.ServiceEntryStatus
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 9232587492..0685c18bf6 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -517,6 +517,14 @@ const (
// specified in the hosts field, if wildcards are not used. DNS resolution
// cannot be used with Unix domain socket endpoints.
ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = 3
+ // Similar to DNS, but delays request hostname resolution until runtime.
+ // Initial DNS resolution returns the allocated VIP for the matching wildcard
+ // hosts specified in the ServiceEntry. `DELAYED_DNS` must be used with
+ // wildcard hosts. Depending on the traffic type, the proxy will resolve
+ // the DNS address specified in the hosts header or SNI of the proxied
+ // request. Specified endpoints will be ignored. Only supported for
+ // `MESH_EXTERNAL` ServiceEntries.
+ ServiceEntry_DELAYED_DNS ServiceEntry_Resolution = 4
)
// Enum value maps for ServiceEntry_Resolution.
@@ -526,12 +534,14 @@ var (
1: "STATIC",
2: "DNS",
3: "DNS_ROUND_ROBIN",
+ 4: "DELAYED_DNS",
}
ServiceEntry_Resolution_value = map[string]int32{
"NONE": 0,
"STATIC": 1,
"DNS": 2,
"DNS_ROUND_ROBIN": 3,
+ "DELAYED_DNS": 4,
}
)
@@ -597,6 +607,7 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, ”) == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
+// +kubebuilder:validation:XValidation:message="hostname cannot be wildcard",rule="!(self.hosts == '*' && (self.resolution) in ['STATIC', 'DNS', 'DNS_ROUND_ROBIN', 'NONE'])"
type ServiceEntry struct {
state protoimpl.MessageState `protogen:"open.v1"`
// The hosts associated with the ServiceEntry. Could be a DNS
@@ -625,7 +636,6 @@ type ServiceEntry struct {
//
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=256
- // +protoc-gen-crd:list-value-validation:XValidation:message="hostname cannot be wildcard",rule="self != '*'"
Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"`
// The virtual IP addresses associated with the service. Could be CIDR
// prefix. For HTTP traffic, generated route configurations will include http route
@@ -1018,7 +1028,7 @@ var File_networking_v1alpha3_service_entry_proto protoreflect.FileDescriptor
const file_networking_v1alpha3_service_entry_proto_rawDesc = "" +
"\n" +
- "'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a\x1fanalysis/v1alpha1/message.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1ameta/v1alpha1/status.proto\x1a!networking/v1alpha3/sidecar.proto\x1a(networking/v1alpha3/workload_entry.proto\"\x87\x05\n" +
+ "'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a\x1fanalysis/v1alpha1/message.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1ameta/v1alpha1/status.proto\x1a!networking/v1alpha3/sidecar.proto\x1a(networking/v1alpha3/workload_entry.proto\"\x98\x05\n" +
"\fServiceEntry\x12\x1a\n" +
"\x05hosts\x18\x01 \x03(\tB\x04\xe2A\x01\x02R\x05hosts\x12\x1c\n" +
"\taddresses\x18\x02 \x03(\tR\taddresses\x12<\n" +
@@ -1033,14 +1043,15 @@ const file_networking_v1alpha3_service_entry_proto_rawDesc = "" +
"\x11subject_alt_names\x18\b \x03(\tR\x0fsubjectAltNames\"0\n" +
"\bLocation\x12\x11\n" +
"\rMESH_EXTERNAL\x10\x00\x12\x11\n" +
- "\rMESH_INTERNAL\x10\x01\"@\n" +
+ "\rMESH_INTERNAL\x10\x01\"Q\n" +
"\n" +
"Resolution\x12\b\n" +
"\x04NONE\x10\x00\x12\n" +
"\n" +
"\x06STATIC\x10\x01\x12\a\n" +
"\x03DNS\x10\x02\x12\x13\n" +
- "\x0fDNS_ROUND_ROBIN\x10\x03\"\x82\x01\n" +
+ "\x0fDNS_ROUND_ROBIN\x10\x03\x12\x0f\n" +
+ "\vDELAYED_DNS\x10\x04\"\x82\x01\n" +
"\vServicePort\x12\x1c\n" +
"\x06number\x18\x01 \x01(\rB\x04\xe2A\x01\x02R\x06number\x12\x1a\n" +
"\bprotocol\x18\x02 \x01(\tR\bprotocol\x12\x18\n" +
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index 7f818b9d16..4cb75e4389 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -607,6 +607,19 @@ Resolution
specified in the hosts field, if wildcards are not used. DNS resolution
cannot be used with Unix domain socket endpoints.
+
+
+
+DELAYED_DNS |
+
+ Similar to DNS, but delays request hostname resolution until runtime.
+Initial DNS resolution returns the allocated VIP for the matching wildcard
+hosts specified in the ServiceEntry. DELAYED_DNS must be used with
+wildcard hosts. Depending on the traffic type, the proxy will resolve
+the DNS address specified in the hosts header or SNI of the proxied
+request. Specified endpoints will be ignored. Only supported for
+MESH_EXTERNAL ServiceEntries.
+
|
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 967e2802b2..301609c0a8 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -440,6 +440,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, '') == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
+// +kubebuilder:validation:XValidation:message="hostname cannot be wildcard",rule="!(self.hosts == '*' && (self.resolution) in ['STATIC', 'DNS', 'DNS_ROUND_ROBIN', 'NONE'])"
message ServiceEntry {
// The hosts associated with the ServiceEntry. Could be a DNS
// name with wildcard prefix.
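Review bot: The rule on the added `+kubebuilder:validation:XValidation` line compares `self.hosts` with the string `'*'`, but `hosts` is `repeated string` (see the `repeated string hosts = 1;` field later in this file), so a list is being compared with a string; as far as I can tell that either fails CEL type-checking when the CRD is installed or never matches, and in neither case does it reject a wildcard host — the per-item `self != '*'` guard this patch removes from the field was the check actually doing the work. The rule also reads `self.resolution` bare, whereas the neighbouring rules use `default(self.resolution, 'NONE')`; on an entry with `resolution` unset that access errors in CEL and the whole object would be rejected rather than accepted. If the intent is to exempt only the new mode, a list-aware form such as `rule="default(self.resolution, 'NONE') == 'DELAYED_DNS' || !self.hosts.exists(h, h == '*')"` keeps the guard effective. The same line is mirrored in this patch's generated copies (v1 alias, pb.go, v1beta1 alias, CRD yaml); patch 4 of this series drops the rule and restores the per-item check, which again rejects a bare `*` host for every mode including the new one, so if that is intended the new mode's comment should say the wildcard must be a suffix pattern rather than `*`. `message ServiceEntry` continues past the hunk.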
@@ -466,7 +467,6 @@ message ServiceEntry {
// SANs specified here will also be verified.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=256
- // +protoc-gen-crd:list-value-validation:XValidation:message="hostname cannot be wildcard",rule="self != '*'"
repeated string hosts = 1 [(google.api.field_behavior) = REQUIRED];
// The virtual IP addresses associated with the service. Could be CIDR
@@ -560,6 +560,15 @@ message ServiceEntry {
// specified in the hosts field, if wildcards are not used. DNS resolution
// cannot be used with Unix domain socket endpoints.
DNS_ROUND_ROBIN = 3;
+
+ // Similar to DNS, but delays request hostname resolution until runtime.
+ // Initial DNS resolution returns the allocated VIP for the matching wildcard
+ // hosts specified in the ServiceEntry. `DELAYED_DNS` must be used with
+ // wildcard hosts. Depending on the traffic type, the proxy will resolve
+ // the DNS address specified in the hosts header or SNI of the proxied
+ // request. Specified endpoints will be ignored. Only supported for
+ // `MESH_EXTERNAL` ServiceEntries.
+ DELAYED_DNS = 4;
}
// Service resolution mode for the hosts. Care must be taken
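Review bot: The new `DELAYED_DNS` comment states three constraints — must be used with wildcard hosts, specified endpoints are ignored, only `MESH_EXTERNAL` — but none of them is enforced, while the sibling modes get message-level XValidation rules (`NONE mode cannot set endpoints`, `DNS_ROUND_ROBIN mode cannot have multiple endpoints`). Silently ignoring `endpoints` is the risky one: an operator who pins endpoints and then switches to this mode gets, per the comment itself, a proxy that resolves whatever name the client puts in the Host header or SNI, with no error telling them the pinned endpoints no longer apply. A rule in the existing style, `// +kubebuilder:validation:XValidation:message="DELAYED_DNS mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'DELAYED_DNS' ? !has(self.endpoints) : true"`, plus a matching check on the location field, would turn the documented constraint into a rejected object. The wording survives the rename to `DYNAMIC_DNS` in patches 2 and 3, so the same applies to those hunks. The enum closes here but `message ServiceEntry` continues outside the hunk.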
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index 5bc4910aa4..49114113f2 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
@@ -38,6 +38,7 @@ import "istio.io/api/networking/v1alpha3"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, ”) == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
+// +kubebuilder:validation:XValidation:message="hostname cannot be wildcard",rule="!(self.hosts == '*' && (self.resolution) in ['STATIC', 'DNS', 'DNS_ROUND_ROBIN', 'NONE'])"
type ServiceEntry = v1alpha3.ServiceEntry
// Location specifies whether the service is part of Istio mesh or
@@ -100,6 +101,15 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
+// Similar to DNS, but delays request hostname resolution until runtime.
+// Initial DNS resolution returns the allocated VIP for the matching wildcard
+// hosts specified in the ServiceEntry. `DELAYED_DNS` must be used with
+// wildcard hosts. Depending on the traffic type, the proxy will resolve
+// the DNS address specified in the hosts header or SNI of the proxied
+// request. Specified endpoints will be ignored. Only supported for
+// `MESH_EXTERNAL` ServiceEntries.
+const ServiceEntry_DELAYED_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DELAYED_DNS
+
// ServicePort describes the properties of a specific port of a service.
type ServicePort = v1alpha3.ServicePort
type ServiceEntryStatus = v1alpha3.ServiceEntryStatus
From 006c115984f163d93405a93acf9cc08aadf73267 Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Mon, 15 Sep 2025 21:09:29 +0000
Subject: [PATCH 2/9] Use Dynamic DNS instead of delayed
Signed-off-by: Jackie Elliott
---
kubernetes/customresourcedefinitions.gen.yaml | 12 ++++++------
networking/v1/service_entry_alias.gen.go | 11 ++++++-----
networking/v1alpha3/service_entry.pb.go | 17 +++++++++--------
networking/v1alpha3/service_entry.pb.html | 13 +++++++------
networking/v1alpha3/service_entry.proto | 11 ++++++-----
networking/v1beta1/service_entry_alias.gen.go | 9 ---------
6 files changed, 34 insertions(+), 39 deletions(-)
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index 60ac19186c..31cd9ee904 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -7805,13 +7805,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DELAYED_DNS
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
- - DELAYED_DNS
+ - DYNAMIC_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server certificate's
@@ -8104,13 +8104,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DELAYED_DNS
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
- - DELAYED_DNS
+ - DYNAMIC_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server certificate's
@@ -8403,13 +8403,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DELAYED_DNS
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
- - DELAYED_DNS
+ - DYNAMIC_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server certificate's
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index 9533d4890b..22f1c48890 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -101,14 +101,15 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
-// Similar to DNS, but delays request hostname resolution until runtime.
-// Initial DNS resolution returns the allocated VIP for the matching wildcard
-// hosts specified in the ServiceEntry. `DELAYED_DNS` must be used with
+// Similar to DNS, by obtains the FQDN from the Host header or SNI to
+// perform DNS resolution when the matching Host is a wildcard. Initial
+// DNS resolution returns the allocated VIP for the matching wildcard
+// hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be used with
// wildcard hosts. Depending on the traffic type, the proxy will resolve
-// the DNS address specified in the hosts header or SNI of the proxied
+// the DNS address specified in the Hosts header or SNI of the proxied
// request. Specified endpoints will be ignored. Only supported for
// `MESH_EXTERNAL` ServiceEntries.
-const ServiceEntry_DELAYED_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DELAYED_DNS
+const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
// ServicePort describes the properties of a specific port of a service.
type ServicePort = v1alpha3.ServicePort
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 0685c18bf6..1c7b9d2fd2 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -517,14 +517,15 @@ const (
// specified in the hosts field, if wildcards are not used. DNS resolution
// cannot be used with Unix domain socket endpoints.
ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = 3
- // Similar to DNS, but delays request hostname resolution until runtime.
- // Initial DNS resolution returns the allocated VIP for the matching wildcard
- // hosts specified in the ServiceEntry. `DELAYED_DNS` must be used with
+ // Similar to DNS, by obtains the FQDN from the Host header or SNI to
+ // perform DNS resolution when the matching Host is a wildcard. Initial
+ // DNS resolution returns the allocated VIP for the matching wildcard
+ // hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be used with
// wildcard hosts. Depending on the traffic type, the proxy will resolve
- // the DNS address specified in the hosts header or SNI of the proxied
+ // the DNS address specified in the Hosts header or SNI of the proxied
// request. Specified endpoints will be ignored. Only supported for
// `MESH_EXTERNAL` ServiceEntries.
- ServiceEntry_DELAYED_DNS ServiceEntry_Resolution = 4
+ ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = 4
)
// Enum value maps for ServiceEntry_Resolution.
@@ -534,14 +535,14 @@ var (
1: "STATIC",
2: "DNS",
3: "DNS_ROUND_ROBIN",
- 4: "DELAYED_DNS",
+ 4: "DYNAMIC_DNS",
}
ServiceEntry_Resolution_value = map[string]int32{
"NONE": 0,
"STATIC": 1,
"DNS": 2,
"DNS_ROUND_ROBIN": 3,
- "DELAYED_DNS": 4,
+ "DYNAMIC_DNS": 4,
}
)
@@ -1051,7 +1052,7 @@ const file_networking_v1alpha3_service_entry_proto_rawDesc = "" +
"\x06STATIC\x10\x01\x12\a\n" +
"\x03DNS\x10\x02\x12\x13\n" +
"\x0fDNS_ROUND_ROBIN\x10\x03\x12\x0f\n" +
- "\vDELAYED_DNS\x10\x04\"\x82\x01\n" +
+ "\vDYNAMIC_DNS\x10\x04\"\x82\x01\n" +
"\vServicePort\x12\x1c\n" +
"\x06number\x18\x01 \x01(\rB\x04\xe2A\x01\x02R\x06number\x12\x1a\n" +
"\bprotocol\x18\x02 \x01(\tR\bprotocol\x12\x18\n" +
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index 4cb75e4389..9031ccec03 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -609,14 +609,15 @@ Resolution
-
-DELAYED_DNS |
+
+DYNAMIC_DNS |
- Similar to DNS, but delays request hostname resolution until runtime.
-Initial DNS resolution returns the allocated VIP for the matching wildcard
-hosts specified in the ServiceEntry. DELAYED_DNS must be used with
+ Similar to DNS, by obtains the FQDN from the Host header or SNI to
+perform DNS resolution when the matching Host is a wildcard. Initial
+DNS resolution returns the allocated VIP for the matching wildcard
+hosts specified in the ServiceEntry. DYNAMIC_DNS must be used with
wildcard hosts. Depending on the traffic type, the proxy will resolve
-the DNS address specified in the hosts header or SNI of the proxied
+the DNS address specified in the Hosts header or SNI of the proxied
request. Specified endpoints will be ignored. Only supported for
MESH_EXTERNAL ServiceEntries.
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 301609c0a8..ca831379fa 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -561,14 +561,15 @@ message ServiceEntry {
// cannot be used with Unix domain socket endpoints.
DNS_ROUND_ROBIN = 3;
- // Similar to DNS, but delays request hostname resolution until runtime.
- // Initial DNS resolution returns the allocated VIP for the matching wildcard
- // hosts specified in the ServiceEntry. `DELAYED_DNS` must be used with
+ // Similar to DNS, by obtains the FQDN from the Host header or SNI to
+ // perform DNS resolution when the matching Host is a wildcard. Initial
+ // DNS resolution returns the allocated VIP for the matching wildcard
+ // hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be used with
// wildcard hosts. Depending on the traffic type, the proxy will resolve
- // the DNS address specified in the hosts header or SNI of the proxied
+ // the DNS address specified in the Hosts header or SNI of the proxied
// request. Specified endpoints will be ignored. Only supported for
// `MESH_EXTERNAL` ServiceEntries.
- DELAYED_DNS = 4;
+ DYNAMIC_DNS = 4;
}
// Service resolution mode for the hosts. Care must be taken
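Review bot: The rewritten first line of the `DYNAMIC_DNS` comment reads `Similar to DNS, by obtains the FQDN ...`; `by` should be `but`. The same comment names the header once as `Host header` and once as `Hosts header` — the HTTP request header is `Host`, so the later line should read `// the DNS address specified in the Host header or SNI of the proxied`. Since the Go aliases, pb.go and the HTML are generated from this file, fixing it here and regenerating also corrects the copies in this patch (v1 alias, pb.go, pb.html). `message ServiceEntry` starts and ends outside the hunk.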
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index 49114113f2..fbeb656497 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
@@ -101,15 +101,6 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
-// Similar to DNS, but delays request hostname resolution until runtime.
-// Initial DNS resolution returns the allocated VIP for the matching wildcard
-// hosts specified in the ServiceEntry. `DELAYED_DNS` must be used with
-// wildcard hosts. Depending on the traffic type, the proxy will resolve
-// the DNS address specified in the hosts header or SNI of the proxied
-// request. Specified endpoints will be ignored. Only supported for
-// `MESH_EXTERNAL` ServiceEntries.
-const ServiceEntry_DELAYED_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DELAYED_DNS
-
// ServicePort describes the properties of a specific port of a service.
type ServicePort = v1alpha3.ServicePort
type ServiceEntryStatus = v1alpha3.ServiceEntryStatus
From a9f0e2df7bc3f2c6ab0c770d8de2903b7a5c2c0f Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Mon, 15 Sep 2025 22:31:43 +0000
Subject: [PATCH 3/9] Clarify ambient only support and waypoint bound
requirement
Signed-off-by: Jackie Elliott
---
networking/v1/service_entry_alias.gen.go | 3 ++-
networking/v1alpha3/service_entry.pb.go | 3 ++-
networking/v1alpha3/service_entry.pb.html | 3 ++-
networking/v1alpha3/service_entry.proto | 3 ++-
networking/v1beta1/service_entry_alias.gen.go | 11 +++++++++++
5 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index 22f1c48890..d6b299ae65 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -108,7 +108,8 @@ const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEnt
// wildcard hosts. Depending on the traffic type, the proxy will resolve
// the DNS address specified in the Hosts header or SNI of the proxied
// request. Specified endpoints will be ignored. Only supported for
-// `MESH_EXTERNAL` ServiceEntries.
+// `MESH_EXTERNAL` ServiceEntries and in ambient mode. The ServiceEntry
+// must be bound to a waypoint.
const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
// ServicePort describes the properties of a specific port of a service.
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 1c7b9d2fd2..4ab31cc51e 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -524,7 +524,8 @@ const (
// wildcard hosts. Depending on the traffic type, the proxy will resolve
// the DNS address specified in the Hosts header or SNI of the proxied
// request. Specified endpoints will be ignored. Only supported for
- // `MESH_EXTERNAL` ServiceEntries.
+ // `MESH_EXTERNAL` ServiceEntries and in ambient mode. The ServiceEntry
+ // must be bound to a waypoint.
ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = 4
)
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index 9031ccec03..ffd6e4f3e2 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -619,7 +619,8 @@ Resolution
wildcard hosts. Depending on the traffic type, the proxy will resolve
the DNS address specified in the Hosts header or SNI of the proxied
request. Specified endpoints will be ignored. Only supported for
-MESH_EXTERNAL ServiceEntries.
+MESH_EXTERNAL ServiceEntries and in ambient mode. The ServiceEntry
+must be bound to a waypoint.
|
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index ca831379fa..e8f879013e 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -568,7 +568,8 @@ message ServiceEntry {
// wildcard hosts. Depending on the traffic type, the proxy will resolve
// the DNS address specified in the Hosts header or SNI of the proxied
// request. Specified endpoints will be ignored. Only supported for
- // `MESH_EXTERNAL` ServiceEntries.
+ // `MESH_EXTERNAL` ServiceEntries and in ambient mode. The ServiceEntry
+ // must be bound to a waypoint.
DYNAMIC_DNS = 4;
}
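Review bot: The added sentences state that `DYNAMIC_DNS` is only supported in ambient mode and that the ServiceEntry must be bound to a waypoint, but not what happens when either condition is unmet — a reader cannot tell whether such an entry is rejected, ignored, or falls back to plain `DNS` resolution. The ambient and waypoint conditions depend on cluster state rather than on the object, so unlike the `MESH_EXTERNAL` constraint they cannot be expressed as a CRD validation rule, and this comment is the only place an operator learns about them. I would add one sentence after the new text, e.g. `// Entries using this mode outside ambient, or not bound to a waypoint, are <rejected|ignored>.` with the placeholder replaced by the actual control-plane behaviour. The same wording appears in this patch's generated v1/v1beta1 aliases, pb.go and pb.html.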
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index fbeb656497..cf31a879f9 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
@@ -101,6 +101,17 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
+// Similar to DNS, by obtains the FQDN from the Host header or SNI to
+// perform DNS resolution when the matching Host is a wildcard. Initial
+// DNS resolution returns the allocated VIP for the matching wildcard
+// hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be used with
+// wildcard hosts. Depending on the traffic type, the proxy will resolve
+// the DNS address specified in the Hosts header or SNI of the proxied
+// request. Specified endpoints will be ignored. Only supported for
+// `MESH_EXTERNAL` ServiceEntries and in ambient mode. The ServiceEntry
+// must be bound to a waypoint.
+const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
+
// ServicePort describes the properties of a specific port of a service.
type ServicePort = v1alpha3.ServicePort
type ServiceEntryStatus = v1alpha3.ServiceEntryStatus
From 24de7bf22d04f2063c94326805d31faaba3cb2c2 Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Tue, 16 Sep 2025 00:23:56 +0000
Subject: [PATCH 4/9] Remove more complex kubebuild directive for the wildcard
host validation
Signed-off-by: Jackie Elliott
---
kubernetes/customresourcedefinitions.gen.yaml | 18 +++++++++---------
networking/v1/service_entry_alias.gen.go | 1 -
networking/v1alpha3/service_entry.pb.go | 2 +-
networking/v1alpha3/service_entry.proto | 2 +-
networking/v1beta1/service_entry_alias.gen.go | 1 -
5 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index 31cd9ee904..6e486a2711 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -7748,6 +7748,9 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != "*"
maxItems: 256
minItems: 1
type: array
@@ -7852,9 +7855,6 @@ spec:
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
- - message: hostname cannot be wildcard
- rule: '!(self.hosts == "*" && self.resolution in ["STATIC", "DNS", "DNS_ROUND_ROBIN",
- "NONE"])'
status:
properties:
conditions:
@@ -8047,6 +8047,9 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != "*"
maxItems: 256
minItems: 1
type: array
@@ -8151,9 +8154,6 @@ spec:
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
- - message: hostname cannot be wildcard
- rule: '!(self.hosts == "*" && self.resolution in ["STATIC", "DNS", "DNS_ROUND_ROBIN",
- "NONE"])'
status:
properties:
conditions:
@@ -8346,6 +8346,9 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != "*"
maxItems: 256
minItems: 1
type: array
@@ -8450,9 +8453,6 @@ spec:
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
- - message: hostname cannot be wildcard
- rule: '!(self.hosts == "*" && self.resolution in ["STATIC", "DNS", "DNS_ROUND_ROBIN",
- "NONE"])'
status:
properties:
conditions:
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index d6b299ae65..7a0dde39bb 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -38,7 +38,6 @@ import "istio.io/api/networking/v1alpha3"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, ”) == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
-// +kubebuilder:validation:XValidation:message="hostname cannot be wildcard",rule="!(self.hosts == '*' && (self.resolution) in ['STATIC', 'DNS', 'DNS_ROUND_ROBIN', 'NONE'])"
type ServiceEntry = v1alpha3.ServiceEntry
// Location specifies whether the service is part of Istio mesh or
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 4ab31cc51e..a23d55e4c0 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -609,7 +609,6 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, ”) == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
-// +kubebuilder:validation:XValidation:message="hostname cannot be wildcard",rule="!(self.hosts == '*' && (self.resolution) in ['STATIC', 'DNS', 'DNS_ROUND_ROBIN', 'NONE'])"
type ServiceEntry struct {
state protoimpl.MessageState `protogen:"open.v1"`
// The hosts associated with the ServiceEntry. Could be a DNS
@@ -638,6 +637,7 @@ type ServiceEntry struct {
//
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=256
+ // +protoc-gen-crd:list-value-validation:XValidation:message="hostname cannot be wildcard",rule="self != '*'"
Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"`
// The virtual IP addresses associated with the service. Could be CIDR
// prefix. For HTTP traffic, generated route configurations will include http route
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index e8f879013e..cf746f52cc 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -440,7 +440,6 @@ option go_package = "istio.io/api/networking/v1alpha3";
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, '') == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
-// +kubebuilder:validation:XValidation:message="hostname cannot be wildcard",rule="!(self.hosts == '*' && (self.resolution) in ['STATIC', 'DNS', 'DNS_ROUND_ROBIN', 'NONE'])"
message ServiceEntry {
// The hosts associated with the ServiceEntry. Could be a DNS
// name with wildcard prefix.
@@ -467,6 +466,7 @@ message ServiceEntry {
// SANs specified here will also be verified.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=256
+ // +protoc-gen-crd:list-value-validation:XValidation:message="hostname cannot be wildcard",rule="self != '*'"
repeated string hosts = 1 [(google.api.field_behavior) = REQUIRED];
// The virtual IP addresses associated with the service. Could be CIDR
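Review bot: The new list-value rule on L708 rejects a bare `*` host for every resolution mode, so a ServiceEntry whose only host is `*` can no longer be created even with the dynamic resolution type this series adds, and the `hosts` doc just above ("Could be a DNS name with wildcard prefix") does not say that. If rejecting `*` is intentional, say so where the rule lives, e.g. `// A bare "*" is never accepted; a wildcard must carry a domain suffix such as "*.example.com".` If it is not intentional, a per-item rule cannot see `resolution`, so the exemption has to go back to a message-level rule such as `!(self.hosts.exists(h, h == '*') && default(self.resolution, 'NONE') != 'DYNAMIC_DNS')` — note that a bare `*` combined with a mode that resolves whatever the client asks for is effectively an unrestricted egress entry, so the stricter default seems the safer one to document.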
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index cf31a879f9..1494a539cb 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
@@ -38,7 +38,6 @@ import "istio.io/api/networking/v1alpha3"
// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, ”) == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
-// +kubebuilder:validation:XValidation:message="hostname cannot be wildcard",rule="!(self.hosts == '*' && (self.resolution) in ['STATIC', 'DNS', 'DNS_ROUND_ROBIN', 'NONE'])"
type ServiceEntry = v1alpha3.ServiceEntry
// Location specifies whether the service is part of Istio mesh or
From c3e9abf9510483234e9f6ebbd4ce09831a37df04 Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Tue, 16 Sep 2025 00:33:48 +0000
Subject: [PATCH 5/9] Add release note
Signed-off-by: Jackie Elliott
---
releasenotes/notes/dynamic-dns-resolution.yaml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 releasenotes/notes/dynamic-dns-resolution.yaml
diff --git a/releasenotes/notes/dynamic-dns-resolution.yaml b/releasenotes/notes/dynamic-dns-resolution.yaml
new file mode 100644
index 0000000000..c3c0139bfe
--- /dev/null
+++ b/releasenotes/notes/dynamic-dns-resolution.yaml
@@ -0,0 +1,11 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+ - https://github.com/istio/istio/issues/54540
+
+releaseNotes:
+ - |
+ **Added** a new `DYNAMIC_DNS` resolution option for `ServiceEntry` to enable
+ dynamic DNS resolution based on the request's Host header or SNI when the
+ ServiceEntry has a wildcard host.
From 34fb708b2768a9ea9e46dc1fdbe329a6db544a44 Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Tue, 16 Sep 2025 21:10:43 +0000
Subject: [PATCH 6/9] Fix nits
Signed-off-by: Jackie Elliott
---
networking/v1/service_entry_alias.gen.go | 18 +++++++++---------
networking/v1alpha3/service_entry.pb.go | 18 +++++++++---------
networking/v1alpha3/service_entry.pb.html | 18 +++++++++---------
networking/v1alpha3/service_entry.proto | 18 +++++++++---------
networking/v1beta1/service_entry_alias.gen.go | 18 +++++++++---------
5 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index 7a0dde39bb..a2eaa942db 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -100,15 +100,15 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
-// Similar to DNS, by obtains the FQDN from the Host header or SNI to
-// perform DNS resolution when the matching Host is a wildcard. Initial
-// DNS resolution returns the allocated VIP for the matching wildcard
-// hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be used with
-// wildcard hosts. Depending on the traffic type, the proxy will resolve
-// the DNS address specified in the Hosts header or SNI of the proxied
-// request. Specified endpoints will be ignored. Only supported for
-// `MESH_EXTERNAL` ServiceEntries and in ambient mode. The ServiceEntry
-// must be bound to a waypoint.
+// Similar to DNS, but obtains the FQDN from the Host header or SNI to
+// perform DNS resolution when the matching Host is a wildcard. Client
+// initiated DNS resolution returns the allocated VIP for the matching
+// wildcard hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be
+// used with wildcard hosts. Depending on the traffic type, the proxy
+// will resolve the DNS address specified in the Hosts header or SNI of
+// the proxied request. Specified endpoints will be ignored. Only
+// supported for `MESH_EXTERNAL` ServiceEntries and in ambient mode.
+// The ServiceEntry must be bound to a waypoint.
const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
// ServicePort describes the properties of a specific port of a service.
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index a23d55e4c0..e8aeaa0682 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -517,15 +517,15 @@ const (
// specified in the hosts field, if wildcards are not used. DNS resolution
// cannot be used with Unix domain socket endpoints.
ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = 3
- // Similar to DNS, by obtains the FQDN from the Host header or SNI to
- // perform DNS resolution when the matching Host is a wildcard. Initial
- // DNS resolution returns the allocated VIP for the matching wildcard
- // hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be used with
- // wildcard hosts. Depending on the traffic type, the proxy will resolve
- // the DNS address specified in the Hosts header or SNI of the proxied
- // request. Specified endpoints will be ignored. Only supported for
- // `MESH_EXTERNAL` ServiceEntries and in ambient mode. The ServiceEntry
- // must be bound to a waypoint.
+ // Similar to DNS, but obtains the FQDN from the Host header or SNI to
+ // perform DNS resolution when the matching Host is a wildcard. Client
+ // initiated DNS resolution returns the allocated VIP for the matching
+ // wildcard hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be
+ // used with wildcard hosts. Depending on the traffic type, the proxy
+ // will resolve the DNS address specified in the Hosts header or SNI of
+ // the proxied request. Specified endpoints will be ignored. Only
+ // supported for `MESH_EXTERNAL` ServiceEntries and in ambient mode.
+ // The ServiceEntry must be bound to a waypoint.
ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = 4
)
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index ffd6e4f3e2..b5b7426a3c 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -612,15 +612,15 @@ Resolution
DYNAMIC_DNS |
- Similar to DNS, by obtains the FQDN from the Host header or SNI to
-perform DNS resolution when the matching Host is a wildcard. Initial
-DNS resolution returns the allocated VIP for the matching wildcard
-hosts specified in the ServiceEntry. DYNAMIC_DNS must be used with
-wildcard hosts. Depending on the traffic type, the proxy will resolve
-the DNS address specified in the Hosts header or SNI of the proxied
-request. Specified endpoints will be ignored. Only supported for
-MESH_EXTERNAL ServiceEntries and in ambient mode. The ServiceEntry
-must be bound to a waypoint.
+Similar to DNS, but obtains the FQDN from the Host header or SNI to
+perform DNS resolution when the matching Host is a wildcard. Client
+initiated DNS resolution returns the allocated VIP for the matching
+wildcard hosts specified in the ServiceEntry. DYNAMIC_DNS must be
+used with wildcard hosts. Depending on the traffic type, the proxy
+will resolve the DNS address specified in the Hosts header or SNI of
+the proxied request. Specified endpoints will be ignored. Only
+supported for MESH_EXTERNAL ServiceEntries and in ambient mode.
+The ServiceEntry must be bound to a waypoint.
|
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index cf746f52cc..4b36d8b14d 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -561,15 +561,15 @@ message ServiceEntry {
// cannot be used with Unix domain socket endpoints.
DNS_ROUND_ROBIN = 3;
- // Similar to DNS, by obtains the FQDN from the Host header or SNI to
- // perform DNS resolution when the matching Host is a wildcard. Initial
- // DNS resolution returns the allocated VIP for the matching wildcard
- // hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be used with
- // wildcard hosts. Depending on the traffic type, the proxy will resolve
- // the DNS address specified in the Hosts header or SNI of the proxied
- // request. Specified endpoints will be ignored. Only supported for
- // `MESH_EXTERNAL` ServiceEntries and in ambient mode. The ServiceEntry
- // must be bound to a waypoint.
+ // Similar to DNS, but obtains the FQDN from the Host header or SNI to
+ // perform DNS resolution when the matching Host is a wildcard. Client
+ // initiated DNS resolution returns the allocated VIP for the matching
+ // wildcard hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be
+ // used with wildcard hosts. Depending on the traffic type, the proxy
+ // will resolve the DNS address specified in the Hosts header or SNI of
+ // the proxied request. Specified endpoints will be ignored. Only
+ // supported for `MESH_EXTERNAL` ServiceEntries and in ambient mode.
+ // The ServiceEntry must be bound to a waypoint.
DYNAMIC_DNS = 4;
}
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index 1494a539cb..bf795d2d8d 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
@@ -100,15 +100,15 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
-// Similar to DNS, by obtains the FQDN from the Host header or SNI to
-// perform DNS resolution when the matching Host is a wildcard. Initial
-// DNS resolution returns the allocated VIP for the matching wildcard
-// hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be used with
-// wildcard hosts. Depending on the traffic type, the proxy will resolve
-// the DNS address specified in the Hosts header or SNI of the proxied
-// request. Specified endpoints will be ignored. Only supported for
-// `MESH_EXTERNAL` ServiceEntries and in ambient mode. The ServiceEntry
-// must be bound to a waypoint.
+// Similar to DNS, but obtains the FQDN from the Host header or SNI to
+// perform DNS resolution when the matching Host is a wildcard. Client
+// initiated DNS resolution returns the allocated VIP for the matching
+// wildcard hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be
+// used with wildcard hosts. Depending on the traffic type, the proxy
+// will resolve the DNS address specified in the Hosts header or SNI of
+// the proxied request. Specified endpoints will be ignored. Only
+// supported for `MESH_EXTERNAL` ServiceEntries and in ambient mode.
+// The ServiceEntry must be bound to a waypoint.
const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
// ServicePort describes the properties of a specific port of a service.
From 4b7cb6b513c3e19aa0287fa9073e8ccc2bbe14af Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Wed, 17 Sep 2025 20:48:21 +0000
Subject: [PATCH 7/9] Respond to comments
Signed-off-by: Jackie Elliott
---
networking/v1/service_entry_alias.gen.go | 21 +++++++++++--------
networking/v1alpha3/service_entry.pb.go | 21 +++++++++++--------
networking/v1alpha3/service_entry.pb.html | 21 +++++++++++--------
networking/v1alpha3/service_entry.proto | 21 +++++++++++--------
networking/v1beta1/service_entry_alias.gen.go | 21 +++++++++++--------
5 files changed, 60 insertions(+), 45 deletions(-)
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index a2eaa942db..9352d830e2 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -100,15 +100,18 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
-// Similar to DNS, but obtains the FQDN from the Host header or SNI to
-// perform DNS resolution when the matching Host is a wildcard. Client
-// initiated DNS resolution returns the allocated VIP for the matching
-// wildcard hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be
-// used with wildcard hosts. Depending on the traffic type, the proxy
-// will resolve the DNS address specified in the Hosts header or SNI of
-// the proxied request. Specified endpoints will be ignored. Only
-// supported for `MESH_EXTERNAL` ServiceEntries and in ambient mode.
-// The ServiceEntry must be bound to a waypoint.
+// DYNAMIC_DNS will attempt to resolve the host name specified in
+// the Host header or SNI to an IP address when handling traffic. This
+// is particularly useful when multiple dns addresses can be represented
+// by a single wildcard `host` entry without having to explicitly
+// enumerate all possible endpoints. DYNAMIC_DNS resolution when
+// egressing the mesh returns the allocated VIP for the matching
+// wildcard `hosts` specified in the ServiceEntry. Depending on the
+// traffic type, the proxy will resolve the address specified in the
+// Hosts header or SNI of the proxied request. `DYNAMIC_DNS` is
+// only supported for wildcard hosts, `MESH_EXTERNAL` location and in
+// ambient mode. The ServiceEntry must be bound to a waypoint. Specified
+// endpoints will be ignored.
const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
// ServicePort describes the properties of a specific port of a service.
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index e8aeaa0682..bf17af87f5 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -517,15 +517,18 @@ const (
// specified in the hosts field, if wildcards are not used. DNS resolution
// cannot be used with Unix domain socket endpoints.
ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = 3
- // Similar to DNS, but obtains the FQDN from the Host header or SNI to
- // perform DNS resolution when the matching Host is a wildcard. Client
- // initiated DNS resolution returns the allocated VIP for the matching
- // wildcard hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be
- // used with wildcard hosts. Depending on the traffic type, the proxy
- // will resolve the DNS address specified in the Hosts header or SNI of
- // the proxied request. Specified endpoints will be ignored. Only
- // supported for `MESH_EXTERNAL` ServiceEntries and in ambient mode.
- // The ServiceEntry must be bound to a waypoint.
+ // DYNAMIC_DNS will attempt to resolve the host name specified in
+ // the Host header or SNI to an IP address when handling traffic. This
+ // is particularly useful when multiple dns addresses can be represented
+ // by a single wildcard `host` entry without having to explicitly
+ // enumerate all possible endpoints. DYNAMIC_DNS resolution when
+ // egressing the mesh returns the allocated VIP for the matching
+ // wildcard `hosts` specified in the ServiceEntry. Depending on the
+ // traffic type, the proxy will resolve the address specified in the
+ // Hosts header or SNI of the proxied request. `DYNAMIC_DNS` is
+ // only supported for wildcard hosts, `MESH_EXTERNAL` location and in
+ // ambient mode. The ServiceEntry must be bound to a waypoint. Specified
+ // endpoints will be ignored.
ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = 4
)
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index b5b7426a3c..f6e8995aa2 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -612,15 +612,18 @@ Resolution
DYNAMIC_DNS |
- Similar to DNS, but obtains the FQDN from the Host header or SNI to
-perform DNS resolution when the matching Host is a wildcard. Client
-initiated DNS resolution returns the allocated VIP for the matching
-wildcard hosts specified in the ServiceEntry. DYNAMIC_DNS must be
-used with wildcard hosts. Depending on the traffic type, the proxy
-will resolve the DNS address specified in the Hosts header or SNI of
-the proxied request. Specified endpoints will be ignored. Only
-supported for MESH_EXTERNAL ServiceEntries and in ambient mode.
-The ServiceEntry must be bound to a waypoint.
+DYNAMIC_DNS will attempt to resolve the host name specified in
+the Host header or SNI to an IP address when handling traffic. This
+is particularly useful when multiple dns addresses can be represented
+by a single wildcard host entry without having to explicitly
+enumerate all possible endpoints. DYNAMIC_DNS resolution when
+egressing the mesh returns the allocated VIP for the matching
+wildcard hosts specified in the ServiceEntry. Depending on the
+traffic type, the proxy will resolve the address specified in the
+Hosts header or SNI of the proxied request. DYNAMIC_DNS is
+only supported for wildcard hosts, MESH_EXTERNAL location and in
+ambient mode. The ServiceEntry must be bound to a waypoint. Specified
+endpoints will be ignored.
|
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 4b36d8b14d..4bd633bfa8 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -561,15 +561,18 @@ message ServiceEntry {
// cannot be used with Unix domain socket endpoints.
DNS_ROUND_ROBIN = 3;
- // Similar to DNS, but obtains the FQDN from the Host header or SNI to
- // perform DNS resolution when the matching Host is a wildcard. Client
- // initiated DNS resolution returns the allocated VIP for the matching
- // wildcard hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be
- // used with wildcard hosts. Depending on the traffic type, the proxy
- // will resolve the DNS address specified in the Hosts header or SNI of
- // the proxied request. Specified endpoints will be ignored. Only
- // supported for `MESH_EXTERNAL` ServiceEntries and in ambient mode.
- // The ServiceEntry must be bound to a waypoint.
+ // DYNAMIC_DNS will attempt to resolve the host name specified in
+ // the Host header or SNI to an IP address when handling traffic. This
+ // is particularly useful when multiple dns addresses can be represented
+ // by a single wildcard `host` entry without having to explicitly
+ // enumerate all possible endpoints. DYNAMIC_DNS resolution when
+ // egressing the mesh returns the allocated VIP for the matching
+ // wildcard `hosts` specified in the ServiceEntry. Depending on the
+ // traffic type, the proxy will resolve the address specified in the
+ // Hosts header or SNI of the proxied request. `DYNAMIC_DNS` is
+ // only supported for wildcard hosts, `MESH_EXTERNAL` location and in
+ // ambient mode. The ServiceEntry must be bound to a waypoint. Specified
+ // endpoints will be ignored.
DYNAMIC_DNS = 4;
}
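Review bot: The constraints this comment states for `DYNAMIC_DNS` (wildcard hosts only, `MESH_EXTERNAL` location, endpoints ignored) are documentation only; nothing visible in this series adds a CEL rule for them, whereas the neighbouring modes are enforced by the `XValidation` rules at the top of the message (e.g. `NONE mode cannot set endpoints`). A silently ignored `endpoints` list is a footgun: an operator who pins endpoints for a wildcard host will assume traffic stays on them, not that it follows whatever Host/SNI the client sends. Unless the control plane rejects these at admission, consider a message-level rule alongside the existing ones, e.g. `// +kubebuilder:validation:XValidation:message="DYNAMIC_DNS requires wildcard hosts, MESH_EXTERNAL location and no endpoints",rule="default(self.resolution, 'NONE') == 'DYNAMIC_DNS' ? (self.hosts.all(h, h.startsWith('*.')) && default(self.location, 'MESH_EXTERNAL') == 'MESH_EXTERNAL' && !has(self.endpoints)) : true"` (adjust the location default to the enum's zero value). Either way the comment should state whether a non-conforming entry is rejected or accepted with the endpoints dropped, and `Hosts header` on the line before the constraints should read `Host header`.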
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index bf795d2d8d..cccb6a883e 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
@@ -100,15 +100,18 @@ const ServiceEntry_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS
// cannot be used with Unix domain socket endpoints.
const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEntry_DNS_ROUND_ROBIN
-// Similar to DNS, but obtains the FQDN from the Host header or SNI to
-// perform DNS resolution when the matching Host is a wildcard. Client
-// initiated DNS resolution returns the allocated VIP for the matching
-// wildcard hosts specified in the ServiceEntry. `DYNAMIC_DNS` must be
-// used with wildcard hosts. Depending on the traffic type, the proxy
-// will resolve the DNS address specified in the Hosts header or SNI of
-// the proxied request. Specified endpoints will be ignored. Only
-// supported for `MESH_EXTERNAL` ServiceEntries and in ambient mode.
-// The ServiceEntry must be bound to a waypoint.
+// DYNAMIC_DNS will attempt to resolve the host name specified in
+// the Host header or SNI to an IP address when handling traffic. This
+// is particularly useful when multiple dns addresses can be represented
+// by a single wildcard `host` entry without having to explicitly
+// enumerate all possible endpoints. DYNAMIC_DNS resolution when
+// egressing the mesh returns the allocated VIP for the matching
+// wildcard `hosts` specified in the ServiceEntry. Depending on the
+// traffic type, the proxy will resolve the address specified in the
+// Hosts header or SNI of the proxied request. `DYNAMIC_DNS` is
+// only supported for wildcard hosts, `MESH_EXTERNAL` location and in
+// ambient mode. The ServiceEntry must be bound to a waypoint. Specified
+// endpoints will be ignored.
const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
// ServicePort describes the properties of a specific port of a service.
From 5db16d3dc66b8a6398c6196ee863e8dab95a6e3d Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Fri, 19 Sep 2025 20:31:43 +0000
Subject: [PATCH 8/9] Clarify impact of dynamic dns on captured dns
Signed-off-by: Jackie Elliott
---
networking/v1/service_entry_alias.gen.go | 19 +++++++++++--------
networking/v1alpha3/service_entry.pb.go | 19 +++++++++++--------
networking/v1alpha3/service_entry.pb.html | 19 +++++++++++--------
networking/v1alpha3/service_entry.proto | 19 +++++++++++--------
networking/v1beta1/service_entry_alias.gen.go | 19 +++++++++++--------
5 files changed, 55 insertions(+), 40 deletions(-)
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index 9352d830e2..18aa51a1e6 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -104,14 +104,17 @@ const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEnt
// the Host header or SNI to an IP address when handling traffic. This
// is particularly useful when multiple dns addresses can be represented
// by a single wildcard `host` entry without having to explicitly
-// enumerate all possible endpoints. DYNAMIC_DNS resolution when
-// egressing the mesh returns the allocated VIP for the matching
-// wildcard `hosts` specified in the ServiceEntry. Depending on the
-// traffic type, the proxy will resolve the address specified in the
-// Hosts header or SNI of the proxied request. `DYNAMIC_DNS` is
-// only supported for wildcard hosts, `MESH_EXTERNAL` location and in
-// ambient mode. The ServiceEntry must be bound to a waypoint. Specified
-// endpoints will be ignored.
+// enumerate all possible endpoints. During DNS proxying, ztunnel will
+// resolve all subdomains matching the wildcard host name to a VIP which
+// isn't used for routing outside the mesh. `DYNAMIC_DNS` will provide
+// configuration to a waypoint proxy to recover the original host name
+// using information from SNI or a Host header in an HTTP Request. This
+// original host name will then be resolved so that traffic can be routed
+// to the intended IP address. This method of handling wildcard traffic
+// is not compatible with raw TCP traffic where the original host cannot
+// be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+// `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+// be bound to a waypoint. Specified endpoints will be ignored.
const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
// ServicePort describes the properties of a specific port of a service.
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index bf17af87f5..c4ed91d033 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -521,14 +521,17 @@ const (
// the Host header or SNI to an IP address when handling traffic. This
// is particularly useful when multiple dns addresses can be represented
// by a single wildcard `host` entry without having to explicitly
- // enumerate all possible endpoints. DYNAMIC_DNS resolution when
- // egressing the mesh returns the allocated VIP for the matching
- // wildcard `hosts` specified in the ServiceEntry. Depending on the
- // traffic type, the proxy will resolve the address specified in the
- // Hosts header or SNI of the proxied request. `DYNAMIC_DNS` is
- // only supported for wildcard hosts, `MESH_EXTERNAL` location and in
- // ambient mode. The ServiceEntry must be bound to a waypoint. Specified
- // endpoints will be ignored.
+ // enumerate all possible endpoints. During DNS proxying, ztunnel will
+ // resolve all subdomains matching the wildcard host name to a VIP which
+ // isn't used for routing outside the mesh. `DYNAMIC_DNS` will provide
+ // configuration to a waypoint proxy to recover the original host name
+ // using information from SNI or a Host header in an HTTP Request. This
+ // original host name will then be resolved so that traffic can be routed
+ // to the intended IP address. This method of handling wildcard traffic
+ // is not compatible with raw TCP traffic where the original host cannot
+ // be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+ // `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+ // be bound to a waypoint. Specified endpoints will be ignored.
ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = 4
)
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index f6e8995aa2..5729fc61e8 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -616,14 +616,17 @@ Resolution
the Host header or SNI to an IP address when handling traffic. This
is particularly useful when multiple dns addresses can be represented
by a single wildcard host
entry without having to explicitly
-enumerate all possible endpoints. DYNAMIC_DNS resolution when
-egressing the mesh returns the allocated VIP for the matching
-wildcard hosts
specified in the ServiceEntry. Depending on the
-traffic type, the proxy will resolve the address specified in the
-Hosts header or SNI of the proxied request. DYNAMIC_DNS
is
-only supported for wildcard hosts, MESH_EXTERNAL
location and in
-ambient mode. The ServiceEntry must be bound to a waypoint. Specified
-endpoints will be ignored.
+enumerate all possible endpoints. During DNS proxying, ztunnel will
+resolve all subdomains matching the wildcard host name to a VIP which
+isn’t used for routing outside the mesh. DYNAMIC_DNS
will provide
+configuration to a waypoint proxy to recover the original host name
+using information from SNI or a Host header in an HTTP Request. This
+original host name will then be resolved so that traffic can be routed
+to the intended IP address. This method of handling wildcard traffic
+is not compatible with raw TCP traffic where the original host cannot
+be recovered. DYNAMIC_DNS
is only supported for wildcard hosts,
+MESH_EXTERNAL
location and in ambient mode. The ServiceEntry must
+be bound to a waypoint. Specified endpoints will be ignored.
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 4bd633bfa8..649be37df2 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -565,14 +565,17 @@ message ServiceEntry {
// the Host header or SNI to an IP address when handling traffic. This
// is particularly useful when multiple dns addresses can be represented
// by a single wildcard `host` entry without having to explicitly
- // enumerate all possible endpoints. DYNAMIC_DNS resolution when
- // egressing the mesh returns the allocated VIP for the matching
- // wildcard `hosts` specified in the ServiceEntry. Depending on the
- // traffic type, the proxy will resolve the address specified in the
- // Hosts header or SNI of the proxied request. `DYNAMIC_DNS` is
- // only supported for wildcard hosts, `MESH_EXTERNAL` location and in
- // ambient mode. The ServiceEntry must be bound to a waypoint. Specified
- // endpoints will be ignored.
+ // enumerate all possible endpoints. During DNS proxying, ztunnel will
+ // resolve all subdomains matching the wildcard host name to a VIP which
+ // isn't used for routing outside the mesh. `DYNAMIC_DNS` will provide
+ // configuration to a waypoint proxy to recover the original host name
+ // using information from SNI or a Host header in an HTTP Request. This
+ // original host name will then be resolved so that traffic can be routed
+ // to the intended IP address. This method of handling wildcard traffic
+ // is not compatible with raw TCP traffic where the original host cannot
+ // be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+ // `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+ // be bound to a waypoint. Specified endpoints will be ignored.
DYNAMIC_DNS = 4;
}
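Review bot: The new DYNAMIC_DNS comment says the waypoint recovers the original host name from SNI or the HTTP Host header, but it does not say whether that recovered name must still match this ServiceEntry's wildcard `hosts` before it is resolved; both values are client-supplied, so a reader cannot tell from this text whether a request reaching the VIP with an unrelated host name is resolved and forwarded or dropped. Since the .pb.go, .pb.html and alias .gen.go copies are generated from this comment, the .proto text is the place to state it, for example `// The recovered host name must match this ServiceEntry's wildcard hosts before it is resolved; other SNI or Host values are not forwarded.`, adjusted to what the waypoint actually enforces. The reworded version of the same comment in PATCH 9/9 (the later service_entry.proto hunk) has the same gap. The enclosing Resolution enum starts outside this hunk.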
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index cccb6a883e..e6b2edbd20 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
@@ -104,14 +104,17 @@ const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEnt
// the Host header or SNI to an IP address when handling traffic. This
// is particularly useful when multiple dns addresses can be represented
// by a single wildcard `host` entry without having to explicitly
-// enumerate all possible endpoints. DYNAMIC_DNS resolution when
-// egressing the mesh returns the allocated VIP for the matching
-// wildcard `hosts` specified in the ServiceEntry. Depending on the
-// traffic type, the proxy will resolve the address specified in the
-// Hosts header or SNI of the proxied request. `DYNAMIC_DNS` is
-// only supported for wildcard hosts, `MESH_EXTERNAL` location and in
-// ambient mode. The ServiceEntry must be bound to a waypoint. Specified
-// endpoints will be ignored.
+// enumerate all possible endpoints. During DNS proxying, ztunnel will
+// resolve all subdomains matching the wildcard host name to a VIP which
+// isn't used for routing outside the mesh. `DYNAMIC_DNS` will provide
+// configuration to a waypoint proxy to recover the original host name
+// using information from SNI or a Host header in an HTTP Request. This
+// original host name will then be resolved so that traffic can be routed
+// to the intended IP address. This method of handling wildcard traffic
+// is not compatible with raw TCP traffic where the original host cannot
+// be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+// `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+// be bound to a waypoint. Specified endpoints will be ignored.
const ServiceEntry_DYNAMIC_DNS ServiceEntry_Resolution = v1alpha3.ServiceEntry_DYNAMIC_DNS
// ServicePort describes the properties of a specific port of a service.
From 3b2992d8999c279cbc23552be9c1d8a2d1c8382e Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Tue, 23 Sep 2025 20:00:24 +0000
Subject: [PATCH 9/9] Clarify intended use
Signed-off-by: Jackie Elliott
---
networking/v1/service_entry_alias.gen.go | 20 +++++++++----------
networking/v1alpha3/service_entry.pb.go | 20 +++++++++----------
networking/v1alpha3/service_entry.pb.html | 20 +++++++++----------
networking/v1alpha3/service_entry.proto | 20 +++++++++----------
networking/v1beta1/service_entry_alias.gen.go | 20 +++++++++----------
5 files changed, 50 insertions(+), 50 deletions(-)
diff --git a/networking/v1/service_entry_alias.gen.go b/networking/v1/service_entry_alias.gen.go
index 18aa51a1e6..4f459d5336 100644
--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@@ -102,16 +102,16 @@ const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEnt
// DYNAMIC_DNS will attempt to resolve the host name specified in
// the Host header or SNI to an IP address when handling traffic. This
-// is particularly useful when multiple dns addresses can be represented
-// by a single wildcard `host` entry without having to explicitly
-// enumerate all possible endpoints. During DNS proxying, ztunnel will
-// resolve all subdomains matching the wildcard host name to a VIP which
-// isn't used for routing outside the mesh. `DYNAMIC_DNS` will provide
-// configuration to a waypoint proxy to recover the original host name
-// using information from SNI or a Host header in an HTTP Request. This
-// original host name will then be resolved so that traffic can be routed
-// to the intended IP address. This method of handling wildcard traffic
-// is not compatible with raw TCP traffic where the original host cannot
+// allows multiple DNS addresses to be represented by a single wildcard
+// `host` entry without having to explicitly enumerate all possible
+// endpoints. During DNS proxying, ztunnel will resolve all subdomains
+// matching the wildcard host name to a VIP which isn't used for routing
+// outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+// waypoint proxy to recover the original host name using information
+// from SNI or a Host header in an HTTP Request. This original host name
+// will then be resolved so that traffic can be routed to the intended
+// IP address. This method of handling wildcard traffic is not
+// compatible with raw TCP traffic where the original host cannot
// be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
// `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
// be bound to a waypoint. Specified endpoints will be ignored.
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index c4ed91d033..5069fa1c72 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -519,16 +519,16 @@ const (
ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = 3
// DYNAMIC_DNS will attempt to resolve the host name specified in
// the Host header or SNI to an IP address when handling traffic. This
- // is particularly useful when multiple dns addresses can be represented
- // by a single wildcard `host` entry without having to explicitly
- // enumerate all possible endpoints. During DNS proxying, ztunnel will
- // resolve all subdomains matching the wildcard host name to a VIP which
- // isn't used for routing outside the mesh. `DYNAMIC_DNS` will provide
- // configuration to a waypoint proxy to recover the original host name
- // using information from SNI or a Host header in an HTTP Request. This
- // original host name will then be resolved so that traffic can be routed
- // to the intended IP address. This method of handling wildcard traffic
- // is not compatible with raw TCP traffic where the original host cannot
+ // allows multiple DNS addresses to be represented by a single wildcard
+ // `host` entry without having to explicitly enumerate all possible
+ // endpoints. During DNS proxying, ztunnel will resolve all subdomains
+ // matching the wildcard host name to a VIP which isn't used for routing
+ // outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+ // waypoint proxy to recover the original host name using information
+ // from SNI or a Host header in an HTTP Request. This original host name
+ // will then be resolved so that traffic can be routed to the intended
+ // IP address. This method of handling wildcard traffic is not
+ // compatible with raw TCP traffic where the original host cannot
// be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
// `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
// be bound to a waypoint. Specified endpoints will be ignored.
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index 5729fc61e8..dcd7b3b73c 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -614,16 +614,16 @@ Resolution
DYNAMIC_DNS will attempt to resolve the host name specified in
the Host header or SNI to an IP address when handling traffic. This
-is particularly useful when multiple dns addresses can be represented
-by a single wildcard host entry without having to explicitly
-enumerate all possible endpoints. During DNS proxying, ztunnel will
-resolve all subdomains matching the wildcard host name to a VIP which
-isn’t used for routing outside the mesh. DYNAMIC_DNS will provide
-configuration to a waypoint proxy to recover the original host name
-using information from SNI or a Host header in an HTTP Request. This
-original host name will then be resolved so that traffic can be routed
-to the intended IP address. This method of handling wildcard traffic
-is not compatible with raw TCP traffic where the original host cannot
+allows multiple DNS addresses to be represented by a single wildcard
+host entry without having to explicitly enumerate all possible
+endpoints. During DNS proxying, ztunnel will resolve all subdomains
+matching the wildcard host name to a VIP which isn’t used for routing
+outside the mesh. DYNAMIC_DNS will provide configuration to a
+waypoint proxy to recover the original host name using information
+from SNI or a Host header in an HTTP Request. This original host name
+will then be resolved so that traffic can be routed to the intended
+IP address. This method of handling wildcard traffic is not
+compatible with raw TCP traffic where the original host cannot
be recovered. DYNAMIC_DNS is only supported for wildcard hosts,
MESH_EXTERNAL location and in ambient mode. The ServiceEntry must
be bound to a waypoint. Specified endpoints will be ignored.
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 649be37df2..88df4203bd 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -563,16 +563,16 @@ message ServiceEntry {
// DYNAMIC_DNS will attempt to resolve the host name specified in
// the Host header or SNI to an IP address when handling traffic. This
- // is particularly useful when multiple dns addresses can be represented
- // by a single wildcard `host` entry without having to explicitly
- // enumerate all possible endpoints. During DNS proxying, ztunnel will
- // resolve all subdomains matching the wildcard host name to a VIP which
- // isn't used for routing outside the mesh. `DYNAMIC_DNS` will provide
- // configuration to a waypoint proxy to recover the original host name
- // using information from SNI or a Host header in an HTTP Request. This
- // original host name will then be resolved so that traffic can be routed
- // to the intended IP address. This method of handling wildcard traffic
- // is not compatible with raw TCP traffic where the original host cannot
+ // allows multiple DNS addresses to be represented by a single wildcard
+ // `host` entry without having to explicitly enumerate all possible
+ // endpoints. During DNS proxying, ztunnel will resolve all subdomains
+ // matching the wildcard host name to a VIP which isn't used for routing
+ // outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+ // waypoint proxy to recover the original host name using information
+ // from SNI or a Host header in an HTTP Request. This original host name
+ // will then be resolved so that traffic can be routed to the intended
+ // IP address. This method of handling wildcard traffic is not
+ // compatible with raw TCP traffic where the original host cannot
// be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
// `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
// be bound to a waypoint. Specified endpoints will be ignored.
diff --git a/networking/v1beta1/service_entry_alias.gen.go b/networking/v1beta1/service_entry_alias.gen.go
index e6b2edbd20..210b52c62c 100644
--- a/networking/v1beta1/service_entry_alias.gen.go
+++ b/networking/v1beta1/service_entry_alias.gen.go
@@ -102,16 +102,16 @@ const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEnt
// DYNAMIC_DNS will attempt to resolve the host name specified in
// the Host header or SNI to an IP address when handling traffic. This
-// is particularly useful when multiple dns addresses can be represented
-// by a single wildcard `host` entry without having to explicitly
-// enumerate all possible endpoints. During DNS proxying, ztunnel will
-// resolve all subdomains matching the wildcard host name to a VIP which
-// isn't used for routing outside the mesh. `DYNAMIC_DNS` will provide
-// configuration to a waypoint proxy to recover the original host name
-// using information from SNI or a Host header in an HTTP Request. This
-// original host name will then be resolved so that traffic can be routed
-// to the intended IP address. This method of handling wildcard traffic
-// is not compatible with raw TCP traffic where the original host cannot
+// allows multiple DNS addresses to be represented by a single wildcard
+// `host` entry without having to explicitly enumerate all possible
+// endpoints. During DNS proxying, ztunnel will resolve all subdomains
+// matching the wildcard host name to a VIP which isn't used for routing
+// outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+// waypoint proxy to recover the original host name using information
+// from SNI or a Host header in an HTTP Request. This original host name
+// will then be resolved so that traffic can be routed to the intended
+// IP address. This method of handling wildcard traffic is not
+// compatible with raw TCP traffic where the original host cannot
// be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
// `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
// be bound to a waypoint. Specified endpoints will be ignored.