
Add support for wildcard specifier anywhere in SNI pattern #43674

Merged: fristonio merged 3 commits into cilium:main from fristonio:pr/fristonio/sni-pattern-wildcard-support on Feb 17, 2026

Conversation

@fristonio (Member) commented:

See commit message for more details.

Depends On: cilium/proxy#1693
Fixes #43597

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 11, 2026
@github-actions github-actions bot added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Jan 11, 2026
@fristonio fristonio added area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Jan 11, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 11, 2026
@joestringer joestringer added dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs upgrade-impact This PR has potential upgrade or downgrade impact. labels Jan 12, 2026
@aanm aanm removed the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Jan 14, 2026
@fristonio fristonio force-pushed the pr/fristonio/sni-pattern-wildcard-support branch 2 times, most recently from e52154f to f199c81 Compare February 10, 2026 23:53
@fristonio (Member, Author) commented:

/test

@fristonio fristonio marked this pull request as ready for review February 13, 2026 17:00
@fristonio fristonio requested review from a team as code owners February 13, 2026 17:00
@fristonio fristonio force-pushed the pr/fristonio/sni-pattern-wildcard-support branch from c5c65a5 to ad6442b Compare February 13, 2026 20:00
@fristonio fristonio requested review from a team as code owners February 13, 2026 20:00
@fristonio (Member, Author) commented Feb 13, 2026:

/test
ci-integration is failing due to a minor bug in Kubernetes ClusterNetworkPolicy parsing introduced with #42338
Edit: Fixed with 8ef4d59

@derailed (Contributor) left a comment:

@fristonio Nice work!

@fristonio fristonio force-pushed the pr/fristonio/sni-pattern-wildcard-support branch from ad6442b to 8652f49 Compare February 13, 2026 23:23
@fristonio (Member, Author) commented:

/test

@aanm (Member) left a comment:

LGTM, the only missing thing is the bump in the CRD schema

This commit relaxes the k8s API validation pattern for server names in
the policy API to allow wildcard specifiers anywhere in the SNI pattern.
This allows users to write more compressed network policies and is
in line with the syntax supported in the FQDN match pattern.

With this change users can now specify allowed server names with
wildcards as:

- '**.cilium.io': Existing behavior which matches any number of
  subdomain levels in the prefix. "test.cilium.io" and
  "test.app.cilium.io" match but "cilium.io" does not.

- '*.cilium.io': Existing behavior which matches all subdomains of
  cilium.io on a single level. "test.cilium.io" matches but
  "test.app.cilium.io" and "cilium.io" do not.

- 'sub*.cilium.io': Matches subdomains of cilium.io where the subdomain
  component begins with "sub" (only one level). "sub.cilium.io" and
  "subdomain.cilium.io" match while "www.cilium.io", "cilium.io" and
  "test.subdomain.cilium.io" do not.

Additionally this commit introduces a new helper function used to
sanitize the server names pattern when converting to envoy protobuf. This
is required because cilium-envoy doesn't support the same semantics
for match pattern syntax as the DNS match pattern in cilium-agent.

Signed-off-by: Deepesh Pathak <deepesh.pathak@isovalent.com>
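The three wildcard forms listed in the commit message, as an added Go example that is not Cilium's own code: it compiles a pattern into an anchored regexp with the semantics stated above (a leading `**.` requires at least one label so that `cilium.io` is not matched, and `*` never crosses a label boundary) and checks a server name against it. `MatchSNI` and `sniPatternToRegexp` are hypothetical names, and the semantics are assumed from the message rather than read from cilium-agent or cilium-envoy.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// sniPatternToRegexp turns an SNI server-name pattern into an anchored regexp
// using the semantics the commit message describes (assumed here, not Cilium's
// own code): a leading "**." matches one or more whole labels, "*" matches zero
// or more characters within a single label (never a dot), all else is literal.
func sniPatternToRegexp(pattern string) (*regexp.Regexp, error) {
	p := strings.ToLower(strings.TrimSuffix(pattern, "."))
	var sb strings.Builder
	sb.WriteString("^")
	if strings.HasPrefix(p, "**.") {
		sb.WriteString(`(?:[^.]+\.)+`) // at least one label, so "cilium.io" is excluded
		p = strings.TrimPrefix(p, "**.")
	}
	if strings.Contains(p, "**") {
		return nil, fmt.Errorf("pattern %q: '**' is only allowed as a leading '**.'", pattern)
	}
	for i, literal := range strings.Split(p, "*") {
		if i > 0 {
			sb.WriteString(`[^.]*`) // single-label wildcard
		}
		sb.WriteString(regexp.QuoteMeta(literal))
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// MatchSNI (hypothetical name) reports whether serverName is allowed by pattern.
func MatchSNI(pattern, serverName string) (bool, error) {
	re, err := sniPatternToRegexp(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(strings.ToLower(strings.TrimSuffix(serverName, "."))), nil
}

func main() {
	for _, c := range [][2]string{
		{"**.cilium.io", "cilium.io"}, {"*.cilium.io", "test.app.cilium.io"},
		{"sub*.cilium.io", "subdomain.cilium.io"}, {"sub*.cilium.io", "www.cilium.io"},
	} {
		ok, err := MatchSNI(c[0], c[1])
		fmt.Printf("%-16s %-22s match=%v err=%v\n", c[0], c[1], ok, err)
	}
}
```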
@fristonio fristonio force-pushed the pr/fristonio/sni-pattern-wildcard-support branch from 8652f49 to 6ec04cb Compare February 16, 2026 19:20
@fristonio (Member, Author) commented:

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 17, 2026
@gandro gandro added this pull request to the merge queue Feb 17, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Feb 17, 2026
@fristonio fristonio added this pull request to the merge queue Feb 17, 2026
Merged via the queue into cilium:main with commit aae64f0 Feb 17, 2026
79 of 81 checks passed
@fristonio fristonio deleted the pr/fristonio/sni-pattern-wildcard-support branch February 17, 2026 17:39

Labels: area/proxy, ready-to-merge, release-note/minor, sig/policy, upgrade-impact


Development: successfully merging this pull request may close the issue "SNI ServerName wildcard doesn't match toFQDNs MatchPattern".
