@fristonio
Member

See commit message for more details.

Extends: #1242
Fixes: cilium/cilium#43597

squeed commented Jan 13, 2026

So, @fristonio and I were chatting about this, and I wondered if we should convert to regex in the agent and send that to the proxy.

Pros:

  • No risk of divergent implementations
  • Easier changes in the future

Cons:

  • requires a new protobuf field for upgrade compat

I'm not sure what the general practice is for c/proxy here.

squeed commented Jan 13, 2026

Conclusion: because spinning a new proto type is annoying, we'll implement it as-is.

@squeed squeed left a comment

great tests!

This commit adds support for specifying a wildcard ('*') anywhere in the
server names match pattern. This allows users to write more compressed
network policies and is in line with what cilium/cilium supports for FQDN
match patterns.
With this change, users can now write allowed server names as:

- '**.cilium.io': Existing behavior which matches any number of
  subdomain levels in the prefix. "test.cilium.io" and
  "test.app.cilium.io" match but "cilium.io" does not.

- '*.cilium.io': Existing behavior which matches all subdomains of
  cilium.io on a single level. "test.cilium.io" matches but
  "test.app.cilium.io" and "cilium.io" do not.

- 'sub*.cilium.io': Matches subdomains of cilium.io where the subdomain
  component begins with "sub" (only one level). "sub.cilium.io" and
  "subdomain.cilium.io" match while "www.cilium.io", "cilium.io" and
  "test.subdomain.cilium.io" do not.

SNI match patterns are now implemented using regular expressions. The
required regex is derived and compiled once during xDS configuration
update.
If the match pattern doesn't contain any wildcard specifier, the
implementation relies on an explicit full-string match.

Signed-off-by: Deepesh Pathak <[email protected]>
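As an added illustration of the matching semantics the commit message describes (this is not the cilium/proxy implementation, and the type and function names are assumptions), the following Go code derives the anchored regex from an SNI match pattern once and falls back to an exact string comparison when the pattern has no wildcard:

```go
package main

import (
	"regexp"
	"strings"
)

// ServerNameMatcher is a compiled SNI pattern: exact literal or anchored regex.
type ServerNameMatcher struct {
	literal string
	re      *regexp.Regexp
}

// patternToRegex derives the regex for a pattern, following the commit message:
// a whole label "**" matches one or more labels, a whole label "*" matches one
// label, and "*" inside a label matches any run of non-dot chars (maybe empty).
func patternToRegex(pattern string) string {
	labels := strings.Split(pattern, ".")
	parts := make([]string, 0, len(labels))
	for _, label := range labels {
		switch label {
		case "**":
			parts = append(parts, `[^.]+(?:\.[^.]+)*`)
		case "*":
			parts = append(parts, `[^.]+`)
		default:
			// QuoteMeta escapes '*' as `\*`; turn those back into wildcards.
			parts = append(parts, strings.ReplaceAll(regexp.QuoteMeta(label), `\*`, `[^.]*`))
		}
	}
	return "^" + strings.Join(parts, `\.`) + "$"
}

// NewServerNameMatcher compiles a pattern once, as the xDS update path would.
// Patterns without any wildcard fall back to an explicit full-string match.
func NewServerNameMatcher(pattern string) *ServerNameMatcher {
	if !strings.Contains(pattern, "*") {
		return &ServerNameMatcher{literal: pattern}
	}
	// The derived regex only contains escaped literals and fixed classes,
	// so it is always valid and MustCompile cannot panic here.
	return &ServerNameMatcher{re: regexp.MustCompile(patternToRegex(pattern))}
}

// Matches reports whether the TLS server name is allowed by the pattern.
func (m *ServerNameMatcher) Matches(serverName string) bool {
	if m.re == nil {
		return serverName == m.literal
	}
	return m.re.MatchString(serverName)
}
```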
@fristonio fristonio force-pushed the pr/fristonio/add-server-name-proto-validation branch from d9c7a5e to 5620d48 on January 15, 2026 17:52
Successfully merging this pull request may close these issues.

SNI ServerName wildcard doesn't match toFQDNs MatchPattern