Skip to content

Add support for wildcard specifiers anywhere in SNI pattern #1693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
fristonio wants to merge 1 commit into from
Closed

Add support for wildcard specifiers anywhere in SNI pattern #1693

fristonio wants to merge 1 commit into from

Conversation

@fristonio
Copy link
Member

@fristonio fristonio commented Jan 11, 2026

See commit message for more details.

Extends: #1242
Fixes: cilium/cilium#43597

@fristonio fristonio requested a review from a team as a code owner January 11, 2026 05:54
@fristonio fristonio requested a review from sayboras January 11, 2026 05:54
fristonio
fristonio commented Jan 11, 2026
View reviewed changes
@fristonio
sni: add support for wildcard specifiers anywhere in the pattern
d9c7a5e 
This commit adds support for specifying wildcard('*') anywhere in the
server names match pattern. This allow users to write more compressed
network policies and is inline with what cilium/cilium supports for FQDN
match patterns.
With this change users can now write allowed server names as:

- '**.cilium.io': Existing behavior which matches any number of
  subdomain levels in the prefix. "test.cilium.io" and
  "test.app.cilium.io" matches but "cilium.io" does not.

- '*.cilium.io': Existing behavior which matches all subdomains of
  cilium.io on a single level. "test.cilium.io" matches but
  "test.app.cilium.io" and "cilium.io" do not.

- 'sub*.cilium.io': Matches subdomains of cilium.io where the subdomain
  component begins with "sub"(only one level). "sub.cilium.io" and
  "subdomain.cilium.io" matches wile "www.cilium.io", "cilium.io" and
  "test.subdomain.cilium.io" do not.

SNI match patterns are now implemented using regular expressions. The
required regex is derived and compiled once during xDS configuration
update.
If the match pattern doesn't contain any wildcard specifier the
implementation relies on explicit full string match.

Signed-off-by: Deepesh Pathak <deepesh.pathak@isovalent.com>
@fristonio fristonio force-pushed the pr/fristonio/sni-pattern-wildcarding branch from 4bc4d2f to d9c7a5e Compare January 11, 2026 06:07
@fristonio fristonio changed the title Add support for wildcard specifiers anywhere in the pattern Add support for wildcard specifiers anywhere in SNI pattern Jan 11, 2026
@fristonio fristonio mentioned this pull request Jan 11, 2026
Draft
@sayboras sayboras requested a review from jrajahalme January 11, 2026 12:56
@sayboras sayboras closed this Jan 12, 2026
@sayboras sayboras reopened this Jan 12, 2026
@fristonio
Copy link
Member Author

fristonio commented Jan 12, 2026

Closing in favor of - #1698

@fristonio fristonio closed this Jan 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sayboras sayboras Awaiting requested review from sayboras sayboras is a code owner automatically assigned from cilium/envoy

@jrajahalme jrajahalme Awaiting requested review from jrajahalme

Assignees

No one assigned

Labels

kind/enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SNI ServerName wildcard doesn't match toFQDNs MatchPattern

2 participants

@fristonio @sayboras