Istio validatingWebhook doesn't catch Partial wildcards

[bvandewalle]

Bug Description

The following gateway object got added on one of our clusters:

- apiVersion: networking.istio.io/v1beta1
  kind: Gateway
  metadata:
    name: myservice
    namespace: istio-gateway
  spec:
    selector:
      istio: ingressgateway-internal
    servers:
    - hosts:
      - api.myservice.com
      - api2.myservice.com
      - '*-mr.api.myservice.com'
      port:
        name: myservice
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myservice-cert
        minProtocolVersion: TLSV1_2
        mode: SIMPLE

As a result we saw the gateway pods going down with the following error:

2022-11-21T13:28:44.924187Z	warn	ads	ADS:LDS: ACK ERROR istio-ingressgateway-internal-5bccbf9cdf-mhsqx.istio-gateway-624 Internal:Error adding/updating listener(s) 0.0.0.0_443: error adding listener '0.0.0.0:443': partial wildcards are not supported in "server_names"
2022-11-21T18:28:17.981950Z	warn	Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 102 successful, 0 rejected; lds updates: 0 successful, 102 rejected

This is because the hostname in the gateway object got added with a partial wildcard:

'*-mr.api.myservice.com'

Fix: This gateway object should have been denied by the validatingWebHook. Would be happy to push a fix for this if we agree that's the way to do it.

Relates to another similar report: #38343 (though that one was for a ServiceEntry).

Version

$ istioctl version
client version: 1.14.1
control plane version: 1.14.1
data plane version: 1.14.1 (324 proxies)

### Additional Information

_No response_

[bvandewalle]

Actually some work started on this but went stale: #38432

[chaunceyjiang]

I want to /assign, I am a newbie.I will try to find the cause of this problem. I'm not sure I can fix it

[zirain]

/assign chaunceyjiang