ServiceEntry with invalid host name (partial wildcard) is not blocked by admission validation

[rtmie]

Bug Description

Validating webhook does not block creation of a service entry with an invalid hostname wildcard.
Once this SE is admitted it breaks pilot-agent startup on a new proxy start.

example of bad service entry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  annotations: {}
  name: nytimes
  namespace: istio-system
spec:
  hosts:
    - '*.nytimes.com'
    - '*washingtonpost.com'
  location: MESH_EXTERNAL
  ports:
    - name: https-nytimes
      number: 443
      protocol: HTTPS
  resolution: NONE

After this is admitted errors occur in proxy startup:

from envoy:

{"level":"warning","time":"2023-03-31T10:07:31.410110Z","scope":"envoy config","msg":"gRPC config for type
.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_443:
 error adding listener '0.0.0.0:443': partial wildcards are not supported in \"server_names\"\n"}

and from the agent

{"level":"warn","time":"2023-03-31T10:07:31.770542Z","msg":"Envoy proxy is NOT ready: config received from
 XDS server, but was rejected: cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 1 rejecte
d"}

then the agent terminates and retries, pod goes into CrashLoopBackoff

Version

$ istioctl version
client version: 1.15.5
control plane version: 1.15
data plane version: 1.15.3 (104 proxies)

$ kc version --short
Client Version: v1.21.9
Server Version: v1.21.9

Additional Information

No response

[wulianglongrd]

from the written test cases, this is the expected result. But it seems that this test case is wrong? Not only SE, DR/Sidecar/VS... share this validate rule (maybe slightly different).

see here:

istio/pkg/config/validation/validation_test.go

Line 115 in b7490d9

{"wildcard prefix", "*foo.bar.com", ""},

[howardjohn]

I recall this being fixed...

[ramaraochavali]

I think we have fixed this for gateway/sidecar but not for SEs