MINOR: add domain wildcard SNI map file

ivanmatmati · oktalz · commit f687af05f2aa · 2025-11-28T09:29:40.000Z
diff --git a/k8s/gate/haproxy/frontends.go b/k8s/gate/haproxy/frontends.go
@@ -234,12 +234,14 @@ func (b *HaproxyConfMgrImpl) newFrontend(params newFrontendParams) (*models.Fron
 	pathDomainWPathExactMap := b.params.mapsStorage.MapPath(frontendName, storage.PATH_EXACT_DOMAIN_WILDCARD_MAP)
 	pathRegexMap := b.params.mapsStorage.MapPath(frontendName, storage.PATH_REGEX_MAP)
 	sniMap := b.params.mapsStorage.MapPath(frontendName, storage.SNI_MAP)
+	sniDomainWildcardMap := b.params.mapsStorage.MapPath(frontendName, storage.SNI_DOMAIN_WILDCARD_MAP)
 
 	b.params.mapsStorage.EnsureMapData(pathExactMap)
 	b.params.mapsStorage.EnsureMapData(pathPrefixMap)
 	b.params.mapsStorage.EnsureMapData(pathRegexMap)
 	b.params.mapsStorage.EnsureMapData(pathDomainWPathExactMap)
 	b.params.mapsStorage.EnsureMapData(sniMap)
+	b.params.mapsStorage.EnsureMapData(sniDomainWildcardMap)
 
 	var tcpRules []*models.TCPRequestRule
 	var httpRules []*models.HTTPRequestRule
@@ -277,11 +279,12 @@ func (b *HaproxyConfMgrImpl) newFrontend(params newFrontendParams) (*models.Fron
 			},
 			{
 				// tcp-request content set-var(txn.sni_match) req_ssl_sni,regsub(^[^.]*,,),map(sni.map)
+				// tcp-request content set-var(txn.sni_match,ifnotexists) req_ssl_sni,map_end(sniDomainWildcardMap.map)
 				Type:     "content",
 				Action:   "set-var",
 				VarName:  "sni_match",
 				VarScope: "txn",
-				Expr:     "req_ssl_sni,regsub(^[^.]*,,),map(" + sniMap.FullPath() + ")",
+				Expr:     "req_ssl_sni,map_end(" + sniDomainWildcardMap.FullPath() + ")",
 			},
 			{
 				// http-request lua.route if route_is_json
diff --git a/k8s/gate/haproxy/routes-maps.go b/k8s/gate/haproxy/routes-maps.go
@@ -65,16 +65,18 @@ func (b *RouteMgrImpl) fillMapsForTLSRoutes() {
 
 				pathSNIMap := mapsStorage.MapPath(frontendName, storage.SNI_MAP)
 				mapSNIMap := mapsStorage.GetMapData(pathSNIMap)
-				err = b.onDeletedTLSRoute(routeKey, route, mapSNIMap)
+				pathSNIDomainWildcardMap := mapsStorage.MapPath(frontendName, storage.SNI_DOMAIN_WILDCARD_MAP)
+				mapSNIDomainWildcardMap := mapsStorage.GetMapData(pathSNIDomainWildcardMap)
+				err = b.onDeletedTLSRoute(routeKey, route, mapSNIMap, mapSNIDomainWildcardMap)
 				// errs.Add(err)
 				_ = err // TODO ignore error for now
 			}
 		}
 	}
 	// Managed TLSRoutes => Create / update/ delete backends
 	for routeKey, route := range controllerStore.GateTree.TLSRoutes {
-		for _, listeners := range route.Listeners.Iterate {
-			for _, listener := range listeners {
+		for _, listener := range route.Listeners.Iterate {
+			for _, listener := range listener {
 				frontendName, err := b.topManager.getFrontendName(listener.Owner, listener.K8sResource)
 				if err != nil {
 					b.topManager.logger.LogAttrs(context.Background(), slog.LevelError, "Failed to get frontend name",
@@ -86,15 +88,16 @@ func (b *RouteMgrImpl) fillMapsForTLSRoutes() {
 				acceptedHostnamesForRoute := utils.MatchTLSHostnames(listenerHostname, routesHosnames)
 				pathSNIMap := mapsStorage.MapPath(frontendName, storage.SNI_MAP)
 				mapSNIMap := mapsStorage.GetMapData(pathSNIMap)
-
+				pathSNIDomainWildcardMap := mapsStorage.MapPath(frontendName, storage.SNI_DOMAIN_WILDCARD_MAP)
+				mapSNIDomainWildcardMap := mapsStorage.GetMapData(pathSNIDomainWildcardMap)
 				switch route.TreeStatus.Status {
 				case store.StatusUnchanged:
 					continue
 				case store.StatusUpserted:
-					err := b.onUpsertedTLSRoute(routeKey, route, mapSNIMap, acceptedHostnamesForRoute)
+					err := b.onUpsertedTLSRoute(routeKey, route, mapSNIMap, mapSNIDomainWildcardMap, acceptedHostnamesForRoute)
 					errs.Add(err)
 				case store.StatusDeleted:
-					err := b.onDeletedTLSRoute(routeKey, route, mapSNIMap)
+					err := b.onDeletedTLSRoute(routeKey, route, mapSNIMap, mapSNIDomainWildcardMap)
 					errs.Add(err)
 				}
 			}
diff --git a/k8s/gate/haproxy/routes.go b/k8s/gate/haproxy/routes.go
@@ -62,16 +62,16 @@ func (b *RouteMgrImpl) onUpsertedHTTPRoute(routeKey k8stypes.NamespacedName, rou
 }
 
 func (b *RouteMgrImpl) onUpsertedTLSRoute(routeKey k8stypes.NamespacedName, route *tree.TLSRoute,
-	sni *maps.MapData, acceptedHostnamesForRoute []string,
+	mapSNI, mapSNIDomainWildcardMap *maps.MapData, acceptedHostnamesForRoute []string,
 ) error {
 	if route.Valid {
-		return b.onValidTLSRouteUpserted(routeKey, route, sni, acceptedHostnamesForRoute)
+		return b.onValidTLSRouteUpserted(routeKey, route, mapSNI, mapSNIDomainWildcardMap, acceptedHostnamesForRoute)
 	}
-	return b.onInvalidTLSRouteUpserted(routeKey, route, sni)
+	return b.onInvalidTLSRouteUpserted(routeKey, route, mapSNI, mapSNIDomainWildcardMap)
 }
 
 func (b *RouteMgrImpl) onValidTLSRouteUpserted(_ k8stypes.NamespacedName,
-	tlsRoute *tree.TLSRoute, mapSNI *maps.MapData, acceptedHostnamesForRoute []string,
+	tlsRoute *tree.TLSRoute, mapSNI, mapSNIDomainWildcardMap *maps.MapData, acceptedHostnamesForRoute []string,
 ) error {
 	for _, tlsRouteRule := range tlsRoute.Rules {
 		// if !rule.Valid {
@@ -136,7 +136,11 @@ func (b *RouteMgrImpl) onValidTLSRouteUpserted(_ k8stypes.NamespacedName,
 
 		for _, hostname := range acceptedHostnamesForRoute {
 			if tlsRouteRule.Valid {
-				mapSNI.AddData(string(hostname), routeValue)
+				if isDomainWildcard(string(hostname)) {
+					mapSNIDomainWildcardMap.AddData(string(hostname), routeValue)
+				} else {
+					mapSNI.AddData(string(hostname), routeValue)
+				}
 				hostnamesInserted[string(hostname)] = struct{}{}
 			} else if _, ok := hostnamesInserted[string(hostname)]; !ok {
 				mapSNI.DeleteData(string(hostname))
@@ -146,17 +150,21 @@ func (b *RouteMgrImpl) onValidTLSRouteUpserted(_ k8stypes.NamespacedName,
 	return nil
 }
 
-func (RouteMgrImpl) onInvalidTLSRouteUpserted(_ k8stypes.NamespacedName, _ *tree.TLSRoute, _ *maps.MapData) error {
+func (RouteMgrImpl) onInvalidTLSRouteUpserted(_ k8stypes.NamespacedName, _ *tree.TLSRoute, _, _ *maps.MapData) error {
 	// TODO we might need to remove it from the maps
 	return nil
 }
 
 func (RouteMgrImpl) onDeletedTLSRoute(_ k8stypes.NamespacedName, route *tree.TLSRoute,
-	mapSNI *maps.MapData,
+	mapSNI *maps.MapData, mapSNIDomainWildcard *maps.MapData,
 ) error {
 	hostnames := route.K8sResource.Spec.Hostnames
 	for _, hostname := range hostnames {
-		mapSNI.DeleteData(string(hostname))
+		if isDomainWildcard(string(hostname)) {
+			mapSNIDomainWildcard.DeleteData(string(hostname))
+		} else {
+			mapSNI.DeleteData(string(hostname))
+		}
 	}
 	return nil
 }
diff --git a/k8s/gate/haproxy/storage/maps.go b/k8s/gate/haproxy/storage/maps.go
@@ -34,6 +34,7 @@ const (
 	PATH_PREFIX_MAP                = "path_prefix"
 	PATH_REGEX_MAP                 = "path_regex"
 	SNI_MAP                        = "sni"
+	SNI_DOMAIN_WILDCARD_MAP        = "domain_wildcard_sni"
 )
 
 //revive:enable:var-naming

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ const (`
`34`	`34`	`PATH_PREFIX_MAP = "path_prefix"`
`35`	`35`	`PATH_REGEX_MAP = "path_regex"`
`36`	`36`	`SNI_MAP = "sni"`
	`37`	`+ SNI_DOMAIN_WILDCARD_MAP = "domain_wildcard_sni"`
`37`	`38`	`)`
`38`	`39`
`39`	`40`	`//revive:enable:var-naming`