Add DYNAMIC_DNS resolution type for wildcard hosts (#3565)

* Add new resolution type to support wildcard hosts

- Defines DELAYED_DNS

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Use Dynamic DNS instead of delayed

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify ambient only support and waypoint bound requirement

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Remove more complex kubebuild directive for the wildcard host
validation

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add release note

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix nits

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Respond to comments

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify impact of dynamic dns on captured dns

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify intended use

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Author: jaellio

kubernetes/customresourcedefinitions.gen.yaml

@@ -560,6 +560,23 @@ message ServiceEntry {
     // specified in the hosts field, if wildcards are not used. DNS resolution
     // cannot be used with Unix domain socket endpoints.
     DNS_ROUND_ROBIN = 3;
+
+    // DYNAMIC_DNS will attempt to resolve the host name specified in
+    // the Host header or SNI to an IP address when handling traffic. This
+    // allows multiple DNS addresses to be represented by a single wildcard
+    // `host` entry without having to explicitly enumerate all possible
+    // endpoints. During DNS proxying, ztunnel will resolve all subdomains
+    // matching the wildcard host name to a VIP which isn't used for routing
+    // outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+    // waypoint proxy to recover the original host name using information
+    // from SNI or a Host header in an HTTP Request. This original host name
+    // will then be resolved so that traffic can be routed to the intended
+    // IP address. This method of handling wildcard traffic is not
+    // compatible with raw TCP traffic where the original host cannot
+    // be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+    // `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+    // be bound to a waypoint. Specified endpoints will be ignored.
+    DYNAMIC_DNS = 4;
   }
 
   // Service resolution mode for the hosts. Care must be taken

networking/v1/service_entry_alias.gen.go

@@ -0,0 +1,11 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+  - https://github.com/istio/istio/issues/54540
+
+releaseNotes:
+  - |
+    **Added** a new `DYNAMIC_DNS` resolution option for `ServiceEntry` to enable
+    dynamic DNS resolution based on the request's Host header or SNI when the
+    ServiceEntry has a wildcard host.