The DP can't start with Mesh whose name contains dot sign

[Icarus9913]

Kuma Version

2.9.3

Describe the bug

In Kubernetes environment, the sidecar-injected Pod can't go to ready state because the kuma-sidecar container failed to start.

To Reproduce

1. Create a Mesh object with name aa.a
2. Create a workload with the mesh aa.a injected
3. Watch the Pod state

Expected behavior

The Pod can start successfully and go to ready state

Additional context (optional)

Here's the Pod's event:

~%kubectl get mesh -A
NAME      AGE
aa.a      15m
---------
~%kubectl -n kuma-demo get po 
NAME                        READY   STATUS    RESTARTS   AGE
2048-app-7c5f756499-l9p2m   1/2     Running   0          88s
---------
  Normal   Created               47s                kubelet                          Created container kuma-sidecar
  Normal   Started               47s                kubelet                          Started container kuma-sidecar
  Normal   Pulled                47s                kubelet                          Container image "ghcr.io/daocloud/dao-2048:v1.4.1" already present on machine
  Normal   Created               47s                kubelet                          Created container 2048-app
  Normal   Started               47s                kubelet                          Started container 2048-app
  Warning  Unhealthy             2s (x11 over 46s)  kubelet                          Readiness probe failed: Get "http://10.42.0.57:9901/ready": dial tcp 10.42.0.57:9901: connect: connection refused

The kuma-control-plane Pod's logs:

---------
2025-02-25T03:40:16.917Z	INFO	injector	injecting Kuma	{"pod": "2048-app-7c5f756499-", "namespace": "kuma-demo"}
2025-02-25T03:40:16.926Z	INFO	controllers.Service	annotating service which is part of the mesh	{"service": {"name":"service-2048-app","namespace":"kuma-demo"}, "annotation": "ingress.kubernetes.io/service-upstream=true"}
2025-02-25T03:40:16.937Z	INFO	controllers.Service	annotating service which is part of the mesh	{"service": {"name":"service-2048-app","namespace":"kuma-demo"}, "annotation": "ingress.kubernetes.io/service-upstream=true"}
2025-02-25T03:40:18.195Z	INFO	controllers.Pod	Dataplane created	{"pod": {"name":"2048-app-7c5f756499-l9p2m","namespace":"kuma-demo"}}
2025-02-25T03:40:18.196Z	INFO	dns-vips-allocator	mesh VIPs changed	{"mesh": "aa.a", "changes": [{"Type":"Add","Entry":"1:10.43.104.220"},{"Type":"Add","Entry":"0:service-2048-app_kuma-demo_svc_80"}]}
2025-02-25T03:41:17.558Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 2, "proxyName": "", "mesh": "", "subscriptionID": "a5d65f52-79ba-43dd-83fd-7115164fd8e0"}
2025-02-25T03:41:17.632Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 3, "proxyName": "", "mesh": "", "subscriptionID": "9f4f7422-2693-4dc4-8c91-2b34199b89d1"}
2025-02-25T03:41:17.648Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 4, "proxyName": "", "mesh": "", "subscriptionID": "27715496-8ef3-479b-8d9b-5e2a1e3f4d03"}
2025-02-25T03:41:19.373Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 5, "proxyName": "", "mesh": "", "subscriptionID": "eb354fed-dce2-45ce-b0c3-c5cbbc8a55ba"}
2025-02-25T03:41:20.105Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 6, "proxyName": "", "mesh": "", "subscriptionID": "3bfbf83a-3187-465e-aa46-d6b30de10e6a"}

The workload Pod's kuma-sidecar container logs:

[2025-02-25 03:41:17.552][31][warning][main] [source/server/server.cc:928] There is no configured limit to the number of allowed active downstream connections. Configure a limit in `envoy.resource_monitors.downstream_connections` resource monitor.
[2025-02-25 03:41:17.552][31][info][main] [source/server/server.cc:969] starting main dispatch loop
[2025-02-25 03:41:17.558][31][warning][config] [./source/extensions/config_subscription/grpc/grpc_stream.h:155] StreamAggregatedResources gRPC config stream to kuma-control-plane.kuma-system:5678 closed: 2, resource "aa.a.2048-app-7c5f756499-l9p2m.kuma-demo" not found; create a Dataplane in Kuma CP first or pass it as an argument to kuma-dp

[Icarus9913]

This problem exists in Universal environment too. The reproduce steps are almost the same as the upper, you just need to use the universal resource format.

The CP logs:

2025-02-26T05:19:26.993Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 1, "proxyName": "", "mesh": "", "subscriptionID": "d154af35-5229-4f82-a178-6cf4d0fc97d9"}
2025-02-26T05:19:27.381Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 2, "proxyName": "", "mesh": "", "subscriptionID": "9e8aa505-a33a-484f-b63e-37214bf4ee46"}
2025-02-26T05:19:27.681Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 3, "proxyName": "", "mesh": "", "subscriptionID": "9d38e41c-f1f8-450f-ba7c-f44c76021886"}
2025-02-26T05:19:29.005Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 4, "proxyName": "", "mesh": "", "subscriptionID": "85c1dd68-a782-45f2-bdaa-86a2cb580558"}
2025-02-26T05:19:32.376Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 5, "proxyName": "", "mesh": "", "subscriptionID": "ef7d21a7-4951-4d99-aa77-6da71e9b52e0"}
2025-02-26T05:19:35.618Z	INFO	xds.status-tracker	proxy disconnected	{"streamID": 6, "proxyName": "", "mesh": "", "subscriptionID": "53205644-a4b3-450f-9351-3b1f043084f7"}

The DP logs:

[2025-02-26 13:19:26.993][351][warning][config] [./source/extensions/config_subscription/grpc/grpc_stream.h:155] StreamAggregatedResources gRPC config stream to ads_cluster closed: 2, proxyId {aa a.dp-echo-1} does not match proxy resource {Dataplane aa.a dp-echo-1 0001-01-01 00:00:00 +0000 UTC 0001-01-01 00:00:00 +0000 UTC map[]}
[2025-02-26 13:19:27.382][351][warning][config] [./source/extensions/config_subscription/grpc/grpc_stream.h:155] StreamAggregatedResources gRPC config stream to ads_cluster closed: 2, proxyId {aa a.dp-echo-1} does not match proxy resource {Dataplane aa.a dp-echo-1 0001-01-01 00:00:00 +0000 UTC 0001-01-01 00:00:00 +0000 UTC map[]}
[2025-02-26 13:19:27.682][351][warning][config] [./source/extensions/config_subscription/grpc/grpc_stream.h:155] StreamAggregatedResources gRPC config stream to ads_cluster closed: 2, proxyId {aa a.dp-echo-1} does not match proxy resource {Dataplane aa.a dp-echo-1 0001-01-01 00:00:00 +0000 UTC 0001-01-01 00:00:00 +0000 UTC map[]}
[2025-02-26 13:19:29.006][351][warning][config] [./source/extensions/config_subscription/grpc/grpc_stream.h:155] StreamAggregatedResources gRPC config stream to ads_cluster closed: 2, proxyId {aa a.dp-echo-1} does not match proxy resource {Dataplane aa.a dp-echo-1 0001-01-01 00:00:00 +0000 UTC 0001-01-01 00:00:00 +0000 UTC map[]}
[2025-02-26 13:19:32.377][351][warning][config] [./source/extensions/config_subscription/grpc/grpc_stream.h:155] StreamAggregatedResources gRPC config stream to ads_cluster closed: 2, proxyId {aa a.dp-echo-1} does not match proxy resource {Dataplane aa.a dp-echo-1 0001-01-01 00:00:00 +0000 UTC 0001-01-01 00:00:00 +0000 UTC map[]}

[Icarus9913]

The problem happens in the function

kuma/pkg/core/xds/types.go

Line 366 in fbef990

func ParseProxyIdFromString(id string) (*ProxyId, error) {

, the given Envoy Node ID is aa.a.2048-app-7c5f756499-l9p2m.kuma-demo then it was parsed into xds.ProxyId{mesh:"aa", name:"a.2048-app-7c5f756499-l9p2m.kuma-demo"}

---

In Kubernetes,

• the kuma_dataplane_name consists of d.Name = fmt.Sprintf("%s.%s", podName, podNamespace)
• the Envoy ProxyID/NodeID consists of fmt.Sprintf("%s.%s", id.mesh, id.name)

Later, we'll parse the string into ProxyID structure by splitting the string . signs.
Currently, the Kubernetes Pod name follows the DNS Subdomain Names which allow you to contain . sign, and Kubernetes Namespace follows the RFC 1123 DNS labels and you can't use . in the Namespace object name.
For Mesh, MeshService etc resources we didn't define the limitations in which you could use . in their names