tls: enable match_subject_alt_names option in SPIFFE validator

[mathetake]

Signed-off-by: Takeshi Yoneda takeshi@tetrate.io

Commit Message: tls: enable match_subject_alt_names option in SPIFFE validator
Additional Description: This is a follow up on #14884 and resolves #15392.

[mathetake]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #15509 (comment) was created by @mathetake.

see: more, trace.

[azdagron]

This is exciting! Very happy to see this work move forward! I can't speak to the rest of the mechanics, but the actual SAN validation seems fine.

[mathetake]

@azdagron Thanks for the review from the perspective of SPIFFE expert 👍 I really appreciate it 🙂

[asraa]

Thanks! LGTM besides the nit

[mathetake]

@PiotrSikora sorry my stale merge commit has requested your review. Never mind.

[mathetake]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #15509 (comment) was created by @mathetake.

see: more, trace.

[asraa]

Thanks! LGTM
@envoyproxy/senior-maintainers

[mattklein123]

Needs a main merge.

/wait

[mathetake]

merged main and resolved conflicts. Thanks!

[mattklein123]

Does this have explicit testing somewhere? I don't see any cert changes in this PR?

/wait-any

[mathetake]

I used this here for testing SAN matcher https://github.com/envoyproxy/envoy/pull/15509/files#diff-ee57e8aee637e17f1f512cef5e2bff807c263ab67922c85659721654913242f4R460, so that's why you don't see certs changes.

In any way, generalNameAsString doesn't have any explicit unit test so I think we should. Added a dedicated test case of getSubjectAltNames for email SAN.

[mathetake]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #15509 (comment) was created by @mathetake.

see: more, trace.

[mattklein123]

Super, thanks for beefing up the test coverage!