Ability to override subjectAltNames (SAN verification) for ISTIO_MUTUAL auth type

Describe the feature request
Ability to override subjectAltNames for ISTIO_MUTUAL. Currently, subjectAltNames can be overriden for MUTUAL auth policy but not for ISTIO_MUTUAL. This results in skipped SAN verification for service entries (added for services running in remote istio cluster) which are not associated with istio service accounts in the local cluster.

Describe alternatives you've considered
None I can think of.

Additional context
We generate certificates with spiffee id with service identifier, we need a way to specify that in subjectAltNames while we use a different host in service entry that is actually called.

[rshriram]

You can override the SAN check using a destination rule

[rshriram]

try it with ISTIO_MUTUAL

Yep, I tried the following service entry and destination rule:

kind: ServiceEntry
metadata:
  name: server-e2e-mc
spec:
  hosts:
  - server-e2e.mesh.company.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
  endpoints:
  - address: a3fa56b6e2b7a11e9991d063ed499147-1651036159.us-west-2.elb.amazonaws.com
    ports:
      http: 443
    labels:
      env: e2e_west
    locality: us-west-2
  - address: a641b759d2b7a11e9b59a0a00383ddd9-1892978029.us-west-2.elb.amazonaws.com
    ports:
      http: 443
    locality: us-east-2
    labels:
      env: e2e_east

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dest-rule-server-mc
spec:
  host: server-e2e.mesh.company.com
  subsets:
  - name: istiomutual
    labels:
      env: e2e_west
    trafficPolicy:
      tls:
        mode: ISTIO_MUTUAL
        clientCertificate: /etc/certs/cert-chain.pem
        privateKey: /etc/certs/key.pem
        caCertificates: /etc/certs/root-cert.pem
        subjectAltNames:
        - company.platform.server
        sni: server-e2e.mesh.company.com
  - name: mutual
    labels:
      env: e2e_east
    trafficPolicy:
      tls:
        mode: MUTUAL
        clientCertificate: /etc/certs/cert-chain.pem
        privateKey: /etc/certs/key.pem
        caCertificates: /etc/certs/root-cert.pem
        subjectAltNames:
        - company.platform.server
        sni: server-e2e.mesh.company.com

So I specified subjectAltNames for both ISTIO_MUTUAL and MUTUAL, but only the one specified for MUTUAL gets reflected in envoy config under verifySubjectAltName. Envoy configs generated below:

Generated envoy tlsContext for MUTUAL:

         "tlsContext": {
            "commonTlsContext": {
                "tlsCertificates": [
                    {
                        "certificateChain": {
                            "filename": "/etc/certs/cert-chain.pem"
                        },
                        "privateKey": {
                            "filename": "/etc/certs/key.pem"
                        }
                    }
                ],
                "validationContext": {
                    "trustedCa": {
                        "filename": "/etc/certs/root-cert.pem"
                    },
                    "verifySubjectAltName": [
                        "Intuit.platform.server"
                    ]
                }
            },
            "sni": "server-e2e.mesh.intuit.com"
        }

Generated envoy tlsContext for ISTIO_MUTUAL:

          "tlsContext": {
            "commonTlsContext": {
                "tlsCertificates": [
                    {
                        "certificateChain": {
                            "filename": "/etc/certs/cert-chain.pem"
                        },
                        "privateKey": {
                            "filename": "/etc/certs/key.pem"
                        }
                    }
                ],
                "validationContext": {
                    "trustedCa": {
                        "filename": "/etc/certs/root-cert.pem"
                    }
                },
                "alpnProtocols": [
                    "istio"
                ]
            },
            "sni": "server-e2e.mesh.intuit.com"
        }

I can submit a PR if you think its supposed to work and it isn't currently.

[rshriram]

shux you are right.. look in cluster.go under conditionallyConvertToIstioMtls ..

if tls.Mode == networking.TLSSettings_ISTIO_MUTUAL {
		// Use client provided SNI if set. Otherwise, overwrite with the auto generated SNI
		// user specified SNIs in the istio mtls settings are useful when routing via gateways
		sniToUse := tls.Sni
		if len(sniToUse) == 0 {
			sniToUse = sni
		}
		return buildIstioMutualTLS(serviceAccounts, sniToUse)
	}

Also please submit this fix to release-1.1 branch

Sure shriram, will submit a PR.

[aryan-ibm]

shux you are right.. look in cluster.go under conditionallyConvertToIstioMtls ..

if tls.Mode == networking.TLSSettings_ISTIO_MUTUAL {
		// Use client provided SNI if set. Otherwise, overwrite with the auto generated SNI
		// user specified SNIs in the istio mtls settings are useful when routing via gateways
		sniToUse := tls.Sni
		if len(sniToUse) == 0 {
			sniToUse = sni
		}
		return buildIstioMutualTLS(serviceAccounts, sniToUse)
	}

Also please submit this fix to release-1.1 branch

@rshriram For mode:Simple also its ignoring SAN from destination rule.

[ramaraochavali]

SIMPLE validates SAN if cacertificate is provided, if not it just initiates TLS connection.

[ramaraochavali]

but it is still validating and providing result.
Are you saying it is validating and failing?