Cherry pick: Apply peer authentication policy (#20829)

[diemtvu]

git cherry-pick 9053f47

• Apply beta peer authentication policy down to workload level

• Clean up

• Lint

• Check beta policy for auto mtls. This can be removed when EP metadata take into account the policy

• Use explicit peerauthentication policy for permissive, as we haven't remove old mesh policy during installation

• pilot/pkg/security/authn/v1beta1/policy_applier.go

• Move all test for beta mTLS api to the end

• Change to namespace policy

• Revert cluster.go

• Change peer authn consolidation algorithm for UNSET (inheritant mode)

• Reimplement getMostSpecificConfig (now composePeerAuthentication) which also consolidate port-level policies.

• Fix inheritance: do not inherit if it is weaker than the current mode

• Remove debug logs

• Change test policy to namespace level to make sure they are clean up properly with the existing test setup.

• Address comment

• Lint

• Simplify logic to pick the oldest

• fix typo

• Update function comment

[diemtvu]

• @howardjohn can you double check utils.go line 77 to see if it's ok. I have to add node.Metadata.SdsEnabled != "1" based on yours change (https://github.com/istio/istio/pull/20511/files), though if ignore that change completely, we don't need that (we will need to remove/change the test MTLSStrict using SDS without node meta though)

Thanks.

[howardjohn]

oh wow, #20511 is a major release blocker that got missed cherrypicking back to release-1.5

[diemtvu]

oh wow, #20511 is a major release blocker that got missed cherrypicking back to release-1.5

Ha, great. I can wait for you to cherry pick it so I don't have to do a manual fix. Of if you want, I can create one.