[WIP] Allow identity domain to be configured in istio

[c0d1ngm0nk3y]

see issue #8661

Use identity domain parameter to configure spiffe to use a different domain than "cluster.local".

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of all the commit author(s), set the cla label to yes (if enabled on your project), and then merge this pull request when appropriate.

[istio-testing]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: costinm

If they are not already assigned, you can assign the PR to them by writing /assign @costinm in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[istio-testing]

Hi @c0d1ngm0nk3y. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[c0d1ngm0nk3y]

Still work in progress: If mTLS is not used, the pilot proxy is crashing.

/cc @lita
/cc @myidpt
/cc @elevran

[codecov]

Codecov Report

Merging #8976 into master will decrease coverage by 1%.
The diff coverage is 71%.

@@           Coverage Diff           @@
##           master   #8976    +/-   ##
=======================================
- Coverage      69%     69%   -<1%     
=======================================
  Files         412     425    +13     
  Lines       38423   38617   +194     
=======================================
+ Hits        26433   26550   +117     
- Misses      10740   10860   +120     
+ Partials     1250    1207    -43

Impacted Files	Coverage Δ
pilot/pkg/networking/plugin/authz/rbac.go	82% <ø> (ø)	⬆️
pilot/pkg/model/context.go	75% <ø> (+1%)	⬆️
pkg/bootstrap/bootstrap_config.go	39% <0%> (+2%)	⬆️
security/pkg/nodeagent/sds/sdsservice.go	63% <0%> (ø)	⬆️
pilot/pkg/proxy/envoy/v2/debug.go	33% <0%> (ø)	⬆️
pilot/pkg/serviceregistry/memory/discovery.go	57% <0%> (ø)	⬆️
pilot/pkg/serviceregistry/consul/controller.go	71% <0%> (ø)	⬆️
security/pkg/platform/onprem.go	67% <0%> (ø)	⬆️
security/pkg/pki/util/san.go	89% <100%> (ø)	⬇️
security/pkg/registry/kube/serviceaccount.go	77% <100%> (ø)	⬆️
... and 92 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6717060...1ae85f0. Read the comment docs.

[wattli]

update comment?

[wattli]

This file seems to be a testing file, if so, put it under testing dir?

[wattli]

can we put spiffe under security/pkg/... since it's mostly about security feature.

[wattli]

The name of this func is very confusing. Please rename to something more meaningful.

[wattli]

And it would be great to have some input/output values for testing purpose.

[wattli]

Please add comments for what it does.

And when leave a TODO, please add the corresponding person for this TODO.

[myidpt]

Thanks for the great work. Could you split this PR into smaller ones? It's hard for us to review.

[axel7born]

@myidpt, your right, the PR got to big. We are preparing smaller ones.
@wattli, thanks for looking at our changes. We will take your comments into account for the smaller PRs.

[kramerul]

@myidpt We spitted up this pull request into 3 pull requests:
#9059, #9090 and #9226
It would be nice, if we could do the move of spiffe to security/pkg after these pull requests are merged.

This pull request is no longer needed. It's replaced by the requests mentioned above.

[c0d1ngm0nk3y]

see comment, this PR has been splitted.