apiVersion: release-notes/v2
kind: feature

area: security

releaseNotes:
- |
  **Added** support for client side Envoy secure naming config when trust domain alias is used.
  Fix the multi cluster service discovery client SAN generation: takes all endpoints' service accounts

			caller:             nil,
			authenticateErrMsg: "no verified chain is found",
		},
		"Certificate has no SAN": {
			certChain: [][]*x509.Certificate{
				{
					{
						Version: 1,
					},
				},
			},
			authenticateErrMsg: "the SAN extension does not exist",
		},
		"With client certificate": {
			certChain: [][]*x509.Certificate{
				{
					{

			exp:    false,
		},
		"does not default to kubelet-serving if it specifies a URI SAN": {
			req:    newCSR(kubeletServerPEMOptions, pemOptions{uris: []string{"http://something"}}),
			usages: kubeletServerUsages,
			exp:    false,
		},
		"does not default to kubelet-serving if it specifies an emailAddress SAN": {
			req:    newCSR(kubeletServerPEMOptions, pemOptions{emailAddresses: []string{"something"}}),

}

func NewSANDeprecatedChecker(counter *metrics.Counter) *missingSANChecker {
	return &missingSANChecker{
		counterRaiser: counterRaiser{
			counter: counter,
			id:      "missing-san",
			reason:  "relies on a legacy Common Name field instead of the SAN extension for subject validation",
		},
	}
}

// CheckRoundTripError returns true when we're running w/o GODEBUG=x509ignoreCN=0

	pod.Namespace = ns
	pod.Spec.ServiceAccountName = sa

	mesh := &meshconfig.MeshConfig{TrustDomain: "td.local"}

	san := SecureNamingSAN(pod, mesh)

	expectedSAN := fmt.Sprintf("spiffe://td.local/ns/%v/sa/%v", ns, sa)

	if san != expectedSAN {
		t.Fatalf("SAN match failed, SAN:%v  expectedSAN:%v", san, expectedSAN)
	}

# SAN Certificate Creation with OpenSSL

### Creating CA

```
openssl genrsa -out ca.key 2048

openssl req -new -x509 -days 3650 -key ca.key -subj "/C=US/ST=AZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
```

### Creating Server Certificate
```
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=US/ST=AZ/O=Acme, Inc./CN=*.com" -out server.csr
```

### Signing Certificate with CA
```

	ExtCAK8s CaExternalType = "ISTIOD_RA_KUBERNETES_API"

	// DefaultExtCACertDir : Location of external CA certificate
	DefaultExtCACertDir string = "./etc/external-ca-cert"
)

// ValidateCSR : Validate all SAN extensions in csrPEM match authenticated identities
func ValidateCSR(csrPEM []byte, subjectIDs []string) bool {
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return false
	}

	ttl := time.Hour
	cases := map[string]struct {
		certOptions  CertOptions
		verifyFields *VerifyFields
	}{
		// These certs are signed by the CA cert
		"RSA: Server cert with DNS SAN": {
			certOptions: CertOptions{
				Host:         "test_server.com",
				NotBefore:    notBefore,
				TTL:          ttl,
				SignerCert:   rsaCaCert,
				SignerPriv:   rsaCaPriv,
				Org:          "",

	tests := []struct {
		name            string
		serverCert      []byte
		counterIncrease bool
	}{
		{
			name:            "no SAN",
			serverCert:      serverCertNoSAN,
			counterIncrease: true,
		},
		{
			name:       "with SAN",
			serverCert: serverCert,
		},
	}

	// register the test metrics
	x509MissingSANCounter := metrics.NewCounter(&metrics.CounterOpts{Name: "Test_checkForHostnameError"})

# limitations under the License.

openssl req -new -newkey rsa:4096 -x509 -sha256 \
        -days 3650 -nodes -out cert.pem -keyout key.pem \
        -subj "/C=US/ST=Denial/L=Ether/O=Dis/CN=localhost/SAN=localhost" \
        -addext "subjectAltName = DNS:localhost"

openssl req -new -newkey rsa:4096 -x509 -sha256 \
        -days 3650 -nodes -out cert2.pem -keyout key2.pem \