From 3094619c84733caef53723bfc96fa63ceb58cd57 Mon Sep 17 00:00:00 2001
From: Andra Cismaru
Date: Tue, 5 Feb 2019 13:26:00 -0800
Subject: [PATCH] Add subject_alt_names field in ServiceEntry (#785)
* Add service_accounts field in ServiceEntry
* Ran make proto-commit
* Added example with format
* Rename to subject_alt_names
* Move example out of the message definition
* Added a period
* Remove hide_from_docs
---
networking/v1alpha3/destination_rule.pb.go | 2 +
networking/v1alpha3/destination_rule.proto | 2 +
.../istio.networking.v1alpha3.pb.html | 42 ++++-
networking/v1alpha3/service_entry.pb.go | 157 ++++++++++++++----
networking/v1alpha3/service_entry.proto | 34 ++++
proto.lock | 6 +
.../networking/v1alpha3/service_entry_pb2.py | 31 ++--
7 files changed, 228 insertions(+), 46 deletions(-)
diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go
index 1dd22cc9..229e1934 100644
--- a/networking/v1alpha3/destination_rule.pb.go
+++ b/networking/v1alpha3/destination_rule.pb.go
@@ -1228,6 +1228,8 @@ type TLSSettings struct {
// A list of alternate names to verify the subject identity in the
// certificate. If specified, the proxy will verify that the server
// certificate's subject alt name matches one of the specified values.
+ // If specified, this list overrides the value of subject_alt_names
+ // from the ServiceEntry.
SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames" json:"subject_alt_names,omitempty"`
// SNI string to present to the server during TLS handshake.
Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"`
diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto
index f622a267..ff7b277d 100644
--- a/networking/v1alpha3/destination_rule.proto
+++ b/networking/v1alpha3/destination_rule.proto
@@ -577,6 +577,8 @@ message TLSSettings {
// A list of alternate names to verify the subject identity in the
// certificate. If specified, the proxy will verify that the server
// certificate's subject alt name matches one of the specified values.
+ // If specified, this list overrides the value of subject_alt_names
+ // from the ServiceEntry.
repeated string subject_alt_names = 5;
// SNI string to present to the server during TLS handshake.
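Review bot: The added sentence says the list overrides the ServiceEntry value "if specified", but for a proto3 repeated field an empty list and an absent one are indistinguishable, so a reader cannot tell whether an empty DestinationRule list leaves the ServiceEntry's names in effect or clears the allowed set. The comment should state the rule explicitly, presumably `// If non-empty, this list overrides the value of subject_alt_names` / `// from the ServiceEntry; an empty list leaves the ServiceEntry's value in effect.` (confirm against the proxy's actual behaviour before wording it). Since this gives a DestinationRule author the ability to widen or narrow the secure-naming check for a service, it is worth saying that precedence is intentional. The same text is duplicated in the generated destination_rule.pb.go hunk and will follow from regeneration; the enclosing TLSSettings message starts and ends outside the hunk.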
diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
index e83d3b10..5f323058 100644
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
@@ -3386,6 +3386,32 @@ spec:
specified above. In other words, a call to http://foo.bar.com/baz would
be translated to http://uk.foo.bar.com/baz.
+The following example illustrates the usage of a ServiceEntry
+containing a subject alternate name
+whose format conforms to the SPIFEE standard
+https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md:
+
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: httpbin
+ namespace : httpbin-ns
+spec:
+ hosts:
+ - httpbin.com
+ location: MESH_INTERNAL
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ resolution: STATIC
+ endpoints:
+ - address: 2.2.2.2
+ - address: 3.3.3.3
+ subjectAltNames:
+ - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+
+
@@ -3465,6 +3491,18 @@ said port will be allowed (i.e. 0.0.0.0:).
|
One or more endpoints associated with the service.
+ |
+
+
+subjectAltNames |
+string[] |
+
+ The list of subject alternate names allowed for workloads that
+implement this service. This information is used to enforce
+secure-naming https://istio.io/docs/concepts/security/#secure-naming.
+If specified, the proxy will verify that the server
+certificate’s subject alternate name matches one of the specified values.
+
|
@@ -4193,7 +4231,9 @@ Should be empty if mode is ISTIO_MUTUAL.
A list of alternate names to verify the subject identity in the
certificate. If specified, the proxy will verify that the server
-certificate’s subject alt name matches one of the specified values.
+certificate’s subject alt name matches one of the specified values.
+If specified, this list overrides the value of subjectaltnames
+from the ServiceEntry.
|
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index b1125abe..fec62043 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -378,6 +378,33 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
// specified above. In other words, a call to `http://foo.bar.com/baz` would
// be translated to `http://uk.foo.bar.com/baz`.
//
+// The following example illustrates the usage of a ServiceEntry
+// containing a subject alternate name
+// whose format conforms to the SPIFEE standard
+// :
+//
+// ```yaml
+// apiVersion: networking.istio.io/v1alpha3
+// kind: ServiceEntry
+// metadata:
+// name: httpbin
+// namespace : httpbin-ns
+// spec:
+// hosts:
+// - httpbin.com
+// location: MESH_INTERNAL
+// ports:
+// - number: 80
+// name: http
+// protocol: HTTP
+// resolution: STATIC
+// endpoints:
+// - address: 2.2.2.2
+// - address: 3.3.3.3
+// subjectAltNames:
+// - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+// ```
+//
type ServiceEntry struct {
// REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
// name with wildcard prefix (external services only). DNS names in hosts
@@ -433,6 +460,12 @@ type ServiceEntry struct {
// the annotation "networking.istio.io/export_to" to a comma-separated list
// of namespace names.
ExportTo []string `protobuf:"bytes,7,rep,name=export_to,json=exportTo" json:"export_to,omitempty"`
+ // The list of subject alternate names allowed for workloads that
+ // implement this service. This information is used to enforce
+ // secure-naming .
+ // If specified, the proxy will verify that the server
+ // certificate's subject alternate name matches one of the specified values.
+ SubjectAltNames []string `protobuf:"bytes,8,rep,name=subject_alt_names,json=subjectAltNames" json:"subject_alt_names,omitempty"`
}
func (m *ServiceEntry) Reset() { *m = ServiceEntry{} }
@@ -489,6 +522,13 @@ func (m *ServiceEntry) GetExportTo() []string {
return nil
}
+func (m *ServiceEntry) GetSubjectAltNames() []string {
+ if m != nil {
+ return m.SubjectAltNames
+ }
+ return nil
+}
+
// Endpoint defines a network address (IP or hostname) associated with
// the mesh service.
type ServiceEntry_Endpoint struct {
@@ -684,6 +724,21 @@ func (m *ServiceEntry) MarshalTo(dAtA []byte) (int, error) {
i += copy(dAtA[i:], s)
}
}
+ if len(m.SubjectAltNames) > 0 {
+ for _, s := range m.SubjectAltNames {
+ dAtA[i] = 0x42
+ i++
+ l = len(s)
+ for l >= 1<<7 {
+ dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+ l >>= 7
+ i++
+ }
+ dAtA[i] = uint8(l)
+ i++
+ i += copy(dAtA[i:], s)
+ }
+ }
return i, nil
}
@@ -809,6 +864,12 @@ func (m *ServiceEntry) Size() (n int) {
n += 1 + l + sovServiceEntry(uint64(l))
}
}
+ if len(m.SubjectAltNames) > 0 {
+ for _, s := range m.SubjectAltNames {
+ l = len(s)
+ n += 1 + l + sovServiceEntry(uint64(l))
+ }
+ }
return n
}
@@ -1078,6 +1139,35 @@ func (m *ServiceEntry) Unmarshal(dAtA []byte) error {
}
m.ExportTo = append(m.ExportTo, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
+ case 8:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field SubjectAltNames", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowServiceEntry
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLengthServiceEntry
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.SubjectAltNames = append(m.SubjectAltNames, string(dAtA[iNdEx:postIndex]))
+ iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipServiceEntry(dAtA[iNdEx:])
@@ -1588,37 +1678,38 @@ var (
func init() { proto.RegisterFile("networking/v1alpha3/service_entry.proto", fileDescriptorServiceEntry) }
var fileDescriptorServiceEntry = []byte{
- // 497 bytes of a gzipped FileDescriptorProto
- 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0xdf, 0x6e, 0xd3, 0x30,
- 0x14, 0xc6, 0xe7, 0x66, 0x4b, 0x93, 0x33, 0x86, 0x82, 0x85, 0x90, 0x09, 0xa8, 0x84, 0xde, 0x10,
- 0x09, 0x29, 0x1d, 0x9d, 0x90, 0xc6, 0x9f, 0x9b, 0x01, 0x91, 0x98, 0x54, 0x02, 0xb8, 0xb9, 0x40,
- 0xdc, 0x54, 0xd9, 0x6a, 0xb5, 0xd6, 0xa2, 0x38, 0x8a, 0xbd, 0x96, 0xbe, 0x05, 0x8f, 0xc5, 0x25,
- 0x8f, 0x80, 0xfa, 0x18, 0x5c, 0xa1, 0x38, 0x49, 0xd3, 0x8b, 0x01, 0xdb, 0x5d, 0xce, 0x89, 0xbf,
- 0x9f, 0x3e, 0x9f, 0xef, 0x18, 0x9e, 0x64, 0x4c, 0x2d, 0x45, 0x71, 0xc1, 0xb3, 0xd9, 0x60, 0xf1,
- 0x2c, 0x49, 0xf3, 0x79, 0x72, 0x34, 0x90, 0xac, 0x58, 0xf0, 0x73, 0x36, 0x61, 0x99, 0x2a, 0x56,
- 0x41, 0x5e, 0x08, 0x25, 0xf0, 0x7d, 0x2e, 0x15, 0x17, 0x41, 0x7b, 0x3c, 0x68, 0x8e, 0xbb, 0x8f,
- 0xaf, 0x62, 0xcc, 0x12, 0xc5, 0x96, 0x49, 0xad, 0xee, 0xff, 0x36, 0xe1, 0xd6, 0xb8, 0xa2, 0x86,
- 0x25, 0x14, 0xdf, 0x85, 0xbd, 0xb9, 0x90, 0x4a, 0x12, 0xe4, 0x19, 0xbe, 0x4d, 0xab, 0x02, 0x3f,
- 0x04, 0x3b, 0x99, 0x4e, 0x0b, 0x26, 0x25, 0x93, 0xa4, 0xa3, 0xff, 0xb4, 0x0d, 0xfc, 0x1c, 0xf6,
- 0x72, 0x51, 0x28, 0x49, 0x0c, 0xcf, 0xf0, 0xf7, 0x87, 0x8f, 0x82, 0xbf, 0x5a, 0x0a, 0x3e, 0x89,
- 0x42, 0xd1, 0xea, 0x34, 0x1e, 0x81, 0x95, 0x8a, 0xf3, 0x44, 0x71, 0x91, 0x91, 0x5d, 0x0f, 0xf9,
- 0xb7, 0x87, 0x87, 0xff, 0x50, 0x6e, 0xbb, 0x0c, 0x46, 0xb5, 0x8e, 0x6e, 0x08, 0x98, 0x02, 0x14,
- 0x4c, 0x8a, 0xf4, 0x52, 0xf3, 0xf6, 0x34, 0x6f, 0x78, 0x5d, 0x1e, 0xdd, 0x28, 0xe9, 0x16, 0x05,
- 0x47, 0x60, 0xb3, 0x6c, 0x9a, 0x0b, 0x9e, 0x29, 0x49, 0x4c, 0x7d, 0xb9, 0x6b, 0x5b, 0x0c, 0x6b,
- 0x21, 0x6d, 0x11, 0xf8, 0x01, 0xd8, 0xec, 0x5b, 0x79, 0xf9, 0x89, 0x12, 0xa4, 0xab, 0xc7, 0x68,
- 0x55, 0x8d, 0x58, 0xb8, 0xdf, 0x0d, 0xb0, 0x1a, 0x11, 0x26, 0xd0, 0xad, 0xe7, 0x4b, 0x90, 0x87,
- 0x7c, 0x9b, 0x36, 0x25, 0xfe, 0xdc, 0x0c, 0xbb, 0xa3, 0xfd, 0xbc, 0xba, 0xa9, 0x1f, 0x1d, 0x81,
- 0xd4, 0xbd, 0x26, 0x88, 0x18, 0xcc, 0x34, 0x39, 0x63, 0x69, 0x13, 0xe0, 0xeb, 0x1b, 0x33, 0x47,
- 0x5a, 0x5e, 0x41, 0x6b, 0x56, 0x79, 0x85, 0x1a, 0xa0, 0xd3, 0xb5, 0x69, 0x53, 0x62, 0xb7, 0x0a,
- 0x3e, 0xe5, 0x6a, 0xa5, 0x83, 0xb2, 0xe9, 0xa6, 0xc6, 0xf7, 0xc0, 0x5c, 0x32, 0x3e, 0x9b, 0x2b,
- 0x62, 0x7a, 0xc8, 0x3f, 0xa0, 0x75, 0xe5, 0x1e, 0x03, 0xb4, 0xc6, 0xb1, 0x03, 0xc6, 0x05, 0x5b,
- 0xd5, 0xa3, 0x29, 0x3f, 0xcb, 0xbd, 0x5d, 0x24, 0xe9, 0x25, 0x23, 0x1d, 0x2d, 0xab, 0x8a, 0x97,
- 0x9d, 0x63, 0xe4, 0xbe, 0x80, 0xfd, 0x2d, 0x7b, 0xff, 0x93, 0xda, 0x5b, 0xd2, 0xfe, 0x21, 0x58,
- 0xcd, 0xa6, 0xe1, 0x3b, 0x70, 0xf0, 0x21, 0x1c, 0xbf, 0x9f, 0x84, 0x5f, 0xe2, 0x90, 0x46, 0x27,
- 0x23, 0x67, 0x67, 0xd3, 0x3a, 0x8d, 0xea, 0x16, 0xea, 0x3f, 0x05, 0x68, 0x77, 0x09, 0x5b, 0xb0,
- 0x1b, 0x7d, 0x8c, 0x42, 0x67, 0x07, 0x03, 0x98, 0xe3, 0xf8, 0x24, 0x3e, 0x7d, 0xeb, 0x20, 0xdc,
- 0x05, 0xe3, 0x5d, 0x34, 0x76, 0x3a, 0x6f, 0x82, 0x1f, 0xeb, 0x1e, 0xfa, 0xb9, 0xee, 0xa1, 0x5f,
- 0xeb, 0x1e, 0xfa, 0xea, 0x55, 0x43, 0xe7, 0x62, 0x90, 0xe4, 0x7c, 0x70, 0xc5, 0xd3, 0x3d, 0x33,
- 0xf5, 0x9b, 0x3d, 0xfa, 0x13, 0x00, 0x00, 0xff, 0xff, 0xbf, 0xab, 0x5c, 0x44, 0x1c, 0x04, 0x00,
- 0x00,
+ // 527 bytes of a gzipped FileDescriptorProto
+ 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0xdf, 0x8e, 0xd2, 0x40,
+ 0x14, 0xc6, 0x77, 0xe8, 0x52, 0xda, 0xb3, 0xae, 0xb2, 0x13, 0x63, 0x46, 0x34, 0x58, 0xb9, 0x91,
+ 0x68, 0x52, 0x56, 0x36, 0x26, 0xeb, 0x9f, 0x1b, 0xd4, 0x26, 0x6e, 0x82, 0x55, 0x07, 0x2e, 0x8c,
+ 0x37, 0x64, 0x80, 0x09, 0xd4, 0xad, 0x1d, 0xd2, 0x19, 0x40, 0xde, 0xc2, 0xa7, 0xf0, 0x59, 0xbc,
+ 0xf4, 0x11, 0x0c, 0x4f, 0x62, 0x3a, 0x9d, 0x02, 0x17, 0xab, 0xbb, 0x7b, 0xd7, 0x73, 0xe6, 0x7c,
+ 0xbf, 0x7e, 0x73, 0xce, 0x19, 0x78, 0x94, 0x70, 0xb5, 0x14, 0xe9, 0x79, 0x94, 0x4c, 0x5a, 0x8b,
+ 0xa7, 0x2c, 0x9e, 0x4d, 0xd9, 0x49, 0x4b, 0xf2, 0x74, 0x11, 0x8d, 0xf8, 0x80, 0x27, 0x2a, 0x5d,
+ 0xf9, 0xb3, 0x54, 0x28, 0x81, 0xef, 0x46, 0x52, 0x45, 0xc2, 0xdf, 0x96, 0xfb, 0x45, 0x79, 0xed,
+ 0xe1, 0x45, 0x8c, 0x09, 0x53, 0x7c, 0xc9, 0x8c, 0xba, 0xf1, 0xb3, 0x02, 0x37, 0x7a, 0x39, 0x35,
+ 0xc8, 0xa0, 0xf8, 0x36, 0x94, 0xa7, 0x42, 0x2a, 0x49, 0x90, 0x67, 0x35, 0x5d, 0x9a, 0x07, 0xf8,
+ 0x3e, 0xb8, 0x6c, 0x3c, 0x4e, 0xb9, 0x94, 0x5c, 0x92, 0x92, 0x3e, 0xd9, 0x26, 0xf0, 0x33, 0x28,
+ 0xcf, 0x44, 0xaa, 0x24, 0xb1, 0x3c, 0xab, 0x79, 0xd0, 0x7e, 0xe0, 0xff, 0xd3, 0x92, 0xff, 0x51,
+ 0xa4, 0x8a, 0xe6, 0xd5, 0xb8, 0x0b, 0x4e, 0x2c, 0x46, 0x4c, 0x45, 0x22, 0x21, 0xfb, 0x1e, 0x6a,
+ 0xde, 0x6c, 0x1f, 0xff, 0x47, 0xb9, 0xeb, 0xd2, 0xef, 0x1a, 0x1d, 0xdd, 0x10, 0x30, 0x05, 0x48,
+ 0xb9, 0x14, 0xf1, 0x5c, 0xf3, 0xca, 0x9a, 0xd7, 0xbe, 0x2a, 0x8f, 0x6e, 0x94, 0x74, 0x87, 0x82,
+ 0x43, 0x70, 0x79, 0x32, 0x9e, 0x89, 0x28, 0x51, 0x92, 0xd8, 0xfa, 0x72, 0x57, 0xb6, 0x18, 0x18,
+ 0x21, 0xdd, 0x22, 0xf0, 0x3d, 0x70, 0xf9, 0xf7, 0xec, 0xf2, 0x03, 0x25, 0x48, 0x45, 0xb7, 0xd1,
+ 0xc9, 0x13, 0x7d, 0x81, 0x1f, 0xc3, 0x91, 0x9c, 0x0f, 0xbf, 0xf2, 0x91, 0x1a, 0xb0, 0x58, 0x0d,
+ 0x12, 0xf6, 0x8d, 0x4b, 0xe2, 0xe8, 0xa2, 0x5b, 0xe6, 0xa0, 0x13, 0xab, 0x30, 0x4b, 0xd7, 0x7e,
+ 0x58, 0xe0, 0x14, 0x3f, 0xc0, 0x04, 0x2a, 0x66, 0x16, 0x04, 0x79, 0xa8, 0xe9, 0xd2, 0x22, 0xc4,
+ 0x9f, 0x8a, 0xc1, 0x94, 0xb4, 0xf7, 0x97, 0xd7, 0xf5, 0xae, 0xc7, 0x25, 0x75, 0xae, 0x18, 0x5a,
+ 0x1f, 0xec, 0x98, 0x0d, 0x79, 0x5c, 0x0c, 0xfb, 0xd5, 0xb5, 0x99, 0x5d, 0x2d, 0xcf, 0xa1, 0x86,
+ 0x95, 0x5d, 0xc1, 0x00, 0xf4, 0x26, 0xb8, 0xb4, 0x08, 0x71, 0x2d, 0x5f, 0x92, 0x38, 0x52, 0x2b,
+ 0x3d, 0x54, 0x97, 0x6e, 0x62, 0x7c, 0x07, 0xec, 0x25, 0x8f, 0x26, 0x53, 0x45, 0x6c, 0x0f, 0x35,
+ 0x0f, 0xa9, 0x89, 0x6a, 0xa7, 0x00, 0x5b, 0xe3, 0xb8, 0x0a, 0xd6, 0x39, 0x5f, 0x99, 0xd6, 0x64,
+ 0x9f, 0xd9, 0x8e, 0x2f, 0x58, 0x3c, 0xe7, 0xa4, 0xa4, 0x65, 0x79, 0xf0, 0xa2, 0x74, 0x8a, 0x6a,
+ 0xcf, 0xe1, 0x60, 0xc7, 0xde, 0x65, 0x52, 0x77, 0x47, 0xda, 0x38, 0x06, 0xa7, 0xd8, 0x4a, 0x7c,
+ 0x04, 0x87, 0xef, 0x83, 0xde, 0xbb, 0x41, 0xf0, 0xb9, 0x1f, 0xd0, 0xb0, 0xd3, 0xad, 0xee, 0x6d,
+ 0x52, 0x67, 0xa1, 0x49, 0xa1, 0xc6, 0x13, 0x80, 0xed, 0xde, 0x61, 0x07, 0xf6, 0xc3, 0x0f, 0x61,
+ 0x50, 0xdd, 0xc3, 0x00, 0x76, 0xaf, 0xdf, 0xe9, 0x9f, 0xbd, 0xa9, 0x22, 0x5c, 0x01, 0xeb, 0x6d,
+ 0xd8, 0xab, 0x96, 0x5e, 0xfb, 0xbf, 0xd6, 0x75, 0xf4, 0x7b, 0x5d, 0x47, 0x7f, 0xd6, 0x75, 0xf4,
+ 0xc5, 0xcb, 0x9b, 0x1e, 0x89, 0x16, 0x9b, 0x45, 0xad, 0x0b, 0x9e, 0xf9, 0xd0, 0xd6, 0xef, 0xfb,
+ 0xe4, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x10, 0x53, 0xa9, 0xc0, 0x48, 0x04, 0x00, 0x00,
}
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 63b9cb52..94d4e92a 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -299,6 +299,33 @@ option go_package = "istio.io/api/networking/v1alpha3";
// specified above. In other words, a call to `http://foo.bar.com/baz` would
// be translated to `http://uk.foo.bar.com/baz`.
//
+// The following example illustrates the usage of a ServiceEntry
+// containing a subject alternate name
+// whose format conforms to the SPIFEE standard
+// :
+//
+// ```yaml
+// apiVersion: networking.istio.io/v1alpha3
+// kind: ServiceEntry
+// metadata:
+// name: httpbin
+// namespace : httpbin-ns
+// spec:
+// hosts:
+// - httpbin.com
+// location: MESH_INTERNAL
+// ports:
+// - number: 80
+// name: http
+// protocol: HTTP
+// resolution: STATIC
+// endpoints:
+// - address: 2.2.2.2
+// - address: 3.3.3.3
+// subjectAltNames:
+// - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+// ```
+//
message ServiceEntry {
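Review bot: The new example comment misspells the standard as "SPIFEE" on the line `// whose format conforms to the SPIFEE standard`; it should read `SPIFFE`, matching the `spiffe://` scheme used in the example itself. The next line, `// :`, and the later `// secure-naming .` in the field comment read as though a link was dropped before the punctuation; if a URL is intended there it should appear on the line, otherwise the stray colon and period should go. The YAML line `// namespace : httpbin-ns` also carries a space before the colon, which is unusual in the rest of the example and in the project's other examples. These same lines are reproduced in the generated service_entry.pb.go and istio.networking.v1alpha3.pb.html hunks, so fixing them here and regenerating covers all three.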
// REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
// name with wildcard prefix (external services only). DNS names in hosts
@@ -461,4 +488,11 @@ message ServiceEntry {
// the annotation "networking.istio.io/export_to" to a comma-separated list
// of namespace names.
repeated string export_to = 7;
+
+ // The list of subject alternate names allowed for workloads that
+ // implement this service. This information is used to enforce
+ // secure-naming .
+ // If specified, the proxy will verify that the server
+ // certificate's subject alternate name matches one of the specified values.
+ repeated string subject_alt_names = 8;
}
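Review bot: The field comment for `subject_alt_names` describes the check the proxy performs but not how it interacts with a DestinationRule, even though this commit documents on the DestinationRule side that `TLSSettings.subject_alt_names` overrides this list; the precedence should be visible from the ServiceEntry side too, e.g. `// A non-empty TLSSettings.subject_alt_names in a DestinationRule for this` / `// host takes precedence over this list.` It would also help to say what an empty list means for secure naming (presumably no identity constraint beyond what is configured elsewhere; confirm before documenting), since that is the value every existing ServiceEntry will carry after this change. The format of the entries (the example uses a SPIFFE ID) is not stated in the field comment itself, so a short note that the values are matched as exact strings against the certificate's SAN entries, if that is the behaviour, would remove the guesswork.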
diff --git a/proto.lock b/proto.lock
index 18877af3..408a2f7f 100644
--- a/proto.lock
+++ b/proto.lock
@@ -3455,6 +3455,12 @@
"name": "export_to",
"type": "string",
"is_repeated": true
+ },
+ {
+ "id": 8,
+ "name": "subject_alt_names",
+ "type": "string",
+ "is_repeated": true
}
],
"messages": [
diff --git a/python/istio_api/networking/v1alpha3/service_entry_pb2.py b/python/istio_api/networking/v1alpha3/service_entry_pb2.py
index 98a378aa..c7040432 100644
--- a/python/istio_api/networking/v1alpha3/service_entry_pb2.py
+++ b/python/istio_api/networking/v1alpha3/service_entry_pb2.py
@@ -20,7 +20,7 @@ DESCRIPTOR = _descriptor.FileDescriptor(
name='networking/v1alpha3/service_entry.proto',
package='istio.networking.v1alpha3',
syntax='proto3',
- serialized_pb=_b('\n\'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a!networking/v1alpha3/gateway.proto\"\xeb\x05\n\x0cServiceEntry\x12\r\n\x05hosts\x18\x01 \x03(\t\x12\x11\n\taddresses\x18\x02 \x03(\t\x12.\n\x05ports\x18\x03 \x03(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x42\n\x08location\x18\x04 \x01(\x0e\x32\x30.istio.networking.v1alpha3.ServiceEntry.Location\x12\x46\n\nresolution\x18\x05 \x01(\x0e\x32\x32.istio.networking.v1alpha3.ServiceEntry.Resolution\x12\x43\n\tendpoints\x18\x06 \x03(\x0b\x32\x30.istio.networking.v1alpha3.ServiceEntry.Endpoint\x12\x11\n\texport_to\x18\x07 \x03(\t\x1a\xc5\x02\n\x08\x45ndpoint\x12\x0f\n\x07\x61\x64\x64ress\x18\x01 \x01(\t\x12J\n\x05ports\x18\x02 \x03(\x0b\x32;.istio.networking.v1alpha3.ServiceEntry.Endpoint.PortsEntry\x12L\n\x06labels\x18\x03 \x03(\x0b\x32<.istio.networking.v1alpha3.ServiceEntry.Endpoint.LabelsEntry\x12\x0f\n\x07network\x18\x04 \x01(\t\x12\x10\n\x08locality\x18\x05 \x01(\t\x12\x0e\n\x06weight\x18\x06 \x01(\r\x1a,\n\nPortsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\r:\x02\x38\x01\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"0\n\x08Location\x12\x11\n\rMESH_EXTERNAL\x10\x00\x12\x11\n\rMESH_INTERNAL\x10\x01\"+\n\nResolution\x12\x08\n\x04NONE\x10\x00\x12\n\n\x06STATIC\x10\x01\x12\x07\n\x03\x44NS\x10\x02\x42\"Z istio.io/api/networking/v1alpha3b\x06proto3')
+ serialized_pb=_b('\n\'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a!networking/v1alpha3/gateway.proto\"\x86\x06\n\x0cServiceEntry\x12\r\n\x05hosts\x18\x01 \x03(\t\x12\x11\n\taddresses\x18\x02 \x03(\t\x12.\n\x05ports\x18\x03 \x03(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x42\n\x08location\x18\x04 \x01(\x0e\x32\x30.istio.networking.v1alpha3.ServiceEntry.Location\x12\x46\n\nresolution\x18\x05 \x01(\x0e\x32\x32.istio.networking.v1alpha3.ServiceEntry.Resolution\x12\x43\n\tendpoints\x18\x06 \x03(\x0b\x32\x30.istio.networking.v1alpha3.ServiceEntry.Endpoint\x12\x11\n\texport_to\x18\x07 \x03(\t\x12\x19\n\x11subject_alt_names\x18\x08 \x03(\t\x1a\xc5\x02\n\x08\x45ndpoint\x12\x0f\n\x07\x61\x64\x64ress\x18\x01 \x01(\t\x12J\n\x05ports\x18\x02 \x03(\x0b\x32;.istio.networking.v1alpha3.ServiceEntry.Endpoint.PortsEntry\x12L\n\x06labels\x18\x03 \x03(\x0b\x32<.istio.networking.v1alpha3.ServiceEntry.Endpoint.LabelsEntry\x12\x0f\n\x07network\x18\x04 \x01(\t\x12\x10\n\x08locality\x18\x05 \x01(\t\x12\x0e\n\x06weight\x18\x06 \x01(\r\x1a,\n\nPortsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\r:\x02\x38\x01\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"0\n\x08Location\x12\x11\n\rMESH_EXTERNAL\x10\x00\x12\x11\n\rMESH_INTERNAL\x10\x01\"+\n\nResolution\x12\x08\n\x04NONE\x10\x00\x12\n\n\x06STATIC\x10\x01\x12\x07\n\x03\x44NS\x10\x02\x42\"Z istio.io/api/networking/v1alpha3b\x06proto3')
,
dependencies=[networking_dot_v1alpha3_dot_gateway__pb2.DESCRIPTOR,])
@@ -43,8 +43,8 @@ _SERVICEENTRY_LOCATION = _descriptor.EnumDescriptor(
],
containing_type=None,
options=None,
- serialized_start=760,
- serialized_end=808,
+ serialized_start=787,
+ serialized_end=835,
)
_sym_db.RegisterEnumDescriptor(_SERVICEENTRY_LOCATION)
@@ -69,8 +69,8 @@ _SERVICEENTRY_RESOLUTION = _descriptor.EnumDescriptor(
],
containing_type=None,
options=None,
- serialized_start=810,
- serialized_end=853,
+ serialized_start=837,
+ serialized_end=880,
)
_sym_db.RegisterEnumDescriptor(_SERVICEENTRY_RESOLUTION)
@@ -108,8 +108,8 @@ _SERVICEENTRY_ENDPOINT_PORTSENTRY = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
- serialized_start=667,
- serialized_end=711,
+ serialized_start=694,
+ serialized_end=738,
)
_SERVICEENTRY_ENDPOINT_LABELSENTRY = _descriptor.Descriptor(
@@ -145,8 +145,8 @@ _SERVICEENTRY_ENDPOINT_LABELSENTRY = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
- serialized_start=713,
- serialized_end=758,
+ serialized_start=740,
+ serialized_end=785,
)
_SERVICEENTRY_ENDPOINT = _descriptor.Descriptor(
@@ -210,8 +210,8 @@ _SERVICEENTRY_ENDPOINT = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
- serialized_start=433,
- serialized_end=758,
+ serialized_start=460,
+ serialized_end=785,
)
_SERVICEENTRY = _descriptor.Descriptor(
@@ -270,6 +270,13 @@ _SERVICEENTRY = _descriptor.Descriptor(
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
options=None, file=DESCRIPTOR),
+ _descriptor.FieldDescriptor(
+ name='subject_alt_names', full_name='istio.networking.v1alpha3.ServiceEntry.subject_alt_names', index=7,
+ number=8, type=9, cpp_type=9, label=3,
+ has_default_value=False, default_value=[],
+ message_type=None, enum_type=None, containing_type=None,
+ is_extension=False, extension_scope=None,
+ options=None, file=DESCRIPTOR),
],
extensions=[
],
@@ -285,7 +292,7 @@ _SERVICEENTRY = _descriptor.Descriptor(
oneofs=[
],
serialized_start=106,
- serialized_end=853,
+ serialized_end=880,
)
_SERVICEENTRY_ENDPOINT_PORTSENTRY.containing_type = _SERVICEENTRY_ENDPOINT