Add details about auto_san_validation behavior (#15847)

* Add details about auto_san_validation behavior Signed-off-by: Faseela K <faseela.k@est.tech> * replace warning with tip Signed-off-by: Faseela K <faseela.k@est.tech> --------- Signed-off-by: Faseela K <faseela.k@est.tech>
2024-11-05 09:25:41 +01:00 · 2024-11-05 09:25:41 +01:00 · 76e8cb86a5
parent 042d0895d5
commit 76e8cb86a5
4 changed files with 15 additions and 2 deletions
--- a/content/en/boilerplates/auto-san-validation.md
+++ b/content/en/boilerplates/auto-san-validation.md
@ -0,0 +1,5 @@
+---
+---
+{{< tip >}}
+Istio has `auto_sni` and `auto_san_validation` enabled by default. This means, whenever there is no explicit `sni` set in your `DestinationRule`, transport socket SNI for new upstream connections will be set based on the downstream HTTP host/authority header. If there are no `subjectAltNames` set in the `DestinationRule` when `sni` is unset, `auto_san_validation` will kick in, and the upstream-presented certificate for new upstream connections will be automatically validated based on the downstream HTTP host/authority header.
+{{< /tip >}}
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
@ -904,6 +904,8 @@ EOF

 {{< /tabset >}}

+{{< boilerplate auto-san-validation >}}
+
 5)  Verify that the credential is supplied to the egress gateway and active:

 {{< tabset category-name="config-api" >}}
--- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md
@ -449,13 +449,17 @@ to hold the configuration of the NGINX server:
          tls:
            mode: MUTUAL
            credentialName: client-credential # this must match the secret created earlier to hold client certs, and works only when DR has a workloadSelector
-            sni: my-nginx.mesh-external.svc.cluster.local # this is optional
+            sni: my-nginx.mesh-external.svc.cluster.local
+            # subjectAltNames: # can be enabled if the certificate was generated with SAN as specified in previous section
+            # - my-nginx.mesh-external.svc.cluster.local
    EOF
    {{< /text >}}

    The above `DestinationRule` will perform mTLS origination for HTTP requests on port 80 and the `ServiceEntry`
    will then redirect the requests on port 80 to target port 443.

+    {{< boilerplate auto-san-validation >}}
+
 1.  Verify that the credential is supplied to the sidecar and active.

    {{< text bash >}}
--- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh
@ -286,7 +286,9 @@ spec:
      tls:
        mode: MUTUAL
        credentialName: client-credential # this must match the secret created earlier to hold client certs, and works only when DR has a workloadSelector
-        sni: my-nginx.mesh-external.svc.cluster.local # this is optional
+        sni: my-nginx.mesh-external.svc.cluster.local
+        # subjectAltNames: # can be enabled if the certificate was generated with SAN as specified in previous section
+        # - my-nginx.mesh-external.svc.cluster.local
 EOF
 }