feat(meshexternalservice): add servername (#10445)

Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>

app/kumactl/cmd/install/testdata/install-control-plane.defaults.golden.yaml

@@ -427,6 +427,10 @@ spec:
                         - Secured
                         - SkipAll
                         type: string
+                      serverName:
+                        description: ServerName overrides the default Server Name
+                          Indicator set by Kuma.
+                        type: string
                       subjectAltNames:
                         description: SubjectAltNames list of names to verify in the
                           certificate.

app/kumactl/cmd/install/testdata/install-control-plane.gateway-api-present.yaml

@@ -427,6 +427,10 @@ spec:
                         - Secured
                         - SkipAll
                         type: string
+                      serverName:
+                        description: ServerName overrides the default Server Name
+                          Indicator set by Kuma.
+                        type: string
                       subjectAltNames:
                         description: SubjectAltNames list of names to verify in the
                           certificate.

app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml

@@ -447,6 +447,10 @@ spec:
                         - Secured
                         - SkipAll
                         type: string
+                      serverName:
+                        description: ServerName overrides the default Server Name
+                          Indicator set by Kuma.
+                        type: string
                       subjectAltNames:
                         description: SubjectAltNames list of names to verify in the
                           certificate.

app/kumactl/cmd/install/testdata/install-crds.all.golden.yaml

@@ -2026,6 +2026,10 @@ spec:
                         - Secured
                         - SkipAll
                         type: string
+                      serverName:
+                        description: ServerName overrides the default Server Name
+                          Indicator set by Kuma.
+                        type: string
                       subjectAltNames:
                         description: SubjectAltNames list of names to verify in the
                           certificate.

deployments/charts/kuma/crds/kuma.io_meshexternalservices.yaml

@@ -180,6 +180,10 @@ spec:
                         - Secured
                         - SkipAll
                         type: string
+                      serverName:
+                        description: ServerName overrides the default Server Name
+                          Indicator set by Kuma.
+                        type: string
                       subjectAltNames:
                         description: SubjectAltNames list of names to verify in the
                           certificate.

docs/generated/raw/crds/kuma.io_meshexternalservices.yaml

@@ -180,6 +180,10 @@ spec:
                         - Secured
                         - SkipAll
                         type: string
+                      serverName:
+                        description: ServerName overrides the default Server Name
+                          Indicator set by Kuma.
+                        type: string
                       subjectAltNames:
                         description: SubjectAltNames list of names to verify in the
                           certificate.

pkg/core/resources/apis/meshexternalservice/api/v1alpha1/meshexternalservice.go

@@ -127,6 +127,8 @@ type Verification struct {
 	// Mode defines if proxy should skip verification, one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default `Secured`.
 	// +kubebuilder:default=Secured
 	Mode *VerificationMode `json:"mode,omitempty"`
+	// ServerName overrides the default Server Name Indicator set by Kuma.
+	ServerName *string `json:"serverName,omitempty"`
 	// SubjectAltNames list of names to verify in the certificate.
 	SubjectAltNames *[]SANMatch `json:"subjectAltNames,omitempty"`
 	// CaCert defines a certificate of CA.

pkg/core/resources/apis/meshexternalservice/api/v1alpha1/schema.yaml

@@ -139,6 +139,9 @@ properties:
                   - Secured
                   - SkipAll
                 type: string
+              serverName:
+                description: ServerName overrides the default Server Name Indicator set by Kuma.
+                type: string
               subjectAltNames:
                 description: SubjectAltNames list of names to verify in the certificate.
                 items:

pkg/core/resources/apis/meshexternalservice/api/v1alpha1/testdata/full-invalid.input.yaml

@@ -15,6 +15,7 @@ tls:
     min: TLS15
     max: TLS16
   verification:
+    serverName: not[]valid
     mode: Unknown
     subjectAltNames:
       - type: Regex

pkg/core/resources/apis/meshexternalservice/api/v1alpha1/testdata/full-invalid.output.yaml

@@ -19,6 +19,8 @@ violations:
   message: '"min" must be one of ["TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"]'
 - field: spec.tls.version.max
   message: '"max" must be one of ["TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"]'
+- field: spec.tls.verification.serverName
+  message: must be a valid DNS name
 - field: spec.tls.verification.mode
   message: '"mode" must be one of ["SkipSAN", "SkipCA", "SkipAll", "Secured"]'
 - field: spec.tls.verification.subjectAltNames[0].type

pkg/core/resources/apis/meshexternalservice/api/v1alpha1/testdata/full-without-extension-valid.input.yaml

@@ -14,6 +14,7 @@ tls:
     max: TLS13
   allowRenegotiation: false
   verification:
+    serverName: "example.com"
     subjectAltNames:
       - type: Exact
         value: example.com

pkg/core/resources/apis/meshexternalservice/api/v1alpha1/validator.go

@@ -50,6 +50,9 @@ func validateTls(tls *Tls) validators.ValidationError {
 
 	if tls.Verification != nil {
 		path := validators.RootedAt("verification")
+		if tls.Verification.ServerName != nil && !govalidator.IsDNSName(*tls.Verification.ServerName) {
+			verr.AddViolationAt(path.Field("serverName"), "must be a valid DNS name")
+		}
 		if tls.Verification.Mode != nil {
 			if !slices.Contains(allVerificationModes, string(*tls.Verification.Mode)) {
 				verr.AddErrorAt(path.Field("mode"), validators.MakeFieldMustBeOneOfErr("mode", allVerificationModes...))

pkg/core/resources/apis/meshexternalservice/k8s/crd/kuma.io_meshexternalservices.yaml

@@ -180,6 +180,10 @@ spec:
                         - Secured
                         - SkipAll
                         type: string
+                      serverName:
+                        description: ServerName overrides the default Server Name
+                          Indicator set by Kuma.
+                        type: string
                       subjectAltNames:
                         description: SubjectAltNames list of names to verify in the
                           certificate.