authn: include trust domains from cacertificates in san validator

This CL includes the trust domains from the meshConfig caCertificates
in the SAN validator. Without this change, we need to completely
disable that validation with the PILOT_SKIP_VALIDATE_TRUST_DOMAIN env
var. Backported from: istio#43536.

Change-Id: If5e791b23d0ced48000995ac45ebcbdffd3447d4
Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/4471
Reviewed-by: Ying Zhu <ying.zhu@airbnb.com>

pilot/pkg/networking/plugin/authn/util.go

@@ -26,6 +26,9 @@ func TrustDomainsForValidation(meshConfig *meshconfig.MeshConfig) []string {
 	}
 
 	tds := append([]string{meshConfig.TrustDomain}, meshConfig.TrustDomainAliases...)
+	for _, cacert := range meshConfig.GetCaCertificates() {
+		tds = append(tds, cacert.GetTrustDomains()...)
+	}
 	return dedupTrustDomains(tds)
 }
 

pilot/pkg/networking/plugin/authn/util_test.go

@@ -60,6 +60,26 @@ func TestTrustDomainsForValidation(t *testing.T) {
 			},
 			want: []string{"cluster.local", "alias-1.domain", "alias-2.domain", "some-other-alias-1.domain"},
 		},
+		{
+			name: "Extra trust domains in mesh config caCertificates",
+			meshConfig: &meshconfig.MeshConfig{
+				TrustDomain: "cluster.local",
+				CaCertificates: []*meshconfig.MeshConfig_CertificateData{
+					{
+						TrustDomains: []string{
+							"external-1.domain",
+						},
+					},
+					{
+						TrustDomains: []string{
+							"external-2.domain",
+							"external-3.domain",
+						},
+					},
+				},
+			},
+			want: []string{"cluster.local", "external-1.domain", "external-2.domain", "external-3.domain"},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

releasenotes/notes/add_trust_domans_san_validator.yaml

@@ -0,0 +1,10 @@
+apiVersion: release-notes/v2
+kind: feature
+area: security
+
+issue:
+ - https://github.com/istio/istio/issues/41666
+
+releaseNotes:
+  - |
+    **Added** support for pushing additional federated trust domains from caCertificates to the peer SAN validator.