multi-network: fix eastwest gateway endpoint filtering

[stevenctl]

I think this fixes/helps with #38704

Gateways care about server settings only (authn, and tlsMode labels) when doing this filtering.

We will filter out servers that we don't think accept mTLS (DISABLED or tlsMode: none). If a client somehow sent non-mTLS traffic, they would have to spoof SNI and then the server would deny them anyway.

[nmittler]

@stevenctl can you also update this test to include a Count > 1? This test passing in multi-network actually relies on Count==1, which is incredibly fragile.

[hzxuzhonghu]

It needs a test

[stevenctl]

Adjusted a test per @nmittler comment. His PR #37914 improves coverage much more.

[howardjohn]

I think this makes sense, will let the others that commented take a look as well

[stevenctl]

It needs a test

Nathan's PR added tests. This PR removed the need for the global DestinationRule

[hzxuzhonghu]

What;'s the behavior with tls disabled before and after? IIUC, for east-west gateway the cluster will include cluster local endpoints.

[stevenctl]

This makes it so TLS disabled in DR doesn't affect passthrough gateways (the endpoint will remain). That DR based filtering makes it so clients can't send plaintext that will inevitably fail since we require TLS/SNI.

If a server is plaintext, we still remove the endpoint from the gateway.

[stevenctl]

will include cluster local endpoints.

Network local, non plaintext endpoints.

[hzxuzhonghu]

Network local, non plaintext endpoints.

Looks good

[istio-testing]

In response to a cherrypick label: #38762 failed to apply on top of branch "release-1.13":

Applying: multi-network: prevent eastwest gateway endpoint filtering
Applying: rel note
Applying: skip check for 500s
Using index info to reconstruct a base tree...
A	pkg/test/framework/components/echo/check/checkers.go
Falling back to patching base and 3-way merge...
CONFLICT (add/add): Merge conflict in tests/integration/security/authorization_test.go
Auto-merging tests/integration/security/authorization_test.go
CONFLICT (modify/delete): pkg/test/framework/components/echo/check/checkers.go deleted in HEAD and modified in skip check for 500s. Version skip check for 500s of pkg/test/framework/components/echo/check/checkers.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0003 skip check for 500s
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

[istio-testing]

In response to a cherrypick label: new issue created for failed cherrypick: #39226

[istio-testing]

In response to a cherrypick label: #38762 failed to apply on top of branch "release-1.13":

Applying: multi-network: prevent eastwest gateway endpoint filtering
Applying: rel note
Applying: skip check for 500s
Using index info to reconstruct a base tree...
A	pkg/test/framework/components/echo/check/checkers.go
Falling back to patching base and 3-way merge...
CONFLICT (add/add): Merge conflict in tests/integration/security/authorization_test.go
Auto-merging tests/integration/security/authorization_test.go
CONFLICT (modify/delete): pkg/test/framework/components/echo/check/checkers.go deleted in HEAD and modified in skip check for 500s. Version skip check for 500s of pkg/test/framework/components/echo/check/checkers.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0003 skip check for 500s
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

[istio-testing]

In response to a cherrypick label: new issue created for failed cherrypick: #39227

[istio-testing]

In response to a cherrypick label: #38762 failed to apply on top of branch "release-1.14":

Applying: multi-network: prevent eastwest gateway endpoint filtering
Applying: rel note
Applying: skip check for 500s
Using index info to reconstruct a base tree...
Falling back to patching base and 3-way merge...
CONFLICT (add/add): Merge conflict in tests/integration/security/authorization_test.go
Auto-merging tests/integration/security/authorization_test.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0003 skip check for 500s
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

[istio-testing]

In response to a cherrypick label: new issue created for failed cherrypick: #39228

[istio-testing]

In response to a cherrypick label: #38762 failed to apply on top of branch "release-1.14":

Applying: multi-network: prevent eastwest gateway endpoint filtering
Applying: rel note
Applying: skip check for 500s
Using index info to reconstruct a base tree...
Falling back to patching base and 3-way merge...
CONFLICT (add/add): Merge conflict in tests/integration/security/authorization_test.go
Auto-merging tests/integration/security/authorization_test.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0003 skip check for 500s
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

[istio-testing]

In response to a cherrypick label: new issue created for failed cherrypick: #39229

[nmittler]

@stevenctl this seems to have broken TestAuthz_EgressGateway, leading to the flakes related to that test in #39255.

Specifically, calls will fail when they follow the path source->eastwest->egress->target. They fail in the east-west gateway, because there are no endpoints for the SNI route for the egress-gateway.

I tried forcibly adding a DR to the istio-system namespace:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: test-egress
  namespace: istio-system
spec:
  host: "istio-egressgateway.istio-system.svc.cluster.local"
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL

... but it had no effect (still no endpoints for the egress gateway SNI route).

I locally rolled back this change and it works fine.

[nmittler]

I opened #39330