fix : make ambient work with intermidiary certs

[yuval-k]

make the test certs logic resemble more what the control plane does, and add a test that the certs loaded correctly.

This solves two problems:

• If the cert-chain has multiple certs. using stack_from_pem instead of from_pem solves that.
• Sometimes the user might add the root cert to the chain as well. While technically a user error , we should be forgiving, to prevent user frustration. So I added dedup_by that removes to adjacent certs that are the same.

Fixes istio/istio#46995.

[istio-policy-bot]

😊 Welcome @yuval-k! This is either your first contribution to the Istio ztunnel repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[istio-testing]

Hi @yuval-k. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[linsun]

/ok-to-test

[hzxuzhonghu]

do we need to dedup, when can this happen

[yuval-k]

I mentioned that in the PR description

Sometimes the user might add the root cert to the chain as well. While technically a user error , we should be forgiving, to prevent user frustration. So I added dedup_by that removes to adjacent certs that are the same.

[yuval-k]

note that if you don't dedupe them you get this error:

tls error: invalid operation: ErrorStack([Error { code: 184549481, library: "X.509 certificate routines", function: "OPENSSL_internal", reason: "CERT_ALREADY_IN_HASH_TABLE", file: "../crypto/x509/x509_lu.c", line: 356 }])

[dhawton]

/cherry-pick release-1.19

[istio-testing]

@dhawton: #680 failed to apply on top of branch "release-1.19":

Applying: fix istio/istio#46995 - work with intermidiary certs
Using index info to reconstruct a base tree...
M	src/tls/boring.rs
Falling back to patching base and 3-way merge...
Auto-merging src/tls/boring.rs
CONFLICT (content): Merge conflict in src/tls/boring.rs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 fix istio/istio#46995 - work with intermidiary certs
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[istio-testing]

@dhawton: new issue created for failed cherrypick: #687

In response to this:

/cherry-pick release-1.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.