[release-1.26] Add new CLI flag to enable TLS SAN CN filtering

[brandond]

Proposed Changes

Add new CLI flag to enable TLS SAN CN filtering.

Flag defaults to true on 1.28+, false on older branches.

Types of Changes

security, bugfix

Verification

See testing steps from #7312 - setting the flag to false should retain previous behavior.

Testing

Linked Issues

• [Release-1.26] - CA cert validation failure on additional server nodes prevents joining without explicitly configuring node-external-ip #8254

User-Facing Change

Added a new `--tls-san-security` option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.

Further Comments

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: -0.01% ⚠️

Comparison is base (bff646b) 19.49% compared to head (a2648f5) 19.49%.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.26    #8258      +/-   ##
================================================
- Coverage         19.49%   19.49%   -0.01%     
================================================
  Files                83       83              
  Lines              5601     5602       +1     
================================================
  Hits               1092     1092              
- Misses             4283     4284       +1     
  Partials            226      226              

Flag	Coverage Δ
unittests	19.49% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
pkg/cli/cmds/server.go	0.00% <ø> (ø)
pkg/cluster/https.go	0.00% <0.00%> (ø)
pkg/daemons/config/types.go	67.21% <ø> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.