OSSM-755: Fix TLS certs used in tests for feature security.egress.tls

Integration tests for feature `security.egress.tls.*` were failing,
because of failing TLS handshake with an alert message "UNKNOWN CA (48)".
The reason of this failure is that certificates used in these tests
don't pass verification when OpenSSL 1.1.1k or higher is used.
Those certificates pass verification on Ubuntu 20.04 which delivers
OpenSSL 1.1.1f  31 Mar 2020, but do not pass on CentOS Stream 8
or RHEL 8.6 which deliver OpenSSL 1.1.1k  FIPS 25 Mar 2021.

I noticed that root-cert.pem and cert-chain.pem had specified
the same common name, so as a workaround I added SAN as a prefix
to CN in the cert-chain.pem.

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

tests/integration/security/egress_gateway_origination_test.go

@@ -45,8 +45,6 @@ import (
 // TestSimpleTlsOrigination test SIMPLE TLS mode with TLS origination happening at Gateway proxy
 // It uses CredentialName set in DestinationRule API to fetch secrets from k8s API server
 func TestSimpleTlsOrigination(t *testing.T) {
-	// FIXME: https://issues.redhat.com/browse/OSSM-755
-	t.Skip("https://github.com/istio/istio/issues/0")
 	framework.NewTest(t).
 		RequiresSingleNetwork(). // https://github.com/istio/istio/issues/37134
 		Features("security.egress.tls.sds").
@@ -117,8 +115,6 @@ func TestSimpleTlsOrigination(t *testing.T) {
 // TestMutualTlsOrigination test MUTUAL TLS mode with TLS origination happening at Gateway proxy
 // It uses CredentialName set in DestinationRule API to fetch secrets from k8s API server
 func TestMutualTlsOrigination(t *testing.T) {
-	// FIXME: https://issues.redhat.com/browse/OSSM-755
-	t.Skip("https://github.com/istio/istio/issues/0")
 	framework.NewTest(t).
 		RequiresSingleNetwork(). // https://github.com/istio/istio/issues/37134
 		Features("security.egress.mtls.sds").

tests/integration/security/filebased_tls_origination/destination_rule_tls_test.go

@@ -44,8 +44,6 @@ func mustReadFile(t framework.TestContext, f string) string {
 // TestDestinationRuleTls tests that MUTUAL tls mode is respected in DestinationRule.
 // This sets up a client and server with appropriate cert config and ensures we can successfully send a message.
 func TestDestinationRuleTls(t *testing.T) {
-	// FIXME: https://issues.redhat.com/browse/OSSM-755
-	t.Skip("https://github.com/istio/istio/issues/0")
 	framework.
 		NewTest(t).
 		Features("security.egress.tls.filebased").

tests/integration/security/filebased_tls_origination/egress_gateway_origination_test.go

@@ -59,8 +59,6 @@ func mustReadCert(t framework.TestContext, f string) string {
 // This test brings up an egress gateway to originate TLS connection. The test will ensure that requests
 // are routed securely through the egress gateway and that the TLS origination happens at the gateway.
 func TestEgressGatewayTls(t *testing.T) {
-	// FIXME: https://issues.redhat.com/browse/OSSM-755
-	t.Skip("https://github.com/istio/istio/issues/0")
 	framework.NewTest(t).
 		Features("security.egress.tls.filebased").
 		Run(func(t framework.TestContext) {

tests/testdata/certs/dns/cert-chain.pem

@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDGDCCAgCgAwIBAgIUBR8+06vaC2wEuBS4nO31AV7GsNAwDQYJKoZIhvcNAQEL
-BQAwGDEWMBQGA1UEAwwNY2x1c3Rlci5sb2NhbDAgFw0yMjAzMTAyMTU1NTZaGA8y
-Mjk1MTIyNDIxNTU1NlowGDEWMBQGA1UEAwwNY2x1c3Rlci5sb2NhbDCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBANVt8zppMJNiG+xHEMx9cTtaZPxtk+SV
-v9PhsjUE9P/YPbdGjwRMr4DBdhXAWLL6RhjatxWTV3M1Qo5gmJaR+SdazD7wVILx
-OJDX1scY3WxLlnCIzxEgSXItJDYy3zqPFFlrcW2Y65Twn6SPSON4SnRxSAzwdCXP
-THeQO86mHWg0rHC65tUO6A2SwTGzQJfjGYdTLCV1d2XGEpll3OwDeHPo3lbyf8HF
-4mOLB9m3q6RhtNxQxu5ZGf4lBrwzWNS4sdgZPN5anQGoHCs7MJWWKktBdKdwJX9N
-NGNxwxFuZeMwNLtb+w6oxsCEZS2fBpvmykkafdYuA3FOemYG6VCmbfsCAwEAAaNY
-MFYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG
-CCsGAQUFBwMBMB0GA1UdEQQWMBSCEnNlcnZlci5kZWZhdWx0LnN2YzANBgkqhkiG
-9w0BAQsFAAOCAQEARIY+Cp06hwJBehFbIwhFKq/yRyfYmYYXKWI/X8zNr2XFWt58
-TJy4ZBxomDLtwbGJJGddpy5t7FwkvmXs4ESK2h8hOcv/+aDJqP1BBDcNFgfIvyP4
-0WxxO4SQ14ln7qw7IvKUD5jbDEnhuj4BGMTmN/Yp/KnMrVooTCKbawYHURWcLKnz
-GciP+kyHg0QHlNLI1H5Q7DDTJ9sHhmSKR5okxXV87Awawt2GYkQkmFYtKsKHkedH
-XX9zHotzcZhoPosY0g2adnJ28NiVaxEAuw2eZBlLP4XSFXBPomq/zqv6NEiDWsDY
-6Pr5s/KpQ4qYGKOxWxHJMBh8m0fS5WsFgAl19Q==
+MIIDKzCCAhOgAwIBAgIUG18xx9CyNsDIZcgFBdrbxFxqIxswDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2x1c3Rlci5sb2NhbDAgFw0yMjEwMTkwOTU4NTFaGA8y
+Mjk2MDgwMzA5NTg1MVowKzEpMCcGA1UEAwwgc2VydmVyLmRlZmF1bHQuc3ZjLmNs
+dXN0ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4E4o3
+GwItAFrIWNz0ps/LZxm6iBn8G/67urLIxzlJldE2wnVsj5Bsmn5Jw4s+JcA1119e
+5D++7f5nYaEmjwWduSBchmP/hm4Fwd0k7FMn2Wgl3p/0HVSNmFtbXYPWLY/Ik7nO
+KE9XonCHaSsl4JBNYRTgfL3dmeT32fjuWsV4YvzZX7+f3YCgWG+fiS4Up1hAxKVU
+x05PDh9zgtGr5Y4WXJ7ZVcp2cad7VSuUU06/nrdG7pmx0rU3vPXjDuoaoZmqE2Tb
+TQq9NbLTClXwqs1lRJwjbCYzCi5DCxOPbeerfRDMcLsxKeEy7otduVJ7upVFWqqL
+S3Xmh2DX7k2W7cE/AgMBAAGjWDBWMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0G
+A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHREEFjAUghJzZXJ2ZXIu
+ZGVmYXVsdC5zdmMwDQYJKoZIhvcNAQELBQADggEBAAjrBUnVrCfTEoDd4nxCfm06
+y/lQy1jQr85wDajibIMP0AUr8rWqcnyHYPTwhT4T9M8baTr/SW/aGlH+WCzFLPQX
+VfCphOka6mzcd9NSjM4TAaiCovfmc/eD05W1ec2PJtSXk6QREIyt1JliNSXMdoqg
+eQKgftWSxHTpl52FY/pfGuGJh45gURzzyPxQVhHxnmr1LLKB+g32ROzW5UljaMQg
+RKMQhpK32DEUGiRoho7rTbXd3sBn7yKaaMc/+kcV7ONImUCIMhMXQuRp6LSxnsOH
+7tuOTsuLRqPVT6jUJmRj9Lm9Ui9KGpy7bBkCOAyGqC2SINntUJ1lF9E1/rsY1vs=
 -----END CERTIFICATE-----

tests/testdata/certs/dns/key.pem

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1W3zOmkwk2Ib7EcQzH1xO1pk/G2T5JW/0+GyNQT0/9g9t0aP
-BEyvgMF2FcBYsvpGGNq3FZNXczVCjmCYlpH5J1rMPvBUgvE4kNfWxxjdbEuWcIjP
-ESBJci0kNjLfOo8UWWtxbZjrlPCfpI9I43hKdHFIDPB0Jc9Md5A7zqYdaDSscLrm
-1Q7oDZLBMbNAl+MZh1MsJXV3ZcYSmWXc7AN4c+jeVvJ/wcXiY4sH2berpGG03FDG
-7lkZ/iUGvDNY1Lix2Bk83lqdAagcKzswlZYqS0F0p3Alf000Y3HDEW5l4zA0u1v7
-DqjGwIRlLZ8Gm+bKSRp91i4DcU56ZgbpUKZt+wIDAQABAoIBADxMuC+EkKjTSzhS
-S7i6qEcwnt+CxgoLFQtz9LluERpHqggh8z4vvFYQUqCKm4TVmQBkqt15p3dxUMCR
-IgtIarBnwtT1aaslI+ooURInQEfcg0CAJqCcEqQjhNubO957ljA9XuqsDcMiyLfh
-k6JQ1hhX+RdOyEH2c5BEO+GCpURPOT+gynkyzbBrdAlwOPi2juxR5p+Kpuj5REkv
-g0zEHNdF1DZD3j/xGRss6oeaZMFej15CIEDCnlBqsIOonDV+Ss395LaeBBnV9EO8
-B9PPcFlR7SJJpikaq2AWnhMgUy2O/vJmTDlVbmO244BX0lBW36ts4DsjdL3NK2n4
-0ryKrUECgYEA9NhlAdnuTh2nrAFWI1qrqk5IpbRHY1aAG/h0yZ0y1CxnJejseWWP
-dyaKj+HnBD2dppgd27tvnTZBUdu0lA1t/U/wCIHYnd7LE8pRQxqafwr1/aFkcfpH
-t24N7j1/HQOpeI0OgbsRh5yUUsQLjA1qGJI4cjf8AvBOGeYd9uLW9GMCgYEA3yco
-BM7sFA7fWiPcjjYWwU8KX7Wu9Pv4TMH173ejGs2i2rd3KzHqFeazS/ByaWjSUFfB
-dN1fhJeKUrxr96DukL8ffTBkpe8D/h/DHFMekDJ+JPNCY+ZYGt4GOldNfXDVevVu
-85uStzBAtx3uI8h763mLOT4/f2h5wFo+toQwV4kCgYEAkWSyzl+gYGjBuaVthj8A
-c3hbMXMVdUrXdkSa7WJY3Z+kfOGNEyWZBPMxEvHdoioIpPXtvR7Xz655KWfjGovD
-BcpjSln4zP6Q7yaUDNoOZmSW4M7m+7vYvHcw9Ik2I3+aMkjpFWaFqVb0yRU7miYZ
-G5Awzrqp/wC+ECkTIBlh9esCgYEA3xaYLWZoIQ1VQRpE7m8ohIzuRAywIf6clq/5
-nDMwfiVCQAHWQvqdmNOQP8TbvIGsb+GrZ5fAXB/biycPkPn0RgSsCE2O8Uxn43AB
-cJmwHlw8O9htcM3hGssH0t9gep2I7mnbR/Mp07WLnQVxA5j0Oc7C3rFabZcW0LPn
-qjOw2HECgYASZQMR4y4HO3VdwEWHliosL+kF6xwCzWW6mHGwcnuxeIkR8QBcW3Ve
-1UkKoDE96/b99YTN9UlKP26TCSSmkdLedaLkxm5VJX2o87doRd+fcaZKe5ZvBWd3
-CG4b/ufvc5437DgRqxbGBUVGKOlw9YZ8Mr9y+32P5XFfSjuE2K0Lrw==
+MIIEpAIBAAKCAQEAuBOKNxsCLQBayFjc9KbPy2cZuogZ/Bv+u7qyyMc5SZXRNsJ1
+bI+QbJp+ScOLPiXANddfXuQ/vu3+Z2GhJo8FnbkgXIZj/4ZuBcHdJOxTJ9loJd6f
+9B1UjZhbW12D1i2PyJO5zihPV6Jwh2krJeCQTWEU4Hy93Znk99n47lrFeGL82V+/
+n92AoFhvn4kuFKdYQMSlVMdOTw4fc4LRq+WOFlye2VXKdnGne1UrlFNOv563Ru6Z
+sdK1N7z14w7qGqGZqhNk200KvTWy0wpV8KrNZUScI2wmMwouQwsTj23nq30QzHC7
+MSnhMu6LXblSe7qVRVqqi0t15odg1+5Nlu3BPwIDAQABAoIBADa74Ko4BrKY22Wd
+Pr4kZ78kffsAAzH6pQjvH8AhtQATYy00LzRDj/8rBQgr89hb40ZfLwWJOwcrvyzA
+U+miN1pJtLyuXUeaklZ16arT9nnv5E72Xnt4yS59MhT9vnjN/WX3vxT02XrGW014
+URMnLeFET6/ch5w/6VxlXOaK6RK9YyS0tqmta9wzrXJwoP0vGeNQHbWNR3agdPU3
+o9n2N9V2XSysZjTCdSvkldG56Fs8hdF44eDA6zo6JUpUp+7WOnko4LrCL5IqKoHB
+Nu7nn3IUKYQNqw34eSfSyMryZhdtoS/jYP72zfVU1jLk4oguyoE+RZ1HvqYljD44
+zexbo9kCgYEA4HFuhcL1l8BdMK1E8iD9PmxegNR84OQaSL5OKmkp98BmpQKAgqrK
+8R8/E5Rui/XmNV25ki1mCldsMApUU4g8od1VmEszQIsOMgLmMTSLomRfkGFPRNWg
+RV5S8enDrgnF2jY+09G5Tfd4rPM+Pe4Og5CKYJJV5fcUeGufIeGnDIMCgYEA0fUn
+REMi+sJgdSk7CF2MFP1mP1TIAOGlYIgwykn/IIcXKigNKqs1FBm4uFGpYXerOau+
+REEWSs2/grk9gfd0dyuw1Ze/YH3GLPy0lqgy5SUhsQS2/RawxNQdbCZ/IqhNC5vg
+NOBa+p5OPaLdEDRFV5uN3s6Z10U+aFB/aGK3U5UCgYEAhgH0NZV0QckvWxL5aYBc
+9FqMCmvUrApFz00hKp1j23NbVgaqaFpFlbZMWQp0/sgxTYfKdwb4OBB+nihstPtR
+CGw44Rd1YIImVaH5g0OWY71+eZxAUh8i9IgfCiXDGjTnlyRwWtSLyYuK1+jcLunm
+bJNuq75z3zypUkUf3ID41rUCgYA0GqrL/f1ITcSyTrEfuldxPhGJ1fhsf5MTCblR
++lseL2hIRfg+ho59loSI+XsXfSM5BK4LMjveBIFqZ54kCs0UZftUhnwv7gaoU25d
+lRBMXZKm44yl8mOb9Sf4FvWmHC5Cm0Rg2uy5FWBFW42Q3+f1fd0PViZHjh+Ws6Nq
+vFTSoQKBgQCeqUWHsX3+18fFzfmXHP2usnYtsRSPnNH0caZSy7orWHlzgz0UUlPY
+tZM4S4kfOfyT2jv1Vq+fx0I3gDw07047ojEPhsl1l/7ZXQTCbjiw7pD11EqNywD7
+VdoOnxCXv+4FE/WWuajZJ7CLZodO4c6pKFXtx2StP6CUlGuQQuo+fA==
 -----END RSA PRIVATE KEY-----

tests/testdata/certs/dns/root-cert.pem

@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDEzCCAfugAwIBAgIUVrbIMmhVsXlCEHyr2g6W+gLjKR8wDQYJKoZIhvcNAQEL
-BQAwGDEWMBQGA1UEAwwNY2x1c3Rlci5sb2NhbDAgFw0yMjAzMTAyMTU1NTZaGA8y
-Mjk1MTIyNDIxNTU1NlowGDEWMBQGA1UEAwwNY2x1c3Rlci5sb2NhbDCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJYEJlVv05RB8BSIH6JmNXHAgVG0om1S
-9aLlb1YWICBxDvOA8zuUVJiJuTJFfFeaUgF8+1XUkcAoMVDCDkrv6cm8UurhDkCX
-9xypPE0uWQqSYXXcejWaP5m2XAewzD2V9XGqIHxelbR1/KEctWDiaEsFjas9pkvw
-DCD7H+HHoC+SRnPcS8hMjyHbB513Dfl9zM9QP2HVSpNs7X1mP/kVdGYp8FVKO5Y+
-aq+OiR8TjS6iwSNnBEHgcmIr/FMcS0aZRR3+45oOaPkYjme2SP2sCYUAeLdWLGde
-nF1Z4lfpR6nbBAVBi5EnwKavl1c1OhOTKfl1kHp0YEqt1BDal3NLlT0CAwEAAaNT
-MFEwHQYDVR0OBBYEFHC4luNXmIxiK/MVzECzLKfYdsZVMB8GA1UdIwQYMBaAFHC4
-luNXmIxiK/MVzECzLKfYdsZVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADggEBAInbHkl4siEErTZdNjrsBNZRrGrtixduE91hCj0b/JSziMOngEPH78hg
-gUeRN5GXV9JKfoPbMOgMtSUmpRPxVmbJUjl7/H0pK1AZtfPklZ9VOhQ3Tecnz2yq
-FnoXeiuvtvkvN9QqK2DYXXvUdh4R3aLS96CYi695kKOAVwA+u3Lc/du/yV5cayol
-1re5jNwMiXxLkNUDiLhL1MR/jkOXKEZZJ2Lt1+GdtofWIq/0TTYS11hfRTtaJjmv
-zu1jBBAGcVmk7yjmkv6P3Wbrdj1gKVkZSdOrTmCgY+LgJJ+CzEWMSwgcSOopj6nt
-YjpeyibNd4/fzmJGag3BYMjiLcmPUcU=
+MIIDEzCCAfugAwIBAgIUXsryxKB9kroA9eiWNFtXroZFrHgwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2x1c3Rlci5sb2NhbDAgFw0yMjEwMTkwOTU4NTFaGA8y
+Mjk2MDgwMzA5NTg1MVowGDEWMBQGA1UEAwwNY2x1c3Rlci5sb2NhbDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALlX6IzFytEYKDr1v/uUofPldQGOSdH7
+ShTaC3JD1PfNYTri22KCXFbtkuV15g3d/FY0yJT9KAiL1/j2xMtyXbCW0g+YzaGy
+uPLJ0miJZtYcnOLPF8Wlpy0oBL7jLQf4vvMYVFnE8rSJb5XFwloguIjm4Ww5z8Rr
+nrXG3Pji+o4eY/WaYgHecjNrzI97mDg8Lk+PC7kql2CgEYuEVxIchq7a12xCe6q6
+cJjdXW63TmPjd9Vavmhf1rf5C19zCRJ4cXrEzLkt8j9U07tD7od5nbdmXeteoBnk
+pc1lpAlKEMUBUZ2sq8cyeCfcvRkBIopz1FyAtfKlzMWdWXh1nCp76Q0CAwEAAaNT
+MFEwHQYDVR0OBBYEFEE1l5f6OYxeoakTGmfS7Y5yoixOMB8GA1UdIwQYMBaAFEE1
+l5f6OYxeoakTGmfS7Y5yoixOMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggEBAAycH6K8fcmO8inuzZuGwbB4pQ6vN8Y3YUlOhxFR9yt1hGoUasQ0DVnX
+sUXR12bwu46z5GERx3vtUM7fJKSGAIcwD3uxz6JbsTBom2XJxa+4yRO0dV/Pkupv
+/be4I+gHeIE4tH2/iao9gLIduQrtUZdeVfDKhjW7nts/ZG4noFZsgVCxR9p9wAUZ
+Hu+N03It+dbM9lQXqE1cQPAr2QiDBaHDYfohAPmWffgdG7YhqW7PosWavvRRwXsW
+1CWDhIX/a+Omm554iIVbYYPQVIpdnGovFSRVxn0KZb4soItSMTAVA+Gztz/aPQcE
+ZKkYiEYV1brpDxoqYYxJFZvNWAg6ZuI=
 -----END CERTIFICATE-----

tests/testdata/certs/generate.sh

@@ -121,7 +121,7 @@ openssl x509 -req -in "${WD}/client.csr" -CA "${WD}/pilot/root-cert.pem" -CAkey
 
 # Create a DNS client certificate
 openssl genrsa -out "${WD}/dns/key.pem" 2048
-openssl req -new -sha256 -key "${WD}/dns/key.pem" -out "${WD}/dns-client.csr" -subj "/CN=cluster.local" -config "${WD}/dns-client.conf"
+openssl req -new -sha256 -key "${WD}/dns/key.pem" -out "${WD}/dns-client.csr" -subj "/CN=server.default.svc.cluster.local" -config "${WD}/dns-client.conf"
 openssl x509 -req -in "${WD}/dns-client.csr" -CA "${WD}/pilot/root-cert.pem" -CAkey "${WD}/pilot/ca-key.pem" -CAcreateserial -out "${WD}/dns/cert-chain.pem" -days 100000 -extensions v3_req -extfile "${WD}/dns-client.conf"
 
 # Create a server certificate for MountedCerts test