istio · wenchenglu · Feb 5, 2019 · Feb 4, 2019 · Feb 4, 2019 · Feb 5, 2019
diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go
diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto
@@ -577,6 +577,8 @@ message TLSSettings {
   // A list of alternate names to verify the subject identity in the
   // certificate. If specified, the proxy will verify that the server
   // certificate's subject alt name matches one of the specified values.
+  // If specified, this list overrides the value of subject_alt_names
+  // from the ServiceEntry.
   repeated string subject_alt_names = 5;
 
   // SNI string to present to the server during TLS handshake.

diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
@@ -299,6 +299,33 @@ option go_package = "istio.io/api/networking/v1alpha3";
 // specified above. In other words, a call to `http://foo.bar.com/baz` would
 // be translated to `http://uk.foo.bar.com/baz`.
 //
+// The following example illustrates the usage of a ServiceEntry
+// containing a subject alternate name
+// whose format conforms to the SPIFEE standard
+// <https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md>:
+//
+// ```yaml
+// apiVersion: networking.istio.io/v1alpha3
+// kind: ServiceEntry
+// metadata:
+//   name: httpbin
+//   namespace : httpbin-ns
+// spec:
+//   hosts:
+//   - httpbin.com
+//   location: MESH_INTERNAL
+//   ports:
+//   - number: 80
+//     name: http
+//     protocol: HTTP
+//   resolution: STATIC
+//   endpoints:
+//   - address: 2.2.2.2
+//   - address: 3.3.3.3
+//   subjectAltNames:
+//   - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+// ```
+//
 message ServiceEntry {
   // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
   // name with wildcard prefix (external services only). DNS names in hosts
@@ -461,4 +488,11 @@ message ServiceEntry {
   // the annotation "networking.istio.io/export_to" to a comma-separated list
   // of namespace names.
   repeated string export_to = 7;
+
+  // The list of subject alternate names allowed for workloads that
+  // implement this service. This information is used to enforce
+  // secure-naming <https://istio.io/docs/concepts/security/#secure-naming>.
+  // If specified, the proxy will verify that the server
+  // certificate's subject alternate name matches one of the specified values.
+  repeated string subject_alt_names = 8;
 }
diff --git a/proto.lock b/proto.lock
@@ -3455,6 +3455,12 @@
                 "name": "export_to",
                 "type": "string",
                 "is_repeated": true
+              },
+              {
+                "id": 8,
+                "name": "subject_alt_names",
+                "type": "string",
+                "is_repeated": true
               }
             ],
             "messages": [