Support system-internal-tls in net-istio

[ReToCode]

Larger description in the Feature Track document
Parent-issue: knative/serving#11906

Summary
net-istio should support calling activator / backends with a known CA key and subject name.

/kind feature-request

[nak3]

If all net-* plugins are going to support the TLS encryption for the path Ingress -> backend, would it be better to add:

• conformance test in networking repo
• and KIngress contract which means adding API for KIngress ?

[nak3]

(This may be off topic but) for the Kingress API addition, if we add the "SanName" field it would also help to solve knative/serving#12797 by using the SAN for each ingress like:

(based on Feature Track document)

type InternalTLS struct {
        // SecretName is the name of the secret used to SSL traffic against upstream(backend).
        // The secret should store the CA (root) cert to use SSL traffic.
        SecretName string `json:"secretName,omitempty"`
       
	// SanName is the name of SAN which s verified if at least one of SAN is matched.
        // The field is array to store two SANs such as activator and queue-proxy.
        SanName []string `json:"secretName,omitempty"`
}

(I know we should use SNI but I think SNI solution is not possible...)

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

[ReToCode]

/remove-lifecycle stale