@bleggett
Created February 2, 2023 17:04
# TODO: a DestinationRule needs to be created for any SPIFFE ID that does not follow the
# format Istio expects (ns/NAMESPACE/sa/TARGET_POD_SVC_ACCOUNT),
# because at the moment Istio defaults to client-side SAN checks that assume that SPIFFE ID
# format, and this is not currently configurable.
#
# https://github.com/istio/istio/issues/43105
#
# Additionally, since a DestinationRule overrides Istio's default "auto mTLS" settings, we need `mode: ISTIO_MUTUAL`
# in each DestinationRule to tell Istio that even though we have a custom destination config, we still want mTLS.
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: {{ .serviceName }}-custom-spire-destrule
spec:
  host: {{ .serviceName }}
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - spiffe://example.org/ns/{{ .Namespace }}/sa/{{ .serviceName }}/wl/foo
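Added example, not part of the gist and not Istio's own code: a small Python helper that applies the rule from the comment header, deciding whether a workload's SPIFFE ID fits Istio's default client-side SAN check, rendering the DestinationRule above (as a dict) only when it does not, and linting a rule for a missing `mode: ISTIO_MUTUAL`. The regex for Istio's default ID shape and the assumption that the service account is named after the service (as the template's `{{ .serviceName }}` implies) are mine, not stated by Istio.

```python
import re

# Istio's default client-side SAN check expects exactly this shape, with the
# target workload's namespace and service account and nothing after them.
# The regex is an assumption derived from the format quoted in the comment header.
ISTIO_DEFAULT_ID = re.compile(r"^spiffe://[^/]+/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")

def matches_istio_default(spiffe_id, namespace, service_account):
    """True if Istio's built-in SAN check would accept this ID for the workload."""
    m = ISTIO_DEFAULT_ID.match(spiffe_id)
    return bool(m and m["ns"] == namespace and m["sa"] == service_account)

def destination_rule(service_name, namespace, spiffe_ids):
    """Render the DestinationRule above, but only when a custom ID needs it.

    Returns None when every ID already fits Istio's default, so no override is
    created. Assumes the service account is named after the service, as the
    gist template does.
    """
    if all(matches_istio_default(i, namespace, service_name) for i in spiffe_ids):
        return None
    return {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "DestinationRule",
        "metadata": {"name": f"{service_name}-custom-spire-destrule"},
        "spec": {
            "host": service_name,
            "trafficPolicy": {
                "tls": {
                    # A DestinationRule replaces auto mTLS, so mTLS must be
                    # re-enabled explicitly here.
                    "mode": "ISTIO_MUTUAL",
                    "subjectAltNames": list(spiffe_ids),
                }
            },
        },
    }

def check_rule(rule):
    """Lint a DestinationRule for the two mistakes the comment header warns about."""
    problems = []
    tls = rule.get("spec", {}).get("trafficPolicy", {}).get("tls", {})
    if tls.get("mode") != "ISTIO_MUTUAL":
        problems.append("tls.mode is not ISTIO_MUTUAL: auto mTLS no longer applies")
    for san in tls.get("subjectAltNames", []):
        if not san.startswith("spiffe://"):
            problems.append(f"subjectAltName is not a SPIFFE URI: {san}")
    return problems
```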