Security/check sa for gw secrets (istio#57716)

* Verify identity for gw secrets

* bootstrap fix

* Debug logs for identity mismatch

* releasenotes

* lint

* lint

* use annotation

* lint

* Fixup tests

* gen

* Check for unmanaged gateways

* make gen

* Use IsManaged

Author: Stevenjin8

pilot/pkg/config/kube/gateway/gateway_collection.go

@@ -25,6 +25,7 @@ import (
 	gateway "sigs.k8s.io/gateway-api/apis/v1beta1"
 	gatewayx "sigs.k8s.io/gateway-api/apisx/v1alpha1"
 
+	"istio.io/api/annotation"
 	istio "istio.io/api/networking/v1alpha3"
 	"istio.io/istio/pilot/pkg/model"
 	"istio.io/istio/pkg/config"
@@ -164,6 +165,11 @@ func ListenerSetCollection(
 				meta[constants.InternalGatewaySemantics] = constants.GatewaySemanticsGateway
 				meta[model.InternalGatewayServiceAnnotation] = strings.Join(gatewayServices, ",")
 				meta[constants.InternalParentNamespace] = parentGwObj.Namespace
+				serviceAccountName := model.GetOrDefault(
+					obj.GetAnnotations()[annotation.GatewayServiceAccount.Name],
+					getDefaultName(obj.GetName(), &parentGwObj.Spec, classInfo.disableNameSuffix),
+				)
+				meta[constants.InternalServiceAccount] = serviceAccountName
 
 				// Each listener generates an Istio Gateway with a single Server. This allows binding to a specific listener.
 				gatewayConfig := config.Config{
@@ -268,6 +274,17 @@ func GatewayCollection(
 			return status, nil
 		}
 
+		// See: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#manual-deployment
+		// If we set and address of type hostname, then we have no idea what service accounts the gateway workloads will use.
+		// Thus, we don't enforce service account name restrictions (still look at namespaces though).
+		serviceAccountName := ""
+		if IsManaged(&obj.Spec) {
+			serviceAccountName = model.GetOrDefault(
+				obj.GetAnnotations()[annotation.GatewayServiceAccount.Name],
+				getDefaultName(obj.GetName(), &kgw, classInfo.disableNameSuffix),
+			)
+		}
+
 		for i, l := range kgw.Listeners {
 			server, updatedStatus, programmed := buildListener(ctx, configMaps, secrets, grants, namespaces, obj, status.Listeners, kgw, l, i, controllerName, nil)
 			status.Listeners = updatedStatus
@@ -282,6 +299,8 @@ func GatewayCollection(
 			meta[constants.InternalGatewaySemantics] = constants.GatewaySemanticsGateway
 			meta[model.InternalGatewayServiceAnnotation] = strings.Join(gatewayServices, ",")
 
+			meta[constants.InternalServiceAccount] = serviceAccountName
+
 			// Each listener generates an Istio Gateway with a single Server. This allows binding to a specific listener.
 			gatewayConfig := config.Config{
 				Meta: config.Meta{

pilot/pkg/config/kube/gateway/testdata/backend-tls-policy.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/gateway/default.istio-system
+    internal.istio.io/service-account-name: ""
   name: gateway~istio-autogenerated-k8s-gateway~default
   namespace: istio-system
 spec:

pilot/pkg/config/kube/gateway/testdata/delegated.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/gateway/apple.istio-system
+    internal.istio.io/service-account-name: ""
   name: gateway~istio-autogenerated-k8s-gateway~apple
   namespace: istio-system
 spec:
@@ -23,6 +24,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/gateway/banana.istio-system
+    internal.istio.io/service-account-name: ""
   name: gateway~istio-autogenerated-k8s-gateway~banana
   namespace: istio-system
 spec:

pilot/pkg/config/kube/gateway/testdata/eastwest-labelport.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/cross-network.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~cross-network
   namespace: istio-system
 spec:
@@ -25,6 +26,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/istiod-grpc.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~istiod-grpc
   namespace: istio-system
 spec:
@@ -44,6 +46,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/istiod-webhook.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~istiod-webhook
   namespace: istio-system
 spec:

pilot/pkg/config/kube/gateway/testdata/eastwest-tlsoption.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/cross-network.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~cross-network
   namespace: istio-system
 spec:
@@ -25,6 +26,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/istiod-grpc.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~istiod-grpc
   namespace: istio-system
 spec:
@@ -44,6 +46,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/istiod-webhook.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~istiod-webhook
   namespace: istio-system
 spec:

pilot/pkg/config/kube/gateway/testdata/eastwest.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/cross-network.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~cross-network
   namespace: istio-system
 spec:
@@ -25,6 +26,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/istiod-grpc.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~istiod-grpc
   namespace: istio-system
 spec:
@@ -44,6 +46,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: eastwestgateway-istio.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/eastwestgateway/istiod-webhook.istio-system
+    internal.istio.io/service-account-name: eastwestgateway-istio
   name: eastwestgateway~istio-autogenerated-k8s-gateway~istiod-webhook
   namespace: istio-system
 spec:

pilot/pkg/config/kube/gateway/testdata/grpc.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/gateway/default.istio-system
+    internal.istio.io/service-account-name: ""
   name: gateway~istio-autogenerated-k8s-gateway~default
   namespace: istio-system
 spec:

pilot/pkg/config/kube/gateway/testdata/http.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/gateway/default.istio-system
+    internal.istio.io/service-account-name: ""
   name: gateway~istio-autogenerated-k8s-gateway~default
   namespace: istio-system
 spec:

pilot/pkg/config/kube/gateway/testdata/invalid.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/gateway/default.istio-system
+    internal.istio.io/service-account-name: ""
   name: gateway~istio-autogenerated-k8s-gateway~default
   namespace: istio-system
 spec:
@@ -23,6 +24,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: fake-service.com
     internal.istio.io/parents: Gateway/invalid-service/default.istio-system
+    internal.istio.io/service-account-name: ""
   name: invalid-service~istio-autogenerated-k8s-gateway~default
   namespace: istio-system
 spec:
@@ -41,6 +43,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
     internal.istio.io/parents: Gateway/target-port-reference/default.istio-system
+    internal.istio.io/service-account-name: ""
   name: target-port-reference~istio-autogenerated-k8s-gateway~default
   namespace: istio-system
 spec:

pilot/pkg/config/kube/gateway/testdata/isolation.yaml.golden

@@ -5,6 +5,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: isolation-istio.gateway-conformance-infra.svc.domain.suffix
     internal.istio.io/parents: Gateway/isolation/abc-foo-example-com.gateway-conformance-infra
+    internal.istio.io/service-account-name: isolation-istio
   name: isolation~istio-autogenerated-k8s-gateway~abc-foo-example-com
   namespace: gateway-conformance-infra
 spec:
@@ -23,6 +24,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: isolation-istio.gateway-conformance-infra.svc.domain.suffix
     internal.istio.io/parents: Gateway/isolation/empty-hostname.gateway-conformance-infra
+    internal.istio.io/service-account-name: isolation-istio
   name: isolation~istio-autogenerated-k8s-gateway~empty-hostname
   namespace: gateway-conformance-infra
 spec:
@@ -41,6 +43,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: isolation-istio.gateway-conformance-infra.svc.domain.suffix
     internal.istio.io/parents: Gateway/isolation/wildcard-example-com.gateway-conformance-infra
+    internal.istio.io/service-account-name: isolation-istio
   name: isolation~istio-autogenerated-k8s-gateway~wildcard-example-com
   namespace: gateway-conformance-infra
 spec:
@@ -59,6 +62,7 @@ metadata:
     internal.istio.io/gateway-semantics: gateway
     internal.istio.io/gateway-service: isolation-istio.gateway-conformance-infra.svc.domain.suffix
     internal.istio.io/parents: Gateway/isolation/wildcard-foo-example-com.gateway-conformance-infra
+    internal.istio.io/service-account-name: isolation-istio
   name: isolation~istio-autogenerated-k8s-gateway~wildcard-foo-example-com
   namespace: gateway-conformance-infra
 spec: