Specify SAN validation precedence over Hostname validation (#4039)

Author: kl52752

apis/v1alpha3/backendtlspolicy_types.go

@@ -201,7 +201,11 @@ type BackendTLSPolicyValidation struct {
 	// backends:
 	//
 	// 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
-	// 2. Hostname MUST be used for authentication and MUST match the certificate served by the matching backend, unless SubjectAltNames is specified.
+	// 2. Hostname MUST be used for authentication and MUST match the certificate
+	//    served by the matching backend, unless SubjectAltNames is specified.
+	// 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+	//    but MUST NOT be used for authentication. If you want to use the value
+	//    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
 	//
 	// Support: Core
 	//

config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml

@@ -99,6 +99,10 @@ type BackendTLSPolicyValidation struct {
   // SubjectAltNames contains one or more Subject Alternative Names.
   // When specified, the certificate served from the backend MUST have at least one
   // Subject Alternate Name matching one of the specified SubjectAltNames.
+  // If SubjectAltNames are specified, Hostname MUST NOT be used for authentication,
+  // even if this would cause a failure in the case that the SubjectAltNames do not match.
+  // If you want to use Hostname for authentication, you must add Hostname to the SubjectAltNames list.
+  //
   // +kubebuilder:validation:MaxItems=5
   SubjectAltNames []SubjectAltName `json:"subjectAltNames,omitempty"`
 }