From 2462a021803918c51226523f03bf87a55e2034f9 Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Tue, 12 Mar 2024 14:56:56 +0100
Subject: [PATCH 1/3] Remove mentions of VERIFY_CERTIFICATE_AT_CLIENT and
ENABLE_AUTO_SNI
---
networking/v1alpha3/destination_rule.pb.go | 17 +++--------------
networking/v1alpha3/destination_rule.pb.html | 16 +++-------------
networking/v1alpha3/destination_rule.proto | 17 +++--------------
networking/v1beta1/destination_rule.pb.go | 17 +++--------------
networking/v1beta1/destination_rule.proto | 17 +++--------------
5 files changed, 15 insertions(+), 69 deletions(-)
diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go
index 9b89b4e2e3b..26890345d3d 100644
--- a/networking/v1alpha3/destination_rule.pb.go
+++ b/networking/v1alpha3/destination_rule.pb.go
@@ -1317,26 +1317,15 @@ type ClientTLSSettings struct {
// If specified, this list overrides the value of subject_alt_names
// from the ServiceEntry. If unspecified, automatic validation of upstream
// presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
// SNI string to present to the server during TLS handshake.
// If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"`
// `insecureSkipVerify` specifies whether the proxy should skip verifying the
// CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
InsecureSkipVerify *wrappers.BoolValue `protobuf:"bytes,8,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"`
// OPTIONAL: The path to the file containing the certificate revocation list (CRL)
// to use in verifying a presented server certificate. `CRL` is a list of certificates
diff --git a/networking/v1alpha3/destination_rule.pb.html b/networking/v1alpha3/destination_rule.pb.html
index 1105a0000c5..a75f0d0fdfd 100644
--- a/networking/v1alpha3/destination_rule.pb.html
+++ b/networking/v1alpha3/destination_rule.pb.html
@@ -864,8 +864,7 @@ ClientTLSSettings
If specified, this list overrides the value of subject_alt_names
from the ServiceEntry. If unspecified, automatic validation of upstream
presented certificate for new upstream connections will be done based on the
-downstream HTTP host/authority header, provided VERIFY_CERTIFICATE_AT_CLIENT
-and ENABLE_AUTO_SNI
environmental variables are set to true
.
+downstream HTTP host/authority header.
@@ -878,8 +877,7 @@ ClientTLSSettings
|
SNI string to present to the server during TLS handshake.
If unspecified, SNI will be automatically set based on downstream HTTP
-host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI
-environmental variable is set to true .
+host/authority header for SIMPLE and MUTUAL TLS modes.
|
@@ -892,15 +890,7 @@ ClientTLSSettings
|
insecureSkipVerify specifies whether the proxy should skip verifying the
CA signature and SAN for the server certificate corresponding to the host.
-This flag should only be set if global CA signature verification is
-enabled, VERIFY_CERTIFICATE_AT_CLIENT environmental variable is set to true ,
-but no verification is desired for a specific host. If enabled with or
-without VERIFY_CERTIFICATE_AT_CLIENT enabled, verification of the CA signature and
-SAN will be skipped.
-insecureSkipVerify is false by default.
-VERIFY_CERTIFICATE_AT_CLIENT is false by default in Istio version 1.9 but will
-be true by default in a later version where, going forward, it will be
-enabled by default.
+The default value of this field is false.
|
diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto
index ad51b0150e1..de8f76ff169 100644
--- a/networking/v1alpha3/destination_rule.proto
+++ b/networking/v1alpha3/destination_rule.proto
@@ -884,28 +884,17 @@ message ClientTLSSettings {
// If specified, this list overrides the value of subject_alt_names
// from the ServiceEntry. If unspecified, automatic validation of upstream
// presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
repeated string subject_alt_names = 5;
// SNI string to present to the server during TLS handshake.
// If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
string sni = 6;
// `insecureSkipVerify` specifies whether the proxy should skip verifying the
// CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
google.protobuf.BoolValue insecure_skip_verify = 8;
// OPTIONAL: The path to the file containing the certificate revocation list (CRL)
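Review bot: The replacement comment on `insecure_skip_verify` (`+ // The default value of this field is false.`) drops the only guidance the removed lines carried on when the field is appropriate: that it is meant for a specific host where verification is deliberately not wanted, and that enabling it skips both the CA signature and the SAN check for that host. Since these comments become the published API reference, I would keep that caution in one sentence, e.g. `// Setting this to true skips CA signature and SAN verification for this host; use it only where that is intentionally desired for a specific host.` The same applies to the matching hunk in networking/v1beta1/destination_rule.proto in this patch and to networking/v1/destination_rule.proto in PATCH 3/3; the .pb.go and .pb.html copies would follow on regeneration. `message ClientTLSSettings` begins and ends outside the hunk.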
diff --git a/networking/v1beta1/destination_rule.pb.go b/networking/v1beta1/destination_rule.pb.go
index cad2f3855e7..6bb060d2600 100644
--- a/networking/v1beta1/destination_rule.pb.go
+++ b/networking/v1beta1/destination_rule.pb.go
@@ -1294,26 +1294,15 @@ type ClientTLSSettings struct {
// If specified, this list overrides the value of subject_alt_names
// from the ServiceEntry. If unspecified, automatic validation of upstream
// presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
// SNI string to present to the server during TLS handshake.
// If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"`
// `insecureSkipVerify` specifies whether the proxy should skip verifying the
// CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
InsecureSkipVerify *wrappers.BoolValue `protobuf:"bytes,8,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"`
// OPTIONAL: The path to the file containing the certificate revocation list (CRL)
// to use in verifying a presented server certificate. `CRL` is a list of certificates
diff --git a/networking/v1beta1/destination_rule.proto b/networking/v1beta1/destination_rule.proto
index 0274d8859ac..1872a9e92a4 100644
--- a/networking/v1beta1/destination_rule.proto
+++ b/networking/v1beta1/destination_rule.proto
@@ -861,28 +861,17 @@ message ClientTLSSettings {
// If specified, this list overrides the value of subject_alt_names
// from the ServiceEntry. If unspecified, automatic validation of upstream
// presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
repeated string subject_alt_names = 5;
// SNI string to present to the server during TLS handshake.
// If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
string sni = 6;
// `insecureSkipVerify` specifies whether the proxy should skip verifying the
// CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
google.protobuf.BoolValue insecure_skip_verify = 8;
// OPTIONAL: The path to the file containing the certificate revocation list (CRL)
From 122265e53a43f10689a4ef794926d0367327d666 Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Fri, 15 Mar 2024 14:20:11 +0100
Subject: [PATCH 2/3] adjust ca_certificates comment
---
networking/v1alpha3/destination_rule.pb.go | 3 ++-
networking/v1alpha3/destination_rule.pb.html | 3 ++-
networking/v1alpha3/destination_rule.proto | 3 ++-
networking/v1beta1/destination_rule.pb.go | 3 ++-
networking/v1beta1/destination_rule.proto | 3 ++-
5 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go
index 26890345d3d..48ff4a6890c 100644
--- a/networking/v1alpha3/destination_rule.pb.go
+++ b/networking/v1alpha3/destination_rule.pb.go
@@ -1288,7 +1288,8 @@ type ClientTLSSettings struct {
PrivateKey string `protobuf:"bytes,3,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
// Should be empty if mode is `ISTIO_MUTUAL`.
CaCertificates string `protobuf:"bytes,4,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
// The name of the secret that holds the TLS certs for the
diff --git a/networking/v1alpha3/destination_rule.pb.html b/networking/v1alpha3/destination_rule.pb.html
index a75f0d0fdfd..3e34e2b7cd6 100644
--- a/networking/v1alpha3/destination_rule.pb.html
+++ b/networking/v1alpha3/destination_rule.pb.html
@@ -818,7 +818,8 @@ ClientTLSSettings
OPTIONAL: The path to the file containing certificate authority
certificates to use in verifying a presented server certificate. If
-omitted, the proxy will not verify the server’s certificate.
+omitted, the proxy will verify the server’s certificate using
+the OS CA certificates.
Should be empty if mode is ISTIO_MUTUAL .
|
diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto
index de8f76ff169..55149ae3a44 100644
--- a/networking/v1alpha3/destination_rule.proto
+++ b/networking/v1alpha3/destination_rule.proto
@@ -853,7 +853,8 @@ message ClientTLSSettings {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
// Should be empty if mode is `ISTIO_MUTUAL`.
string ca_certificates = 4;
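Review bot: The new `ca_certificates` text (`+ // omitted, the proxy will verify the server's certificate using` / `+ // the OS CA certificates.`) inverts the documented behavior from "will not verify" to "will verify", and "the OS CA certificates" leaves open whose trust store is meant — presumably the proxy's own system bundle rather than the application container's. I would make that explicit and cross-reference the field on this message that disables verification, e.g. `// omitted, the proxy verifies the server's certificate against the proxy's own system CA bundle (see insecure_skip_verify).` Nothing in this patch series shows the proxy-side behavior this wording asserts, so it is worth confirming it against the corresponding proxy release before merging. The same wording applies to the networking/v1beta1/destination_rule.proto hunk in this patch and to networking/v1/destination_rule.proto in PATCH 3/3; `message ClientTLSSettings` begins and ends outside the hunk.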
diff --git a/networking/v1beta1/destination_rule.pb.go b/networking/v1beta1/destination_rule.pb.go
index 6bb060d2600..20af2733760 100644
--- a/networking/v1beta1/destination_rule.pb.go
+++ b/networking/v1beta1/destination_rule.pb.go
@@ -1265,7 +1265,8 @@ type ClientTLSSettings struct {
PrivateKey string `protobuf:"bytes,3,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
// Should be empty if mode is `ISTIO_MUTUAL`.
CaCertificates string `protobuf:"bytes,4,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
// The name of the secret that holds the TLS certs for the
diff --git a/networking/v1beta1/destination_rule.proto b/networking/v1beta1/destination_rule.proto
index 1872a9e92a4..6af998274ab 100644
--- a/networking/v1beta1/destination_rule.proto
+++ b/networking/v1beta1/destination_rule.proto
@@ -830,7 +830,8 @@ message ClientTLSSettings {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
// Should be empty if mode is `ISTIO_MUTUAL`.
string ca_certificates = 4;
From 90185e4a6f42b0baf64d4c3f6513f280921ec61f Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Sat, 16 Mar 2024 13:45:49 +0100
Subject: [PATCH 3/3] sync gen files
---
networking/v1/destination_rule.pb.go | 20 +++++---------------
networking/v1/destination_rule.proto | 20 +++++---------------
2 files changed, 10 insertions(+), 30 deletions(-)
diff --git a/networking/v1/destination_rule.pb.go b/networking/v1/destination_rule.pb.go
index 9ead81a5b4d..8aa89bb168b 100644
--- a/networking/v1/destination_rule.pb.go
+++ b/networking/v1/destination_rule.pb.go
@@ -1264,7 +1264,8 @@ type ClientTLSSettings struct {
PrivateKey string `protobuf:"bytes,3,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
// Should be empty if mode is `ISTIO_MUTUAL`.
CaCertificates string `protobuf:"bytes,4,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
// The name of the secret that holds the TLS certs for the
@@ -1293,26 +1294,15 @@ type ClientTLSSettings struct {
// If specified, this list overrides the value of subject_alt_names
// from the ServiceEntry. If unspecified, automatic validation of upstream
// presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
// SNI string to present to the server during TLS handshake.
// If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"`
// `insecureSkipVerify` specifies whether the proxy should skip verifying the
// CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
InsecureSkipVerify *wrappers.BoolValue `protobuf:"bytes,8,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"`
// OPTIONAL: The path to the file containing the certificate revocation list (CRL)
// to use in verifying a presented server certificate. `CRL` is a list of certificates
diff --git a/networking/v1/destination_rule.proto b/networking/v1/destination_rule.proto
index ad346907758..6c92b40296f 100644
--- a/networking/v1/destination_rule.proto
+++ b/networking/v1/destination_rule.proto
@@ -829,7 +829,8 @@ message ClientTLSSettings {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
// Should be empty if mode is `ISTIO_MUTUAL`.
string ca_certificates = 4;
@@ -860,28 +861,17 @@ message ClientTLSSettings {
// If specified, this list overrides the value of subject_alt_names
// from the ServiceEntry. If unspecified, automatic validation of upstream
// presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
repeated string subject_alt_names = 5;
// SNI string to present to the server during TLS handshake.
// If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
string sni = 6;
// `insecureSkipVerify` specifies whether the proxy should skip verifying the
// CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
google.protobuf.BoolValue insecure_skip_verify = 8;
// OPTIONAL: The path to the file containing the certificate revocation list (CRL)