@guydc guydc commented Sep 19, 2025

What type of PR is this?

What this PR does / why we need it:
Currently, BackendTLSPolicy requires SNI and SAN validations to be configured explicitly using static values. In some cases, users may need to use the (dynamic) downstream host header value as upstream SNI and validate upstream certificate SANs accordingly.

Additionally, some users today avoid using BTLSP and only use Backend TLS settings, since it offers more flexibility wrt. skipping TLS validation, etc. At this time, there is no option to specify the SNI value in Backend TLS, which might be needed for some of these users.

To support these use cases, while still adhering to GW-API definitions, the Backend TLS settings are now extended with an explicit SNI attribute, with the following rules:

  • If set, will be used for upstream SNI and upstream SAN DNS validation, similar to BTLSP Hostname.
  • If unset/set and BTLSP attaches to the backend, the BTLSP Hostname takes precedence over Backend TLS SNI.
  • Auto SNI (using downstream host header as SNI value) would be enabled for a cluster generated from BackendRefs iff all backends in BackendRefs do not have explicit SNI (from Backend TLS or BTLSP).
  • Auto SNI SAN validation is enabled for a cluster which:
    • Enables auto SNI
    • Does not have explicit SAN validations (e.g. from BTLSP/Backend SNI to SubjectAltName validations)
    • Is not a dynamic resolver (which has a different auto validation strategy currently)

Summary of BTLSP/Backend combinations below:

| BTLSP Hostname | BTLSP SubjectAltNames | Backend SNI | Transport Socket SNI | Transport Socket Validation Context | Cluster Auto SNI | Cluster Auto SAN Validation |
|---|---|---|---|---|---|---|
| N | * | * | invalid | invalid | invalid | invalid |
| Y | N | N | BTLSP Hostname | DNS SAN matches BTLSP.Hostname | N | N |
| Y | N | Y | BTLSP Hostname | DNS SAN matches BTLSP.Hostname | N | N |
| Y | Y | N | BTLSP Hostname | DNS SAN matches BTLSP.Hostname or DNS/URI match BTLSP.DNS/URI SANs | N | N |
| Y | Y | Y | Nil | DNS/URI match BTLSP.DNS/URI SANs | Y (Request Host Header) | N |
| N/A | N/A | N | Nil | Nil | Y (Request Host Header) | Y |
| N/A | N/A | Y | Backend SNI | DNS SAN matches Backend.SNI | N | N |

Which issue(s) this PR fixes:

Related #4610, #6901

Release Notes: Yes/No
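
The bullet rules in the description above, worked through as an added Go example (not code from this PR or from Envoy Gateway). The `BTLSP`, `Backend` and `Cluster` types and the `Resolve` function are hypothetical simplifications; BTLSP SubjectAltNames are left out because, under the bullet rules, they do not change the cluster flags. `NoSANCheck` is derived from those rules: it lists backends in a mixed BackendRefs list that end up with neither explicit nor automatic SAN validation.

```go
package main

import "fmt"

// BTLSP and Backend are simplified, hypothetical stand-ins for the real API types.
type BTLSP struct{ Hostname string }
type Backend struct {
	Name   string
	Policy *BTLSP // nil when no BackendTLSPolicy attaches
	SNI    string // Backend TLS SNI attribute, "" when unset
}

// ExplicitSNI applies the precedence rule: BTLSP Hostname wins over Backend TLS SNI.
func (b Backend) ExplicitSNI() string {
	if b.Policy != nil {
		return b.Policy.Hostname
	}
	return b.SNI
}

type Cluster struct {
	AutoSNI, AutoSANValidation bool
	NoSANCheck                 []string // backends with neither explicit nor auto SAN validation
}

// Resolve derives the cluster-level flags for the backends of one BackendRefs list.
func Resolve(backends []Backend, dynamicResolver bool) (Cluster, error) {
	c := Cluster{AutoSNI: true}
	for _, b := range backends {
		if b.Policy != nil && b.Policy.Hostname == "" {
			return Cluster{}, fmt.Errorf("%s: BTLSP without Hostname is invalid", b.Name)
		}
		if b.ExplicitSNI() != "" {
			c.AutoSNI = false // a single explicit SNI disables auto SNI for the cluster
		}
	}
	// Explicit SNI implies explicit SAN validation, so AutoSNI also means no explicit SANs.
	c.AutoSANValidation = c.AutoSNI && !dynamicResolver
	for _, b := range backends {
		if !c.AutoSNI && b.ExplicitSNI() == "" {
			c.NoSANCheck = append(c.NoSANCheck, b.Name)
		}
	}
	return c, nil
}

func main() {
	fmt.Println(Resolve([]Backend{{Name: "a", SNI: "a.example.com"}, {Name: "b"}}, false)) // constructed sample
}
```

The mixed case is the one worth auditing: a single backend with explicit SNI turns auto SNI off for the whole cluster, which also removes auto SAN validation from the backends that relied on it.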

@guydc guydc requested a review from a team as a code owner September 19, 2025 21:37
codecov bot commented Sep 22, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.08%. Comparing base (160c4aa) to head (aec029e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7014      +/-   ##
==========================================
- Coverage   71.10%   71.08%   -0.02%     
==========================================
  Files         228      228              
  Lines       40640    40676      +36     
==========================================
+ Hits        28897    28916      +19     
- Misses      10052    10065      +13     
- Partials     1691     1695       +4     

@guydc guydc changed the title from "api: auto SNI and auto SAN SNI validation" to "api: Backend TLS SNI" on Oct 6, 2025

// SANValidation specifies how the server certificate SANs are validated.
//
// +optional
SANValidation *SANValidation `json:"sanValidation,omitempty"`
Contributor

Can we reuse the upstream definition here?

Contributor Author

Sorry, I actually removed this option for now. Auto SAN SNI validation is inferred for situations where auto SNI is used.

In the future, we can expand the backend API to also include static SAN validation, achieving full parity with BTLSP, but it's out of scope for this PR.

Contributor

sgtm

guydc added 2 commits October 6, 2025 16:37
Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Guy Daich <[email protected]>
Member

Should we move the as part of make docs to reduce conflicts when there are multiple PRs changing the API?

@guydc guydc requested review from arkodg and zirain October 7, 2025 19:02
Contributor

@arkodg arkodg left a comment

LGTM thanks

@arkodg arkodg requested review from a team October 7, 2025 19:21
@guydc guydc merged commit b4282a6 into envoyproxy:main Oct 9, 2025
35 checks passed