TLS configuration API (phase 1) #2285

Closed
lei-tang opened this issue Mar 16, 2022 · 7 comments
Comments

@lei-tang
Contributor

lei-tang commented Mar 16, 2022

(This is used to request new product features, please visit https://discuss.istio.io for questions on using Istio)

Describe the feature request
The feature is described in its design document.

Describe alternatives you've considered
Alternatives are discussed in the design document.

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience

Additional context

@SpecialYang
Member

How can I set a global TLS version for all gateways? By providing a default TLS version for gateways, users can also explicitly set the TLS version in a specific gateway resource with higher priority.
I am a little confused about why this API cannot be applied to ingress and egress gateways for a consistent user experience.

@lei-tang
Contributor Author

lei-tang commented May 16, 2022

TLS version for gateways can be configured through minProtocolVersion and maxProtocolVersion of ServerTLSSettings (https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings). This API is different from the TLS API on gateways: this API is for TLS between workloads in a mesh, whereas the TLS API on gateways is for the external traffic to gateway servers (hence the name ServerTLSSettings).

@SpecialYang
Member

SpecialYang commented May 17, 2022

Sometimes, we may hope to restrict the TLS version for all ingress gateways via meshconfig instead of doing duplicated work on every gateway resource.

@lei-tang
Contributor Author

I concur that there is value in restricting the TLS version for all ingress gateways through a single configuration.
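The per-server TLS bounds lei-tang points to above (ServerTLSSettings minProtocolVersion / maxProtocolVersion), checked fleet-wide the way SpecialYang asks for: an added audit script, not Istio code or anything posted in this thread, that reports every TLS-terminating Gateway server whose version bounds fall below a chosen floor or are left unpinned. It assumes the input has the JSON shape of `kubectl get gateways -A -o json`; the sample Gateway objects are constructed.

```python
import json

# Order of Istio's ServerTLSSettings TLSProtocol values (TLS_AUTO means unset).
TLS_ORDER = {"TLSV1_0": 0, "TLSV1_1": 1, "TLSV1_2": 2, "TLSV1_3": 3}


def audit_gateways(gateway_list, floor="TLSV1_2"):
    """Audit every TLS-terminating server in a Gateway list (the JSON shape of
    `kubectl get gateways -A -o json`). Returns (gateway, port, reason) tuples."""
    floor_rank = TLS_ORDER[floor]
    findings = []
    for gw in gateway_list.get("items", []):
        meta = gw.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for server in gw.get("spec", {}).get("servers", []):
            tls = server.get("tls")
            port = server.get("port", {}).get("name", "?")
            if not tls or tls.get("mode") == "PASSTHROUGH":
                continue  # no TLS here, or TLS is terminated by the backend, not the gateway
            min_v = tls.get("minProtocolVersion", "TLS_AUTO")
            max_v = tls.get("maxProtocolVersion", "TLS_AUTO")
            if min_v == "TLS_AUTO":
                findings.append((ident, port, "minProtocolVersion not pinned; floor is the implementation default"))
            elif TLS_ORDER[min_v] < floor_rank:
                findings.append((ident, port, f"minProtocolVersion {min_v} is below {floor}"))
            if max_v != "TLS_AUTO" and TLS_ORDER[max_v] < floor_rank:
                findings.append((ident, port, f"maxProtocolVersion {max_v} caps below {floor}"))
    return findings


# Constructed sample: three Gateways as kubectl would print them (not real cluster data).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "good-gw", "namespace": "istio-system"},
  "spec": {"servers": [{"port": {"name": "https", "number": 443, "protocol": "HTTPS"},
    "tls": {"mode": "SIMPLE", "credentialName": "good-cert", "minProtocolVersion": "TLSV1_2"}}]}},
 {"metadata": {"name": "legacy-gw", "namespace": "team-a"},
  "spec": {"servers": [
    {"port": {"name": "https", "number": 443, "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE", "credentialName": "legacy-cert", "minProtocolVersion": "TLSV1_0"}},
    {"port": {"name": "http", "number": 80, "protocol": "HTTP"}}]}},
 {"metadata": {"name": "default-gw", "namespace": "team-b"},
  "spec": {"servers": [
    {"port": {"name": "https", "number": 443, "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE", "credentialName": "b-cert"}},
    {"port": {"name": "tls-pass", "number": 8443, "protocol": "TLS"}, "tls": {"mode": "PASSTHROUGH"}}]}}
]}""")

if __name__ == "__main__":
    for gw, port, reason in audit_gateways(SAMPLE):
        print(f"{gw} port {port}: {reason}")
```

Run against the sample it flags legacy-gw (explicit TLSV1_0) and default-gw (unpinned), and skips the plain HTTP and PASSTHROUGH servers, which the gateway does not terminate.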

@costinm
Contributor

costinm commented May 17, 2022

I wouldn't mind a mechanism to provide defaults - but MeshConfig is not the right place. Keeping in mind we plan to move to the K8S Gateway API, which defines a much cleaner policy attachment mechanism: this would map to a GatewayClass attached policy.

Ideally such policy would be discussed in the K8S WG, so other implementations of the API use the same policy. We expect Istio users to integrate and use other gateway implementations (for example in cases of global load balancing, etc.) - so policies that are cross-vendor are best.

IMO another hack in MeshConfig would be a move in the wrong direction and create yet another migration problem.

@SpecialYang
Member

Ideally such policy would be discussed in the K8S WG, so other implementations of the API use the same policy. We expect Istio users to integrate and use other gateway implementations (for example in cases of global load balancing, etc.) - so policies that are cross-vendor are best.

Makes sense. Now, do we have any related documents that demonstrate how to integrate other gateway implementations with Istio?

@howardjohn
Member

Work here is done
