TLS configuration API (phase 1)
(This is used to request new product features, please visit https://discuss.istio.io for questions on using Istio)
Describe the feature request
The feature is described in its design document.
Describe alternatives you've considered
Alternatives are discussed in the design document.
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
Additional context
How can I set a global TLS version for all gateways? By providing a default TLS version for gateways, users could also explicitly set the TLS version in a specific Gateway resource with higher priority. I am a little confused about why this API cannot be applied to ingress and egress gateways for a consistent user experience.
The TLS version for gateways can be configured through minProtocolVersion and maxProtocolVersion of ServerTLSSettings (https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings). This API is different from the TLS API on gateways: this API is for TLS between workloads in a mesh, whereas the TLS API on gateways is for external traffic to gateway servers (hence the name ServerTLSSettings).
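An added audit example, not from this thread or the Istio project, that follows from the point above: since there is no mesh-wide default, every Gateway's servers[].tls.minProtocolVersion has to be checked one by one. It assumes the JSON shape returned by `kubectl get gateways.networking.istio.io -A -o json`; the two Gateway objects are constructed samples, and treating an unset minimum (TLS_AUTO) as non-compliant is a policy choice made here, not Istio behaviour.

```python
"""Audit Istio Gateway resources for an explicit minimum TLS version.

Added example, not Istio project code. Input is the JSON list that
`kubectl get gateways.networking.istio.io -A -o json` returns.
"""
import json

# Rank of Istio's TLSProtocol enum values so versions can be compared.
# TLS_AUTO means "no explicit minimum"; it is ranked lowest on purpose.
TLS_VERSION_RANK = {"TLS_AUTO": 0, "TLSV1_0": 1, "TLSV1_1": 2,
                    "TLSV1_2": 3, "TLSV1_3": 4}

# Constructed sample output: one Gateway that pins TLS 1.2, one that does not.
SAMPLE_GATEWAY_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "frontend-gw", "namespace": "istio-system"},
  "spec": {"servers": [
   {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
    "hosts": ["shop.example.com"],
    "tls": {"mode": "SIMPLE", "credentialName": "shop-cert",
            "minProtocolVersion": "TLSV1_2"}}]}},
 {"metadata": {"name": "legacy-gw", "namespace": "team-a"},
  "spec": {"servers": [
   {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
    "hosts": ["old.example.com"],
    "tls": {"mode": "SIMPLE", "credentialName": "old-cert"}},
   {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
    "hosts": ["old.example.com"]}]}}
]}
""")


def find_weak_servers(gateway_list, required="TLSV1_2"):
    """Return (namespace/name, port, effective_min) for each server that
    terminates TLS at the gateway with a minimum below `required`."""
    required_rank = TLS_VERSION_RANK[required]
    weak = []
    for gw in gateway_list.get("items", []):
        meta = gw["metadata"]
        ident = f"{meta['namespace']}/{meta['name']}"
        for server in gw.get("spec", {}).get("servers", []):
            tls = server.get("tls")
            # Plaintext ports and PASSTHROUGH modes do not terminate TLS at
            # the gateway, so minProtocolVersion does not apply to them.
            if not tls or tls.get("mode", "").endswith("PASSTHROUGH"):
                continue
            effective = tls.get("minProtocolVersion", "TLS_AUTO")
            if TLS_VERSION_RANK.get(effective, 0) < required_rank:
                weak.append((ident, server["port"]["number"], effective))
    return weak


if __name__ == "__main__":
    for ident, port, eff in find_weak_servers(SAMPLE_GATEWAY_LIST):
        print(f"{ident} port {port}: minProtocolVersion={eff}, want >= TLSV1_2")
```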
Sometimes we may want to restrict the TLS version for all ingress gateways via MeshConfig instead of duplicating the work on every Gateway resource.
I concur that there is value in restricting the TLS version for all ingress gateways through a single configuration.
I wouldn't mind a mechanism to provide defaults, but MeshConfig is not the right place. Keep in mind we plan to move to the K8s Gateway API, which defines a much cleaner policy attachment mechanism: this would map to a GatewayClass-attached policy.
Ideally such a policy would be discussed in the K8s WG, so other implementations of the API use the same policy. We expect Istio users to integrate and use other gateway implementations (for example, in cases of global load balancing, etc.), so policies that are cross-vendor are best.
IMO another hack in MeshConfig would be a move in the wrong direction and create yet another migration problem.
> Ideally such a policy would be discussed in the K8s WG, so other implementations of the API use the same policy. We expect Istio users to integrate and use other gateway implementations (for example, in cases of global load balancing, etc.), so policies that are cross-vendor are best.

Makes sense. Now, do we have any related documents that demonstrate how to integrate other gateway implementations with Istio?
Work here is done