Add ecdh_curves support (#2543)

* Add ecdh_curves support to Gateway

Signed-off-by: Faseela K <[email protected]>

* Add release notes

Signed-off-by: Faseela K <[email protected]>

* Support ecdh_curves for destination_rule

Signed-off-by: Faseela K <[email protected]>

* Fix release note

Signed-off-by: Faseela K <[email protected]>

* Add ecdh_curves to MeshConfig and remove from DestinationRule

Signed-off-by: Faseela K <[email protected]>

* rename the TLSConfig for external traffic

Signed-off-by: Faseela K <[email protected]>

* Make the config mesh_external

Signed-off-by: Faseela K <[email protected]>

* Retain only MeshConfig changes

Signed-off-by: Faseela K <[email protected]>

* Manually fix proto.lock

Signed-off-by: Faseela K <[email protected]>

* make gen

Signed-off-by: Faseela K <[email protected]>

* rebase

Signed-off-by: Faseela K <[email protected]>

* Edit ECDH description

Signed-off-by: Faseela K <[email protected]>

* enhance mesh external description

Signed-off-by: Faseela K <[email protected]>

* Clarify ecdh curves documentation

Signed-off-by: Faseela K <[email protected]>

* rebase

Signed-off-by: Faseela K <[email protected]>

---------

Signed-off-by: Faseela K <[email protected]>

Author: kfaseela

mesh/v1alpha1/config.pb.go

@@ -1121,13 +1121,34 @@ message MeshConfig {
     // In the current Istio implementation, the maximum TLS protocol version
     // is TLS 1.3.
     TLSProtocol min_protocol_version = 1;
+    //
+    // Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
+    // If not specified, the default curves enforced by envoy will be used. For details about the default curves, refer to
+    // [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto)
+    repeated string ecdh_curves = 2;
   }
 
+  // The below configuration parameters can be used to specify TLSConfig for in-mesh and mesh-external TLS traffic.
+  // For example, a user could enable min TLS version for in-mesh traffic and specify a curve for mesh external traffic like below:
+  // meshConfig:
+  //   meshMTLS:
+  //     minProtocolVersion: TLSV1_3
+  //   meshExternalTLS:
+  //     ecdhCurves:
+  //       - P-256
+  //       - P-512
+  //
   // Configuration of mTLS for traffic between workloads within the mesh.
+  // Mesh mTLS does not respect ECDH curves.
   TLSConfig mesh_mTLS = 63;
+  //
+  // Configuration of TLS for mesh external traffic(i.e. the traffic entering or leaving the mesh).
+  // This includes any TLS mode except ISTIO_MUTUAL mTLS. For ISTIO_MUTUAL settings, meshMTLS configuration should be used.
+  // Note: Mesh external does not respect min TLS version configured here currently.
+  TLSConfig mesh_external_TLS = 64;
 
   // $hide_from_docs
-  // Next available field number: 64
+  // Next available field number: 65
   reserved 1;
   reserved "mixer_check_server";
   reserved 2;

mesh/v1alpha1/config.proto

@@ -34818,6 +34818,11 @@
                 "id": 63,
                 "name": "mesh_mTLS",
                 "type": "TLSConfig"
+              },
+              {
+                "id": 64,
+                "name": "mesh_external_TLS",
+                "type": "TLSConfig"
               }
             ],
             "reserved_ids": [
@@ -35575,6 +35580,12 @@
                     "id": 1,
                     "name": "min_protocol_version",
                     "type": "TLSProtocol"
+                  },
+                  {
+                    "id": 2,
+                    "name": "ecdh_curves",
+                    "type": "string",
+                    "is_repeated": true
                   }
                 ]
               }

mesh/v1alpha1/istio.mesh.v1alpha1.gen.json

@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: feature
+area: security
+issue:
+  - https://github.com/istio/istio/issues/41645
+releaseNotes:
+  - |
+    **Added** ecdh_curves support for mesh-external traffic through MeshConfig API.