Gateway supports custom cipher suites (#58381)

Author: fraenkel

pilot/pkg/config/kube/gateway/conversion.go

@@ -55,6 +55,7 @@ import (
 	"istio.io/istio/pkg/config/schema/gvk"
 	"istio.io/istio/pkg/config/schema/kind"
 	schematypes "istio.io/istio/pkg/config/schema/kubetypes"
+	"istio.io/istio/pkg/config/security"
 	"istio.io/istio/pkg/kube/controllers"
 	"istio.io/istio/pkg/kube/krt"
 	"istio.io/istio/pkg/ptr"
@@ -66,6 +67,7 @@ const (
 	gatewayTLSTerminateModeKey = "gateway.istio.io/tls-terminate-mode"
 	addressTypeOverride        = "networking.istio.io/address-type"
 	gatewayClassDefaults       = "gateway.istio.io/defaults-for-class"
+	gatewayTLSCipherSuites     = "gateway.istio.io/tls-cipher-suites"
 )
 
 func sortConfigByCreationTime(configs []config.Config) {
@@ -2114,7 +2116,7 @@ func buildTLS(
 		return nil, nil
 	}
 	// Explicitly not supported: file mounted
-	// Not yet implemented: TLS mode, https redirect, max protocol version, SANs, CipherSuites, VerifyCertificate
+	// Not yet implemented: TLS mode, https redirect, max protocol version, SANs, VerifyCertificate
 	out := &istio.ServerTLSSettings{
 		HttpsRedirect: false,
 	}
@@ -2215,6 +2217,12 @@ func buildTLS(
 			out.Mode = istio.ServerTLSSettings_AUTO_PASSTHROUGH
 		}
 	}
+	if opts := tls.Options[gatewayTLSCipherSuites]; opts != "" {
+		ciphers := security.FilterCipherSuites(slices.Map(strings.Split(string(opts), ","), strings.TrimSpace))
+		if len(ciphers) > 0 {
+			out.CipherSuites = ciphers
+		}
+	}
 	return out, nil
 }
 

pilot/pkg/config/kube/gateway/testdata/tls.status.yaml.golden

@@ -258,6 +258,153 @@ status:
 ---
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
+metadata:
+  name: gateway-invalid-ciphers
+  namespace: istio-system
+spec: null
+status:
+  addresses:
+  - type: IPAddress
+    value: 1.2.3.4
+  conditions:
+  - lastTransitionTime: fake
+    message: Resource accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted
+  - lastTransitionTime: fake
+    message: Resource programmed, assigned to service(s) istio-ingressgateway.istio-system.svc.domain.suffix:34000
+    reason: Programmed
+    status: "True"
+    type: Programmed
+  listeners:
+  - attachedRoutes: 0
+    conditions:
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: Accepted
+      status: "True"
+      type: Accepted
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: NoConflicts
+      status: "False"
+      type: Conflicted
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: Programmed
+      status: "True"
+      type: Programmed
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: ResolvedRefs
+      status: "True"
+      type: ResolvedRefs
+    name: passthrough
+    supportedKinds:
+    - group: gateway.networking.k8s.io
+      kind: TLSRoute
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: gateway-mixed-ciphers
+  namespace: istio-system
+spec: null
+status:
+  addresses:
+  - type: IPAddress
+    value: 1.2.3.4
+  conditions:
+  - lastTransitionTime: fake
+    message: Resource accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted
+  - lastTransitionTime: fake
+    message: Resource programmed, assigned to service(s) istio-ingressgateway.istio-system.svc.domain.suffix:34000
+    reason: Programmed
+    status: "True"
+    type: Programmed
+  listeners:
+  - attachedRoutes: 0
+    conditions:
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: Accepted
+      status: "True"
+      type: Accepted
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: NoConflicts
+      status: "False"
+      type: Conflicted
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: Programmed
+      status: "True"
+      type: Programmed
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: ResolvedRefs
+      status: "True"
+      type: ResolvedRefs
+    name: passthrough
+    supportedKinds:
+    - group: gateway.networking.k8s.io
+      kind: TLSRoute
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: gateway-valid-ciphers
+  namespace: istio-system
+spec: null
+status:
+  addresses:
+  - type: IPAddress
+    value: 1.2.3.4
+  conditions:
+  - lastTransitionTime: fake
+    message: Resource accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted
+  - lastTransitionTime: fake
+    message: Resource programmed, assigned to service(s) istio-ingressgateway.istio-system.svc.domain.suffix:34000
+    reason: Programmed
+    status: "True"
+    type: Programmed
+  listeners:
+  - attachedRoutes: 0
+    conditions:
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: Accepted
+      status: "True"
+      type: Accepted
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: NoConflicts
+      status: "False"
+      type: Conflicted
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: Programmed
+      status: "True"
+      type: Programmed
+    - lastTransitionTime: fake
+      message: No errors found
+      reason: ResolvedRefs
+      status: "True"
+      type: ResolvedRefs
+    name: passthrough
+    supportedKinds:
+    - group: gateway.networking.k8s.io
+      kind: TLSRoute
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
 metadata:
   name: gateway2
   namespace: istio-system

pilot/pkg/config/kube/gateway/testdata/tls.yaml

@@ -134,6 +134,72 @@ spec:
     tls:
       mode: Passthrough
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: gateway-valid-ciphers
+  namespace: istio-system
+spec:
+  addresses:
+  - value: istio-ingressgateway
+    type: Hostname
+  gatewayClassName: istio
+  listeners:
+  - name: passthrough
+    port: 34000
+    protocol: TLS
+    allowedRoutes:
+      namespaces:
+        from: All
+    tls:
+      mode: Passthrough
+      options:
+        gateway.istio.io/tls-cipher-suites: "ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256"
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: gateway-invalid-ciphers
+  namespace: istio-system
+spec:
+  addresses:
+  - value: istio-ingressgateway
+    type: Hostname
+  gatewayClassName: istio
+  listeners:
+  - name: passthrough
+    port: 34000
+    protocol: TLS
+    allowedRoutes:
+      namespaces:
+        from: All
+    tls:
+      mode: Passthrough
+      options:
+        gateway.istio.io/tls-cipher-suites: "bogus,bad"
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: gateway-mixed-ciphers
+  namespace: istio-system
+spec:
+  addresses:
+  - value: istio-ingressgateway
+    type: Hostname
+  gatewayClassName: istio
+  listeners:
+  - name: passthrough
+    port: 34000
+    protocol: TLS
+    allowedRoutes:
+      namespaces:
+        from: All
+    tls:
+      mode: Passthrough
+      options:
+        gateway.istio.io/tls-cipher-suites: "bad, ECDHE-RSA-AES128-GCM-SHA256"
+---
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: TLSRoute
 metadata:
@@ -179,4 +245,4 @@ spec:
   rules:
   - backendRefs:
     - name: httpbin
-      port: 80
+      port: 80

pilot/pkg/config/kube/gateway/testdata/tls.yaml.golden

@@ -1,5 +1,70 @@
 apiVersion: networking.istio.io/v1
 kind: Gateway
+metadata:
+  annotations:
+    internal.istio.io/gateway-semantics: gateway
+    internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
+    internal.istio.io/parents: Gateway/gateway-invalid-ciphers/passthrough.istio-system
+    internal.istio.io/service-account-name: ""
+  name: gateway-invalid-ciphers~istio-autogenerated-k8s-gateway~passthrough
+  namespace: istio-system
+spec:
+  servers:
+  - hosts:
+    - '*/*'
+    port:
+      name: default
+      number: 34000
+      protocol: TLS
+    tls: {}
+---
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    internal.istio.io/gateway-semantics: gateway
+    internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
+    internal.istio.io/parents: Gateway/gateway-mixed-ciphers/passthrough.istio-system
+    internal.istio.io/service-account-name: ""
+  name: gateway-mixed-ciphers~istio-autogenerated-k8s-gateway~passthrough
+  namespace: istio-system
+spec:
+  servers:
+  - hosts:
+    - '*/*'
+    port:
+      name: default
+      number: 34000
+      protocol: TLS
+    tls:
+      cipherSuites:
+      - ECDHE-RSA-AES128-GCM-SHA256
+---
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    internal.istio.io/gateway-semantics: gateway
+    internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
+    internal.istio.io/parents: Gateway/gateway-valid-ciphers/passthrough.istio-system
+    internal.istio.io/service-account-name: ""
+  name: gateway-valid-ciphers~istio-autogenerated-k8s-gateway~passthrough
+  namespace: istio-system
+spec:
+  servers:
+  - hosts:
+    - '*/*'
+    port:
+      name: default
+      number: 34000
+      protocol: TLS
+    tls:
+      cipherSuites:
+      - ECDHE-ECDSA-AES128-GCM-SHA256
+      - ECDHE-RSA-AES128-GCM-SHA256
+---
+apiVersion: networking.istio.io/v1
+kind: Gateway
 metadata:
   annotations:
     internal.istio.io/gateway-semantics: gateway

releasenotes/notes/58366.yaml

@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue:
+  - 58366
+releaseNotes:
+- |
+  **Added** an option, `gateway.istio.io/tls-cipher-suites`, to specify the custom cipher suites on a Gateway. The value is a comma separated list of cipher suites.