Add support for ztunnel #38548

@msune

Description

Cilium Feature Proposal

ztunnel is an implementation of the HTTP-Based Overlay Network Environment (HBONE), which provides an L4 proxying solution through an mTLS HTTP/2 tunnel.

Is your proposed feature related to a problem?

No. This feature improves the throughput of TCP traffic between pods compared to IPsec/WireGuard under certain conditions. It also provides mutual authentication (mTLS) between the ztunnel endpoints.

Describe the feature you'd like

Add ztunnel as an alternative datapath encryption mechanism to provide pod-to-pod encryption with mutual authentication (mTLS).

High level task list (draft)

  • CFP: integration of ztunnel in Cilium
  • Datapath support
    • Integrate with eBPF to forward selected traffic to/from ztunnel
    • Policy enforcement changes - if any - pre/post ztunnel interception
    • Testing: unit and component
  • Control plane support
    • Define API/Annotations/CRD for ztunnel
    • ztunnel lifecycle management (launch, monitor, teardown)
    • Identity and certificate management
    • Testing: unit and component
  • Observability
    • Integrate ztunnel metrics and logs with Hubble
    • Enable visibility into encrypted connections, identities, and HBONE sessions
    • Testing: unit and component
  • E2E testing
  • Documentation
    • Describe architecture, configuration, and usage of ztunnel within Cilium

Metadata

Assignees

No one assigned

Labels

  • area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
  • feature/ztunnel
  • kind/meta: Meta-task for co-ordination.
  • pinned: These issues are not marked stale by our issue bot.
