Closed
Description
Envoy hardcoded its BoringSSL implementation for transport security. It is hard to provide other protocols or implementations without modifying Envoy core code base. We have use cases and POC work to link alternative protocols internally which is based on gRPC's Transport Security Interface.
My proposal is to make a generic config object TransportSecurityContext, which contains a name and an opaque config, just like filter config. Then use a registry to load implementations at config time. Since the v2 APIs are frozen, the new config object will be added as a oneof with the existing TlsContext, so it won't break compatibility.