
Customize Per Endpoint TLS Settings #8016

@incfly

Description

Title: Feature Request, Customize Per Endpoint TLS config

Description:

Today in Envoy, each cluster has a single TLS configuration. We would like to be able to customize the TLS config on a per-endpoint basis.

A potential solution could be to extend the cluster filter interface. At the time a transport socket is about to be created, the cluster filter callbacks can be invoked and return the TLS configuration.

Other API/mechanism designs are welcome as alternatives.

Use Case

In the context of Istio, we are able to let the control plane distribute label information to each endpoint (whether it is able to accept mTLS or not). Then the client Envoy, with this information, initiates a TCP or TLS connection to different endpoints, decided at the per-endpoint level.

This eases the mTLS rollout a lot: customers don't have to configure the entire cluster's TLS config. Instead, they get more and more mTLS traffic as more and more server-side endpoints are migrated with the Envoy sidecar injected.

Other use cases that I can think of:

Roll out a new PKI configuration slowly. Imagine a customer wants to roll out a new PKI, a new root for example. On the server side, they can set up multiple filter chains with different TLS contexts and filter chain matches. On the client side, the customer can implement their own cluster filter to slowly roll out the new TLS configuration for a subset of the endpoints. The percentage can be specified as part of the cluster filter config.

Other similar TLS-related config rollouts can be done the same way, e.g. file-based key/cert to SDS-based.

The TLS rollout is then decoupled from the Envoy binary rollout lifecycle.
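As an added illustration (not code from this issue or from Envoy itself), the following Python sketch models the proposed cluster-filter callback: at transport-socket creation time it returns which transport/TLS configuration to use for a given endpoint, driven by a control-plane label (the Istio case) and by a stable percentage cutoff over the labelled endpoints (the PKI rollout case). The `Endpoint`, `RolloutPolicy`, `select_transport` and `rollout_plan` names, the `tls_mode` label and the config names are all hypothetical.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    """One upstream host plus the labels the control plane attached to it (constructed)."""
    address: str
    port: int
    metadata: dict = field(default_factory=dict)  # e.g. {"tls_mode": "mtls"} (hypothetical label)


@dataclass(frozen=True)
class RolloutPolicy:
    """Gradual switch from old_tls to new_tls for a percentage of the mTLS-capable endpoints."""
    new_tls: str   # config being rolled out, e.g. one trusting a new root
    old_tls: str   # config still in use
    percent: int   # 0..100, share of endpoints that get new_tls


def _bucket(endpoint: Endpoint) -> int:
    """Stable bucket in 0..99 derived from the endpoint address, so a given endpoint
    always falls on the same side of the cutoff and raising the percentage only adds hosts."""
    key = f"{endpoint.address}:{endpoint.port}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % 100


def select_transport(endpoint: Endpoint, policy: Optional[RolloutPolicy] = None) -> str:
    """Hypothetical cluster-filter callback invoked right before a transport socket is
    created for `endpoint`; returns the name of the transport/TLS config to use."""
    if endpoint.metadata.get("tls_mode") != "mtls":
        return "plaintext"        # no sidecar behind that endpoint yet: plain TCP
    if policy is None:
        return "mtls-default"     # sidecar present, no rollout in progress
    return policy.new_tls if _bucket(endpoint) < policy.percent else policy.old_tls


def rollout_plan(endpoints: List[Endpoint], policy: Optional[RolloutPolicy] = None) -> Dict[str, str]:
    """Resolve every endpoint of a cluster to its own transport config, instead of
    applying the cluster's single TLS context to all hosts."""
    return {f"{e.address}:{e.port}": select_transport(e, policy) for e in endpoints}
```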

Labels: design proposal (Needs design doc/proposal before implementation), help wanted (Needs help!)