Enable configuring Envoy private key provider through ProxyConfig

[rveerama1]

Introduction

Since 1.20 Envoy has supported configuring private key providers over xDS. Also, the first in-tree private key provider (CryptoMB) was released in Envoy 1.20 contrib build (Ref PR: envoyproxy/envoy#17826 ).

The idea in CryptoMB private key provider is that incoming TLS handshakes’ RSA operations are accelerated using AVX-512 multi-buffer instructions. For more details, see this Intel whitepaper which contains some more information about the AVX-512 instructions and potential performance increase: https://www.intel.com/content/www/us/en/architecture-and-technology/crypto-acceleration-in-xeon-scalable-processors-wp.html.
An introductory presentation is available here : https://www.intel.com/content/www/us/en/developer/videos/accelerate-envoy-with-advanced-vector-extensions.html

The private key providers can be configured using SDS protocol: the private_key field in Envoy Secret is replaced with the private key provider configuration. For example,

tls_certificates:
   certificate_chain: { "filename": "/path/cert.pem" }
   private_key: { "filename": "/path/key.pem" }

could be replaced with:

 tls_certificates:
   certificate_chain: { "filename": "/path/cert.pem" }
   private_key_provider:
     provider_name: cryptomb
     typed_config:
       "@type": type.googleapis.com/envoy.extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig
       private_key: { "filename": "/path/key.pem" }
       poll_delay: 0.1s

The problem is that private key providers are typically host-dependent: for example, CryptoMb provider requires a host with support for AVX-512 instruction set. Therefore, we propose an extension mechanism, which allows for dynamic configuration of private key providers.

To set the mesh wide defaults, configure the defaultConfig section of meshConfig. For example:

    meshConfig:
      defaultConfig:
        privateKeyProvider:
          cryptomb:
            pollDelay: 0.01s

This can also be configured on a per-workload basis by configuring the proxy.istio.io/config annotation on the pod.
For example:

    annotations:
      proxy.istio.io/config: |
        privateKeyProvider:
          cryptomb:
            pollDelay: 0.01s

[istio-policy-bot]

😊 Welcome @rveerama1! This is either your first contribution to the Istio api repo, or it's been
awhile since you've been here.

You can learn more about the Istio working groups, code of conduct, and contributing guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[istio-testing]

Hi @rveerama1. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[irisdingbj]

/ok-to-test

[irisdingbj]

@howardjohn This is the API change part PR and the relevant istio change PR is istio/istio#37681
Please help to give a review for this, Thanks!

[rveerama1]

Istio proxy relevant change is here: istio/proxy#3752

[howardjohn]

I am not a huge fan of exposing users to the raw underlying Envoy types -- especially since they are NOT passthrough and istio needs to have code to handle each type.

[lambdai]

The happy path is exciting.
How wide is the AVX-512? What if the the host doesn't offer AVX-512, e.g on a stale VM?

[rveerama1]

What if the the host doesn't offer AVX-512, e.g on a stale VM?

This can be configured mesh wide and per-workload. In this case, user/admin has to configure per-workload basis and deploy it based on some label to that particular node which supports AVX-512.

[ipuustin]

The happy path is exciting. How wide is the AVX-512? What if the the host doesn't offer AVX-512, e.g on a stale VM?

The operations are https://en.wikipedia.org/wiki/AVX-512#IFMA calls, so the registers are 512 bits wide. Internally https://github.com/intel/ipp-crypto/tree/develop/sources/ippcp/crypto_mb library is called to perform the cryptographic operations.

[irisdingbj]

/test-all

[irisdingbj]

@howardjohn Can you please review the latest change? Thanks!

[howardjohn]

This LGTM other than the small comment.

I would like to see approval from some set of @shankgan @myidpt @jacob-delgado @costinm before merging though to make sure there is broader agreement (not all of them needed)

stale

[jacob-delgado]

We are trying to get rid of meshConfig and meshConfig.defaultConfig. I'm thinking this should this be moved to networking/v1beta1/proxy_config.proto and not be used inmeshConfig.defaultConfig or annotations. I'd like to see what the status is of ProxyConfig though before we commit a change.

Since the user cannot put node labels/tolerations and use affinity/anti-affinity on namespaces it needs to go on something that can be placed on a deployment, statefulset or daemonset. For this case ProxyConfig won't suffice and this is the right place to put it.

[jacob-delgado]

LGTM, but it'd be nice to get rid of the name field so that we don't have magic strings in the istio codebase.

[rveerama1]

Thanks for the reviews @howardjohn @jacob-delgado, I have removed the 'name' part and updated the PR. PTAL.