Results 91 - 100 of 196 for mtls (0.05 sec)

  1. manifests/charts/istio-control/istio-discovery/templates/service.yaml

        app: istiod
        istio: pilot
        release: {{ .Release.Name }}
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Apr 18 18:16:49 UTC 2024
    - 1.5K bytes
    - Viewed (0)
  2. releasenotes/notes/ssh-iptables.yaml

    apiVersion: release-notes/v2
    kind: bug-fix
    area: traffic-management
    issue:
    - 35733
    releaseNotes:
    - |
      **Fixed** an issue causing mTLS errors for traffic on port 22, by including port 22 in iptables by default.
    
    upgradeNotes:
    - title: Port 22 iptables capture changes
      content: |
        In previous versions, port 22 was excluded from iptables capture. This mitigates risk of getting locked out of a VM
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Dec 06 15:15:39 UTC 2021
    - 1K bytes
    - Viewed (0)
  3. releasenotes/notes/fips.yaml

      curves to `P-256`. These restrictions apply on the following data paths:
    
      * mTLS communication between Envoy proxies;
      * regular TLS on the downstream and the upstream of Envoy proxies (e.g. gateway);
      * Google gRPC side requests from Envoy proxies (e.g. Stackdriver extensions);
      * Istiod xDS server;
      * Istiod injection and validation webhook servers.
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 23 00:16:21 UTC 2024
    - 1.2K bytes
    - Viewed (0)
  4. staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go

    	CacheTTL time.Duration
    
    	// CAContentProvider are the options for verifying incoming connections using mTLS and directly assigning to users.
    	// Generally this is the CA bundle file used to authenticate client certificates
    	// If this is nil, then mTLS will not be used.
    	ClientCertificateCAContentProvider dynamiccertificates.CAContentProvider
    
    	APIAudiences authenticator.Audiences
    
    Registered: Sat Jun 15 01:39:40 UTC 2024
    - Last Modified: Tue Jun 29 07:49:14 UTC 2021
    - 5.1K bytes
    - Viewed (0)
  5. tests/testdata/networking/envoyfilter-without-service/configs.yaml

    # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-config
    spec:
      mtls:
        mode: STRICT
    ---
    # Corresponding destination rule to configure client side to use mutual TLS when talking to
    # any service (host) in the mesh.
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jul 13 16:44:49 UTC 2023
    - 1.8K bytes
    - Viewed (0)
  6. releasenotes/notes/peer-authn-port-level-pass-through-filter.yaml

          supported even if the port number is not defined in a service, a special pass through filter chain will be added
          to respect the corresponding per-port-level mTLS specification.
          Please check your PeerAuthentication to make sure you are not using the per-port-level configuration on pass through
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Nov 13 22:43:51 UTC 2020
    - 1.2K bytes
    - Viewed (0)
  7. pkg/features/security.go

    var (
    	CompliancePolicy = env.Register("COMPLIANCE_POLICY", "",
    		`If set, applies policy-specific restrictions over all existing TLS
    settings, including in-mesh mTLS and external TLS. Valid values are:
    
    * '' or unset places no additional restrictions.
    * 'fips-140-2' which enforces a version of the TLS protocol and a subset
    of cipher suites overriding any user preferences or defaults for all runtime
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 23 00:16:21 UTC 2024
    - 1.6K bytes
    - Viewed (0)
  8. tests/testdata/networking/sidecar-without-service/configs.yaml

      - hosts:
        - "./*"
    ---
    # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-config
    spec:
      mtls:
        mode: STRICT
    ---
    # Corresponding destination rule to configure client side to use mutual TLS when talking to
    # any service (host) in the mesh.
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Jan 04 17:16:38 UTC 2021
    - 1.9K bytes
    - Viewed (0)
  9. releasenotes/notes/protocol-detection-timeout.yaml

    releaseNotes:
    - |
      **Removed** the protocol detection timeout by default, reducing traffic failures during slow connections.
    upgradeNotes:
    - title: Protocol Detection Timeout Changes
      content: |
        In order to support permissive mTLS traffic as well as [automatic protocol detection](istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#automatic-protocol-selection),
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Oct 21 00:53:45 UTC 2020
    - 1.6K bytes
    - Viewed (0)
  10. tests/integration/security/external_ca/reachability_test.go

    				WithDefaultFilters(1, 1).
    				FromMatch(match.ServiceName(from.NamespacedName())).
    				ToMatch(match.ServiceName(to.NamespacedName())).
    				Run(func(t framework.TestContext, from echo.Instance, to echo.Target) {
    					// Verify mTLS works between a and b
    					opts := echo.CallOptions{
    						To: to,
    						Port: echo.Port{
    							Name: "http",
    						},
    					}
    					opts.Check = check.And(check.OK(), check.ReachedTargetClusters(t))
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Apr 08 22:02:59 UTC 2024
    - 2K bytes
    - Viewed (0)