Results 121 - 130 of 390 for mtls (0.16 sec)

  1. releasenotes/notes/ssh-iptables.yaml

    apiVersion: release-notes/v2
    kind: bug-fix
    area: traffic-management
    issue:
    - 35733
    releaseNotes:
    - |
      **Fixed** an issue causing mTLS errors for traffic on port 22, by including port 22 in iptables by default.
    
    upgradeNotes:
    - title: Port 22 iptables capture changes
      content: |
        In previous versions, port 22 was excluded from iptables capture. This mitigates risk of getting locked out of a VM
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Dec 06 15:15:39 UTC 2021
    - 1K bytes
    - Viewed (0)
  2. releasenotes/notes/fips.yaml

      curves to `P-256`. These restrictions apply on the following data paths:
    
      * mTLS communication between Envoy proxies;
      * regular TLS on the downstream and the upstream of Envoy proxies (e.g. gateway);
      * Google gRPC side requests from Envoy proxies (e.g. Stackdriver extensions);
      * Istiod xDS server;
      * Istiod injection and validation webhook servers.
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 23 00:16:21 UTC 2024
    - 1.2K bytes
    - Viewed (0)
  3. staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go

    	CacheTTL time.Duration
    
    	// CAContentProvider are the options for verifying incoming connections using mTLS and directly assigning to users.
    	// Generally this is the CA bundle file used to authenticate client certificates
    	// If this is nil, then mTLS will not be used.
    	ClientCertificateCAContentProvider dynamiccertificates.CAContentProvider
    
    	APIAudiences authenticator.Audiences
    
    Registered: Sat Jun 15 01:39:40 UTC 2024
    - Last Modified: Tue Jun 29 07:49:14 UTC 2021
    - 5.1K bytes
    - Viewed (0)
  4. pkg/istio-agent/agent_test.go

    	}
    	for _, r := range extraRoots {
    		if err := peerCertVerifier.AddMappingFromPEM("cluster.local", r); err != nil {
    			t.Fatal(err)
    		}
    	}
    	return grpc.Creds(credentials.NewTLS(&tls.Config{
    		Certificates: []tls.Certificate{cert},
    		ClientAuth:   tls.VerifyClientCertIfGiven,
    		ClientCAs:    peerCertVerifier.GetGeneralCertPool(),
    		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu May 16 22:12:28 UTC 2024
    - 33.4K bytes
    - Viewed (0)
  5. tests/testdata/networking/envoyfilter-without-service/configs.yaml

    # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-config
    spec:
      mtls:
        mode: STRICT
    ---
    # Corresponding destination rule to configure client side to use mutual TLS when talking to
    # any service (host) in the mesh.
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jul 13 16:44:49 UTC 2023
    - 1.8K bytes
    - Viewed (0)
  6. pilot/pkg/serviceregistry/serviceentry/controller_test.go

    		makeInstance(httpStatic, "2.2.2.2", 18080, httpStatic.Spec.(*networking.ServiceEntry).Ports[1], nil, MTLS),
    		makeInstance(httpStatic, "3.3.3.3", 1080, httpStatic.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),
    		makeInstance(httpStatic, "3.3.3.3", 8080, httpStatic.Spec.(*networking.ServiceEntry).Ports[1], nil, MTLS),
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed May 29 15:31:09 UTC 2024
    - 92.9K bytes
    - Viewed (0)
  7. releasenotes/notes/peer-authn-port-level-pass-through-filter.yaml

          supported even if the port number is not defined in a service, a special pass through filter chain will be added
          to respect the corresponding per-port-level mTLS specification.
          Please check your PeerAuthentication to make sure you are not using the per-port-level configuration on pass through
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Nov 13 22:43:51 UTC 2020
    - 1.2K bytes
    - Viewed (0)
  8. pkg/features/security.go

    var (
    	CompliancePolicy = env.Register("COMPLIANCE_POLICY", "",
    		`If set, applies policy-specific restrictions over all existing TLS
    settings, including in-mesh mTLS and external TLS. Valid values are:
    
    * '' or unset places no additional restrictions.
    * 'fips-140-2' which enforces a version of the TLS protocol and a subset
    of cipher suites overriding any user preferences or defaults for all runtime
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 23 00:16:21 UTC 2024
    - 1.6K bytes
    - Viewed (0)
  9. pkg/config/constants/constants.go

    	// CertChainFilename is mTLS chain file
    	CertChainFilename = "cert-chain.pem"
    	// KeyFilename is mTLS private key
    	KeyFilename = "key.pem"
    	// RootCertFilename is mTLS root cert
    	RootCertFilename = "root-cert.pem"
    
    	// ConfigPathDir config directory for storing envoy json config files.
    	ConfigPathDir = "./etc/istio/proxy"
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 17:48:28 UTC 2024
    - 10K bytes
    - Viewed (0)
  10. tests/testdata/networking/sidecar-without-service/configs.yaml

      - hosts:
        - "./*"
    ---
    # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-config
    spec:
      mtls:
        mode: STRICT
    ---
    # Corresponding destination rule to configure client side to use mutual TLS when talking to
    # any service (host) in the mesh.
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Jan 04 17:16:38 UTC 2021
    - 1.9K bytes
    - Viewed (0)