startTLS support in service entry

[ceastman-ibm]

Describe the feature request
Since startTLS support has been added to envoy: envoyproxy/envoy#13112

Can it be used in the protocol section of service entries? something like:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: postgresql-service-entry
spec:
hosts:

• postgresql.server.com
  location: MESH_EXTERNAL
  ports:
• name: tls
  number: 30101
  protocol: STARTTLS
  resolution: DNS

Describe alternatives you've considered

[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Additional context

[adityaanand11]

#3588

[ceastman-ibm]

@howardjohn how do we keep this issue from getting closed due to staleness?

[GregHanson]

not stale - I am looking into the implementation

[howardjohn]

Not sure this makes sense. STARTTLS means that the client starts with raw TCP and then 'upgrades' to TLS. protocol: TLS in Istio means we route based on an SNI. The initial connection with STARTTLS does not have SNI, so there is nothing to route beyond protocol: TCP.

Add STARTTLS origination could make sense though.

[iprasla]

This is not a stale issue - this still needs to be addressed.

[remansour]

Can we get an update or ETA on when this will be addressed?

[GregHanson]

@remansour there was a PR started here but was eventually abandoned as consensus could not be reached

[iprasla]

Is there an update on this? It seems like there was discussion and it was suggested that there will be a solution to that. Can it be re-open or be addressed?

[istio-policy-bot]

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-06-21. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.