feat(translator): client tls session resumption

[guydc]

What type of PR is this?

What this PR does / why we need it:

Introduces an API for TLS session management:

• Session Timeout
• Disable TLS resumption by default. Allow users to opt-in.
• Adds E2E Tests and Docs for ClientTrafficPolicy TLS settings

Which issue(s) this PR fixes:
Fixes #4268, #2422, #2421

[codecov]

Codecov Report

Attention: Patch coverage is 90.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 65.80%. Comparing base (0f4cb27) to head (d24d5c0).

Files with missing lines	Patch %	Lines
internal/gatewayapi/clienttrafficpolicy.go	80.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4293      +/-   ##
==========================================
+ Coverage   65.72%   65.80%   +0.08%     
==========================================
  Files         200      200              
  Lines       24125    24145      +20     
==========================================
+ Hits        15856    15889      +33     
+ Misses       7135     7124      -11     
+ Partials     1134     1132       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[guydc]

Following yesterday's community meeting, some additional industry context.

Currently, Mozilla's SSL config generator recommends disabling stateless resumption (session tickets) for nginx, apache and haproxy for security reasons.

• https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1k&guideline=5.7
• https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7
• https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.7

This is mostly due to insufficient rotation of session ticket encryption keys in these projects. There is an ongoing discussion on changing the recommendation for newer versions of nginx where keys are rotated: mozilla/server-side-tls#135.

BoringSSL rotates encryption keys by default every 48 hours: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets. Envoy doesn't change this behavior or make the rotation schedule configurable. Industry leaders like cloudflare rotate session ticket encryption keys every hour: https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/.

There is no security recommendation to disable stateful session resumption. However:

• Stateful resumption is no longer supported in TLSv1.3: https://www.wolfssl.com/tls-1-3-performance-resumption/
• Envoy has a well-known issue that can only be mitigated by disabling stateful session resumption: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions
• There is no way to synchronize session caches across proxy instances. The effort to support synchronization is significant: RFC: Enable TLS external session cache envoy#14553

nginx ingress by default disables stateful and stateless session resumption, but makes it possible to opt-in:

• https://github.com/kubernetes/ingress-nginx/blob/a9c9a9d51e48f50edd5e8e3084a5c485366ba6c4/rootfs/etc/nginx/template/nginx.tmpl#L426
• https://github.com/kubernetes/ingress-nginx/blob/a9c9a9d51e48f50edd5e8e3084a5c485366ba6c4/rootfs/etc/nginx/template/nginx.tmpl#L432

I propose that we change the current behavior and disable both resumption methods by default, but allow users to opt-in similar to nginx ingress.

[zirain]

need to record how this is generated for future maintenance.

[arkodg]

prefer SessionResumption