Chapter 11. Post-quantum cryptography

Prerequisites

• You have logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
• You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
• You have deployed the Istio and IstioCNI resources.

• You have installed the following CLI tools locally:

  • oc
  • podman
  • curl

Procedure

• Update the Istio control plane to enable PQC by running the following command:

  $ oc apply -f - <<EOF
  apiVersion: sailoperator.io/v1
  kind: Istio
  metadata:
    name: default
  spec:
    version: v1.28.5
    namespace: istio-system
    updateStrategy:
      type: InPlace
    values:
      meshConfig:
        accessLogFile: /dev/stdout
        tlsDefaults:
          ecdhCurves:
          - X25519MLKEM768
  EOF

  • spec.values.meshConfig.tlsDefaults.ecdhCurves defines the setting that applies to all non-mesh Transport Layer Security (TLS) connections in your Istio deployment, including:

    • Ingress gateways: TLS connections from external clients.
    • Egress gateways: TLS connections to external services.
    • External service connections: Any TLS connections to services outside the mesh.
  Note

  This setting does not apply to mesh-internal mutual Transport Layer Security (mTLS). Communication between services within the mesh uses the default Istio mTLS configuration.

  • spec.values.meshConfig.tlsDefaults defines a configuration that is a mesh-wide setting that applies to all gateways and mesh-internal traffic. You cannot enable PQC algorithms for individual workloads. To use different TLS configurations for specific gateways, you must deploy separate control planes with a unique meshConfig.tlsDefaults settings.

Prerequisites

• You have logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
• You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
• You have deployed the Istio and IstioCNI resources.

• You have installed the following CLI tools locally:

  • oc
  • podman
  • curl

Procedure

• Update the Istio control plane to enable PQC by running the following command:

  $ oc apply -f - <<EOF
  apiVersion: sailoperator.io/v1
  kind: Istio
  metadata:
    name: default
  spec:
    version: v1.28.5
    namespace: istio-system
    updateStrategy:
      type: InPlace
    values:
      pilot:
        env:
          COMPLIANCE_POLICY: "pqc"
  EOF

  • spec.values.pilot.env.COMPLIANCE_POLICY specifies the compliance policy that the Istio control plane enforces. Set the field to pqc to enable PQC.

Prerequisites

• You have logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
• You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
• You have deployed the Istio and IstioCNI resources with ambient mode enabled.

• You have installed the following CLI tools locally:

  • oc
  • podman
  • curl

Procedure

• Update the Istio control plane and ztunnel to enable PQC by running the following command:

  $ oc apply -f - <<EOF
  apiVersion: sailoperator.io/v1
  kind: Istio
  metadata:
    name: default
  spec:
    version: v1.28.5
    namespace: istio-system
    updateStrategy:
      type: InPlace
    values:
      pilot:
        env:
          COMPLIANCE_POLICY: "pqc"
      ztunnel:
        env:
          COMPLIANCE_POLICY: "pqc"
  EOF

  • spec.values.pilot.env.COMPLIANCE_POLICY specifies the compliance policy for the Istio control plane. Set the field to pqc to enable PQC.
  • spec.values.ztunnel.env.COMPLIANCE_POLICY specifies the compliance policy for ztunnel in ambient mode. Set the field to pqc to enable PQC.