Migrate from using bind_to_port=false to filter chains.

[PiotrSikora]

Envoy removed support for bind_to_port (envoyproxy/envoy#5288), which has been marked as deprecated_v1 since 2017-08-15 (envoyproxy/data-plane-api@86de1f2), and announced to be removed on 2018-03-15 (https://groups.google.com/forum/#!topic/envoy-announce/Lb1QZcSclGQ), so it was long time coming, but we cannot upgrade Envoy in Istio Proxy now...

The feature was superseded by filter chains, and so we should migrate from using multiple listeners with bind_to_port=false to a single listener with multiple filter chains.

cc @duderino @costinm @rshriram @knrc

[PiotrSikora]

Re-removal tracked upstream: envoyproxy/envoy#5355

[PiotrSikora]

Note: Migration to filter chains will require split to separate inbound/outbound listeners (see: #6259), since we need to have different listener filters in both cases (notably, we need TLS Inspector in the inbound listener for the PERMISSIVE mode, but we cannot have in the outbound listener).

[duderino]

@philrud this would be a good first meaty bug.

[duderino]

@phildrud how about we give this to @silentdai instead? He's going to work on the filter chain discovery service in the Envoy-side, so it may make sense for him to do the control plan side too

CC @htuch and @alyssawilk

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 90 days. It will be closed in the next 30 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

[lambdai]

Working in progress. Currently we cannot move to filter chain due to user impact. If we move migrate the outbound listener to adopt filterchain, any filter chain change will drain the listener and all the filter chains are impacted.
We need Filter Chain Discovery Service, or a subset which restrict the impact of other filter chain.

[lambdai]

The progress we made as of istio 1.3:

• split capture inbound and outbound listeners
• the virtual inbound listener is fully migrated to filter chains

in istio 1.4
Implement FCDS in envoy and adopt in istio
istio will deprecate bind_to_port listeners outbound listeners

[duderino]

Thanks for the update. I'm moving this to the next release so we don't keep nagging it for the 1.3 release.

[howardjohn]

@lambdai are we expecting FCDS to be done by 1.4? Seems like this is likely a 1.5 or later item?

[duderino]

I think @lambdai should work on this nowish, but I have no opinion on whether 1.4 or 1.5 is feasible

[lambdai]

The goal is to be done at 1.4 unless higher priority task reaches. E.g vulnerability...

[duderino]

Well stated :)

[howardjohn]

Update 6 years later: this is still desired, but low priority

[howardjohn]

We will want to implement #36596 as part of this