Description
Currently, Emissary allows users to configure cipher_suites and ecdhe_curves for TLS connections, but it does not expose configuration for the signature_algorithms parameter. This limits our ability to fully customize and secure TLS negotiations, even though the underlying Envoy proxy supports it.
We encountered a specific problem where we needed to use the ed25519 signature algorithm for a modern TLS setup. Because Emissary does not allow configuration of the signature_algorithms list, ed25519 was not available by default. We were forced to work around this limitation by building a custom Docker image that hardcodes our desired signature algorithms into the Python code:
v3.7.0/v3tls.py

```python
def add_context(self, ctx: IRTLSContext) -> None:
    # [...]
    # Hardcode signature_algorithms for all TLS contexts
    self.update_tls_cipher("signature_algorithms", [
        "ecdsa_secp256r1_sha256",
        "rsa_pss_rsae_sha256",
        "rsa_pkcs1_sha256",
        "ecdsa_secp384r1_sha384",
        "rsa_pss_rsae_sha384",
        "rsa_pkcs1_sha384",
        "rsa_pss_rsae_sha512",
        "rsa_pkcs1_sha512",
        "rsa_pkcs1_sha1",
        "ed25519",
        "ecdsa_secp521r1_sha512",
        "ecdsa_sha1"
    ])
```

We would like Emissary to expose the signature_algorithms configuration option in the TLSContext resource, similar to how cipher_suites and ecdhe_curves are exposed.
Envoy fully supports the signature_algorithms parameter in its TLS configuration.
Exposing this parameter is crucial for implementing modern security best practices and complying with specific organizational security requirements that may mandate or recommend certain algorithms over others.
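As an added illustration of what exposing the option could look like (example code written for this page, not Emissary's or Envoy's own code): a small validator that takes a TLSContext-style resource, checks a `signature_algorithms` list against the TLS 1.3 SignatureScheme names from RFC 8446 section 4.2.3, warns about the two SHA-1 schemes that RFC 8446 keeps only for backward compatibility, and renders the result into the `tls_params` shape of Envoy's TlsParameters message (`cipher_suites`, `ecdh_curves`, `signature_algorithms`). The resource key names `cipher_suites`, `ecdhe_curves` and `signature_algorithms`, the function names, and the sample resources are assumptions for the example.

```python
"""Added example: validate a TLSContext-style `signature_algorithms` list and
render it into Envoy `tls_params`. Key names on the input resource and the
function names are hypothetical; the algorithm names are RFC 8446 SignatureScheme
names; the Envoy field names are those of its TlsParameters message."""

from typing import Dict, List, Tuple

# SignatureScheme names registered by RFC 8446 section 4.2.3.
KNOWN_SIGNATURE_ALGORITHMS = frozenset({
    "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "ecdsa_secp521r1_sha512",
    "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
    "rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512",
    "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512",
    "ed25519", "ed448",
    "rsa_pkcs1_sha1", "ecdsa_sha1",
})

# RFC 8446 keeps these only for backward compatibility; they must not be used
# for TLS 1.3 signatures, so a hardened configuration should leave them out.
LEGACY_SIGNATURE_ALGORITHMS = frozenset({"rsa_pkcs1_sha1", "ecdsa_sha1"})


def validate_signature_algorithms(algs: List[str]) -> Tuple[List[str], List[str]]:
    """Return (accepted list in the configured order, warnings).

    Raises ValueError for names outside the registry or listed twice, so a
    typo cannot silently shrink the negotiated set."""
    accepted: List[str] = []
    warnings: List[str] = []
    seen = set()
    for name in algs:
        if name not in KNOWN_SIGNATURE_ALGORITHMS:
            raise ValueError(f"unknown signature algorithm: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate signature algorithm: {name!r}")
        seen.add(name)
        if name in LEGACY_SIGNATURE_ALGORITHMS:
            warnings.append(f"{name} is legacy-only in TLS 1.3 (RFC 8446 section 4.2.3)")
        accepted.append(name)
    return accepted, warnings


def render_tls_params(tls_context: Dict[str, object]) -> Dict[str, object]:
    """Map the (hypothetical) TLSContext keys onto Envoy's tls_params names.

    Keys absent from the resource are omitted so Envoy keeps its own defaults;
    note the resource spelling `ecdhe_curves` maps to Envoy's `ecdh_curves`."""
    params: Dict[str, object] = {}
    if "cipher_suites" in tls_context:
        params["cipher_suites"] = list(tls_context["cipher_suites"])
    if "ecdhe_curves" in tls_context:
        params["ecdh_curves"] = list(tls_context["ecdhe_curves"])
    if "signature_algorithms" in tls_context:
        accepted, _ = validate_signature_algorithms(list(tls_context["signature_algorithms"]))
        params["signature_algorithms"] = accepted
    return {"common_tls_context": {"tls_params": params}}


# Constructed sample: the list hardcoded in the workaround above.
WORKAROUND_LIST = [
    "ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256", "rsa_pkcs1_sha256",
    "ecdsa_secp384r1_sha384", "rsa_pss_rsae_sha384", "rsa_pkcs1_sha384",
    "rsa_pss_rsae_sha512", "rsa_pkcs1_sha512", "rsa_pkcs1_sha1",
    "ed25519", "ecdsa_secp521r1_sha512", "ecdsa_sha1",
]

# Constructed sample: a hardened resource that prefers ed25519 and drops SHA-1.
HARDENED_TLSCONTEXT = {
    "ecdhe_curves": ["X25519", "P-256"],
    "signature_algorithms": [
        "ed25519", "ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256",
        "ecdsa_secp384r1_sha384", "rsa_pss_rsae_sha384",
    ],
}


if __name__ == "__main__":
    _, warns = validate_signature_algorithms(WORKAROUND_LIST)
    for w in warns:
        print("warning:", w)
    print(render_tls_params(HARDENED_TLSCONTEXT))
```

Run stand-alone it prints two legacy warnings for the workaround list and the rendered `tls_params` for the hardened resource; the same validation would belong in the CRD layer so that an operator sees a rejected resource rather than a silently weakened handshake.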