Both mTLS and non-mTLS traffic on same host

Hello everyone,

I am trying to expose an application that supports various types of security:

  • mTLS
  • JWT
  • One-time bootstrap tokens

I am trying to expose this application via an Istio Gateway; however, I have a strict requirement that this application must be accessible with all of those types of credentials on the same host (dedicated paths are allowed).

This results in the following use case. I need mTLS termination on my ingress Gateway if a client certificate is provided. However, if no client certificate is provided, the request should be passed through as if it were tls.mode = SIMPLE, and then I have custom JWT token validation.

I have successfully configured an Istio Gateway with different TLS modes (MUTUAL and SIMPLE) on different hosts, which in the end both result in one and the same VirtualService.

Is there any native Istio way, or some kind of workaround (e.g. an EnvoyFilter), for these two types of authentication to work on a single host, where mTLS is handled by Istio when a client certificate is presented, and the request is still allowed when there is no client certificate?
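As an added illustration (not part of the original post), here is the two-host setup the question describes, written out as Istio Gateway and VirtualService manifests; the host names, secret names, service name and namespace are assumed placeholders.

```yaml
# Added example, not from the original post: one Gateway with two servers on
# different hosts, one terminating mTLS (MUTUAL) and one plain TLS (SIMPLE),
# both routed by a single VirtualService. Hosts, secret and service names are
# assumed placeholders.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-mtls
      protocol: HTTPS
    hosts:
    - mtls.example.com
    tls:
      mode: MUTUAL
      # Secret holds the server cert/key plus the CA used to verify client certs
      credentialName: app-mtls-credential
  - port:
      number: 443
      name: https-simple
      protocol: HTTPS
    hosts:
    - jwt.example.com
    tls:
      mode: SIMPLE
      credentialName: app-tls-credential
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app
  namespace: istio-system
spec:
  hosts:
  - mtls.example.com
  - jwt.example.com
  gateways:
  - app-gateway
  http:
  - route:
    - destination:
        host: app.default.svc.cluster.local
        port:
          number: 8080
```

With this layout the mTLS host rejects connections without a client certificate at the TLS handshake, while the SIMPLE host accepts any TLS client and leaves credential checking to the JWT validation behind it; the single-host variant the question asks for is not expressed here.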