Choose to negotiate client certificate based on header

Hi All,

I’m working on a service that is high throughput. Sometime in the history of this service, we had external clients send a header to signal if they have provided a client certificate for TLS connections. This allows our service to avoid the cost of negotiating client certificates if none was provided.

Is there a way to configure Istio to behave the same way? I’m assuming Permissive mTLS mode has to negotiate the certificate to see that one has been omitted, which is what I’m trying to avoid. Could I configure the authentication policy to be mTLS based on a header, and regular TLS otherwise?