Here is what my configuration looks like (referenced from GitHub's common examples for XFCC):
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xfcc-forward
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          forward_client_cert_details: ALWAYS_FORWARD_ONLY
          set_current_client_cert_details:
            subject: true
            cert: true
            chain: true
```
A couple of questions (sorry if they sound stupid, I am very new to this):

- My IngressGateway is configured in a custom namespace 'X'. Should I configure the EnvoyFilter also in that namespace? Or default? Or istio-system?
- I have a scenario where a client outside my cluster calls my API and passes the cert in the header (I am doing TLS termination at the gateway and have configured global mTLS and ISTIO_MUTUAL on the client side), and I need to pass that cert to my service within the cluster. Unfortunately, with the above configuration the XFCC header only has the cert details of the internal certs issued by Citadel and not the client's. Am I missing something basic here?
Thank you in advance!
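Added example (not from the original post, Istio, or Envoy): a small Python parser for the X-Forwarded-Client-Cert header as the service inside the cluster would receive it, written from the receiving side. It shows why the header has to be parsed with quoting in mind (Subject is a DN containing commas, so Envoy quotes it), checks that the Hash field really is the SHA-256 of the URL-encoded Cert field, and separates hops that carry a SPIFFE URI (in-mesh workloads such as the gateway or a sidecar) from hops describing any other client. The sample header is constructed; the "DER" bytes are placeholders rather than a real certificate, and the namespace `X` and service-account names are assumed.

```python
"""Parse and sanity-check an X-Forwarded-Client-Cert (XFCC) header.

XFCC is a comma-separated list of elements, one per proxy hop that added its
view of the client certificate. Each element is a semicolon-separated list of
Key=Value pairs (By, Hash, Cert, Chain, Subject, URI, DNS). Values may be
double-quoted, with a backslash escaping the next character. Cert and Chain
are URL-encoded PEM; Hash is the hex SHA-256 of the leaf certificate's DER.
"""
import base64
import hashlib
from typing import Dict, List, Tuple
from urllib.parse import quote, unquote


def parse_xfcc(header: str) -> List[Dict[str, str]]:
    """Split an XFCC header into one dict per hop, honouring quoting/escaping."""
    hops: List[Dict[str, str]] = []
    hop: Dict[str, str] = {}
    buf: List[str] = []
    key = None  # None while reading a key, the key string while reading its value
    quoted = escaped = False

    def flush_pair() -> None:
        nonlocal key, buf, hop
        if key is not None:
            hop[key] = "".join(buf)
        elif "".join(buf).strip():
            raise ValueError("XFCC element without '=': %r" % "".join(buf))
        key, buf = None, []

    for ch in header:
        if escaped:  # the character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif quoted:
            if ch == "\\":
                escaped = True
            elif ch == '"':
                quoted = False
            else:
                buf.append(ch)  # ';' and ',' inside quotes do not split
        elif ch == '"' and key is not None and not buf:
            quoted = True  # opening quote of a value
        elif ch == "=" and key is None:
            key = "".join(buf).strip()
            buf = []
        elif ch == ";":
            flush_pair()
        elif ch == ",":  # start of the next proxy hop
            flush_pair()
            if hop:
                hops.append(hop)
                hop = {}
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quoted value in XFCC header")
    flush_pair()
    if hop:
        hops.append(hop)
    return hops


def cert_hash_matches(hop: Dict[str, str]) -> bool:
    """True when the hop carries a Cert whose DER SHA-256 equals its Hash field."""
    if "Cert" not in hop or "Hash" not in hop:
        return False
    pem = unquote(hop["Cert"])
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    return hashlib.sha256(der).hexdigest() == hop["Hash"].lower()


def split_mesh_hops(hops: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Separate hops whose client identity is a SPIFFE URI (in-mesh workloads)
    from hops describing any other client, e.g. one outside the cluster."""
    mesh = [h for h in hops if h.get("URI", "").startswith("spiffe://")]
    other = [h for h in hops if h not in mesh]
    return mesh, other


# Constructed sample input: placeholder bytes stand in for real DER certificates.
CLIENT_DER = b"constructed-client-cert-der"
GATEWAY_DER = b"constructed-gateway-cert-der"
CLIENT_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(CLIENT_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_HEADER = (
    # element 1: a hop that recorded an external client's cert (assumed values)
    "Hash=" + hashlib.sha256(CLIENT_DER).hexdigest()
    + ';Cert="' + quote(CLIENT_PEM, safe="") + '"'
    + ';Subject="CN=client.example,O=Example Inc,C=US"'
    # element 2: a later in-mesh hop identified by a SPIFFE URI (assumed names)
    + ",By=spiffe://cluster.local/ns/X/sa/my-service"
    + ";Hash=" + hashlib.sha256(GATEWAY_DER).hexdigest()
    + ';Subject="";URI=spiffe://cluster.local/ns/X/sa/istio-ingressgateway-service-account'
)

if __name__ == "__main__":
    parsed = parse_xfcc(SAMPLE_HEADER)
    mesh_hops, other_hops = split_mesh_hops(parsed)
    for h in parsed:
        print(sorted(h.keys()), "hash ok:", cert_hash_matches(h))
    print(len(mesh_hops), "mesh hop(s),", len(other_hops), "other hop(s)")
```

Run it as a script to see both hops printed; the integrity check passes only for the hop that actually carries the Cert field, so a service can tell an element that merely names a certificate from one that delivers it.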