Configuring EnvoyFilter for Forwarding Client Certs In Istio

Here is how my configuration looks like (referenced from github’s common examples for XFCC) :

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xfcc-forward
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          forward_client_cert_details: ALWAYS_FORWARD_ONLY
          set_current_client_cert_details:
            subject: true
            cert: true
            chain: true

Couple of questions (sorry if they sound stupid, I am very new to this :slight_smile: )

  1. My IngressGateway is configured in a custom namespace ‘X’, should I configure the EnvoyFilter also in that namespace? Or Default? Or Istio-System

  2. I have a scenario where a client outside my cluster calls my API and passes the cert in the header (I am doing a TLS termination at the gateway and have configured global mtls and ISTIO_MUTUAL client side), and I need to pass that cert to my service within the cluster. Unfortunately with the above configurations, the XFCC header only has the cert details of the internal certs by citadel and not the client’s. Am I missing something basic here?

Thank you in advance!