Here is what my configuration looks like (referenced from GitHub's common examples for XFCC):
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xfcc-forward
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          forward_client_cert_details: ALWAYS_FORWARD_ONLY
          set_current_client_cert_details:
            subject: true
            cert: true
            chain: true
```
A couple of questions (sorry if they sound stupid, I am very new to this):
My IngressGateway is configured in a custom namespace 'X'. Should I configure the EnvoyFilter also in that namespace? Or `default`? Or `istio-system`?
I have a scenario where a client outside my cluster calls my API and passes the cert in the header (I am doing TLS termination at the gateway and have configured global mTLS and ISTIO_MUTUAL on the client side), and I need to pass that cert to my service within the cluster. Unfortunately, with the above configuration, the XFCC header only has the cert details of the internal certs issued by Citadel and not the client's. Am I missing something basic here?
Thank you in advance!
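As an added illustration (not part of the original post, and not Istio's or Envoy's own code), here is a Python parser for the XFCC header value a service behind the gateway receives, following the element and key=value grammar from Envoy's header reference; it lets the service see which hop actually contributed a Subject/Cert. The two-hop SAMPLE_XFCC header, its namespace `X`, hashes and PEM body are constructed, not captured from a real mesh.

```python
from urllib.parse import unquote

# Envoy XFCC grammar: hops are comma-separated; each is ';'-separated key=value
# pairs (keys case-insensitive); values holding ',', ';' or '=' are double-quoted
# with \" escapes; Cert/Chain are URL-encoded PEM. SAMPLE_XFCC is constructed:
# hop 1 is an in-mesh SPIFFE identity, hop 2 an external client's subject+cert.
SAMPLE_XFCC = (
    'By=spiffe://cluster.local/ns/X/sa/myapp;Hash=0123abcd;Subject="";'
    'URI=spiffe://cluster.local/ns/X/sa/istio-ingressgateway-service-account,'
    'Hash=deadbeef;Subject="CN=external-client,O=Example \\"Corp\\"";'
    'DNS=client.example.test;DNS=alt.example.test;'
    'Cert="-----BEGIN%20CERTIFICATE-----%0AMIIB...%0A-----END%20CERTIFICATE-----%0A"'
)

def _store(hop: dict, key: list, val: list) -> None:
    # Record one finished key=value pair on the current hop.
    k, v = "".join(key).strip().lower(), "".join(val)
    if not k:
        return
    if k == "dns":                      # a cert may carry several DNS SANs
        hop.setdefault("dns", []).append(v)
    elif k in ("cert", "chain"):        # URL-encoded PEM -> real PEM text
        hop[k] = unquote(v)
    else:
        hop[k] = v

def parse_xfcc(header: str) -> list[dict]:
    """Return one dict per proxy hop, in the order the hops were appended."""
    hops, cur, key, val = [], {}, [], []
    in_quotes, escaped, reading_key = False, False, True
    for ch in header:
        if escaped:                     # char after a backslash inside quotes
            val.append(ch); escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif in_quotes:                 # quoted value: ',', ';', '=' are literal
            val.append(ch)
        elif ch == "=" and reading_key:
            reading_key = False
        elif ch in ";,":
            _store(cur, key, val)
            key, val, reading_key = [], [], True
            if ch == ",":               # end of this hop's element
                hops.append(cur); cur = {}
        else:
            (key if reading_key else val).append(ch)
    _store(cur, key, val)
    return hops + [cur] if cur else hops   # last hop has no trailing comma
```

A hop whose element carries only `By`/`Hash`/`URI` with a SPIFFE identity came from in-mesh mTLS; only a hop with `Subject`/`Cert` filled in reflects a proxy that saw the external client's certificate.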