Empty subject in x-forwarded-client-cert

I am trying to get my client certificate common name in the headers of my service, but unfortunately I am getting an empty string for the subject.

X-Forwarded-Client-Cert: By=spiffe://cluster.local/ns/default/sa/default;Hash=afb15b2fa11e07b572fb8cc549a07a71b169bdd818199ab1c2ad90f6f05fb2aa;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account

Could you let me know whether I need to use an EnvoyFilter, or is this the default behaviour? I tried with Istio version 1.3.

Does an empty subject mean Envoy is able to forward the information, but is not able to fetch the client certificate details?

Hi - I’m seeing the same behaviour. Any suggestions from the community would be much appreciated.

How did you configure your secure ingress gateway? It must be configured with CA certificates in order to get the certificate common name.

Please check the solution that I provided.

serverCertificate, privateKey and caCertificates are mandatory to provide.

Hi - what I’m looking for is really even more basic. By default, the subject isn’t passed by Envoy as part of the XFCC header; how do I configure the Envoy proxy to turn this on? I don’t have an empty subject, I don’t have a subject property at all. Thanks in advance.

The x-forwarded-client-cert was fixed in https://github.com/istio/istio/issues/8263. The subject should be forwarded by configuring SetCurrentClientCertDetails. EnvoyFilter could support configuring this: https://istio.io/docs/reference/config/networking/envoy-filter/. Could you check if subject is set to true? It is false by default. @lambdai, do you know if there are any docs about how to configure that?
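An added example, not posted by anyone in this thread: a backend-side parser for the `X-Forwarded-Client-Cert` header that separates the two cases reported above, `Subject=""` (key emitted but empty) and no `Subject` key at all. The function names and the sample header are constructed for illustration, and the quoting rules are assumed from Envoy's documented XFCC syntax.

```python
# Added example (not from the thread): parse X-Forwarded-Client-Cert and
# classify Subject. Syntax assumed from Envoy's XFCC documentation: elements
# split on ',', key=value pairs on ';', values may be double-quoted with \".

def _split(text, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep an escaped pair such as \" intact
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_xfcc(header):
    """Return one dict per XFCC element (one element per proxy hop)."""
    elements = []
    for raw in _split(header, ","):
        fields = {}
        for pair in _split(raw.strip(), ";"):
            key, eq, value = pair.partition("=")
            if not eq:
                continue
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            fields[key.strip().lower()] = value  # keys compared case-insensitively
        if fields:
            elements.append(fields)
    return elements

def subject_status(element):
    """'absent': no Subject key; 'empty': Subject=""; otherwise 'present'."""
    if "subject" not in element:
        return "absent"
    return "present" if element["subject"] else "empty"

# Constructed sample with two hops; the first Subject contains a comma.
SAMPLE = 'By=spiffe://a/ns/x;Subject="CN=client,O=Example";URI=spiffe://a/ns/y,By=spiffe://b;Hash=00'
assert [subject_status(e) for e in parse_xfcc(SAMPLE)] == ["present", "absent"]
```

A service that authorizes on the common name should treat both `empty` and `absent` as "no client identity" rather than falling back to another field.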