Yes, this is how we modeled it:
1. Request from client comes in to Ingress Gateway
2. Ingress Gateway checks certificate fingerprint against a whitelist
   2.1) If fingerprint exists in whitelist (populated by a secret), request enters the cluster
   2.2) If fingerprint doesn’t exist, request is rejected
My investigation has led me to either an EnvoyFilter (native to Istio/Envoy) or using Gloo with a function-level route that will check this; however, I’d like to keep Istio’s Ingress Gateway if possible.
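For reference, here is what the EnvoyFilter variant of that model can look like as an added example (not the poster's configuration). It assumes the Gateway already has `tls.mode: MUTUAL` so Envoy terminates client TLS and validates the chain, the filter reads the peer digest through Envoy's Lua `downstreamSslConnection()` API, and the allowlist is inlined with constructed placeholder digests where the design above would render them from the secret.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: client-cert-fingerprint-allowlist
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway          # only patch the ingress gateway pods
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE       # runs before routing, so rejected requests never enter the mesh
      value:
        name: envoy.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            -- Constructed placeholder allowlist: lower-case hex SHA-256 of the client cert (DER).
            -- In the model above this table would be rendered from the Kubernetes secret.
            local allowed = {
              ["0000000000000000000000000000000000000000000000000000000000000001"] = true,
              ["0000000000000000000000000000000000000000000000000000000000000002"] = true,
            }
            function envoy_on_request(request_handle)
              local ssl = request_handle:streamInfo():downstreamSslConnection()
              -- Plaintext or no client cert presented: reject (MUTUAL mode should already prevent this)
              if ssl == nil or not ssl:peerCertificatePresented() then
                request_handle:respond({[":status"] = "403"}, "client certificate required")
                return
              end
              local fp = string.lower(ssl:sha256PeerCertificateDigest())
              if not allowed[fp] then
                request_handle:logWarn("rejected client certificate fingerprint " .. fp)
                request_handle:respond({[":status"] = "403"}, "client certificate not allowed")
                return
              end
              -- Fingerprint is on the list: fall through to the router filter (2.1)
            end
```

The digest to put on the list is the SHA-256 of the DER-encoded certificate, e.g. `openssl x509 -in client.crt -outform DER | openssl dgst -sha256`. Because the filter is inline, changing the secret means re-rendering and re-applying the EnvoyFilter rather than the gateway picking it up live.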