Hello,
I need some help creating an envoy-filter.
What I would like to achieve is that envoy-proxy accepts untrusted certs (actually only at the ingress, with mTLS coming from outside the mesh).
If I understand the envoy documentation correctly, this can be achieved by setting TlsContextMatchOptions validated = false.
I am struggling to achieve this with istio’s envoy-filter mechanism.
Is there someone who could provide detailed information about how to do this? I can’t find any good how-to/tutorial, and it seems that more people are struggling with it.
I’d be happy to write a tutorial on how to use envoy-filters properly as soon as I understand it in-depth.
These tutorials could be placed on the istio website.
This is what I got, but I suspect that this is horribly wrong:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: allow-untrusted-certs
  namespace: istio-system
spec:
  configpatches:
  - applyTo: Cluster
    patch:
      operation: MERGE
      value:
        name: "envoy.route.RouteMatch.TlsContextMatchOptions"
        typed_config:
          "@type": "type.googleapis.com/envoy.api.v2.route.RouteMatch.TlsContextMatchOptions"
          validated: false
```