I need some help creating an envoy-filter.
What I would like to achieve is that envoy-proxy accepts untrusted certs (actually only at the ingress, with mTLS coming from outside the mesh).
If I understand the envoy documentation correctly, this can be achieved by setting TlsContextMatchOptions validated = false.
I am struggling to achieve this with istio’s envoy-filter mechanism.
Is there someone who could provide detailed information about how to do this? I don’t find any good how-to/tutorial, and it seems that more people are struggling with it.
I’d be happy to write a tutorial on how to use envoy-filters properly as soon as I understand it in-depth.
These tutorials could be placed on the istio website.
This is what I got, but I suggest that this is horribly wrong:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: allow-untrusted-certs
  namespace: istio-system
spec:
  configpatches:
  - applyTo: Cluster
    patch:
      operation: MERGE
      value:
        name: "envoy.route.RouteMatch.TlsContextMatchOptions"
        typed_config:
          "@type": "type.googleapis.com/envoy.api.v2.route.RouteMatch.TlsContextMatchOptions"
          validated: false
```