Istio supports setting Envoy’s forward_client_cert_details option for Gateways as per Istio / Configuring Gateway Network Topology. I want to set it to SANITIZE for sidecars for intra-cluster traffic.
I have tried using the following EnvoyFilter, which I would expect to override Istio’s Envoy configuration, but it does not seem to be being applied as expected:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: forward-client-cert
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          forward_client_cert_details: SANITIZE
          max_request_headers_kb: 89
(Note: Running a config dump on Envoy within the sidecar, I can see that the max_request_headers_kb is being set to 89 as expected, but the forward_client_cert_details setting is having no effect, and is not changed from APPEND_FORWARD.)
Is there any way to do what I am trying to do?
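
One way to make the config-dump check from the note repeatable, as an added example that is not part of the original post: it walks an Envoy config dump (JSON) and reports forward_client_cert_details and max_request_headers_kb for every HTTP connection manager it finds. The sample dump, its listener names and the helper names are constructed for illustration; a field missing from the dump is read as the enum's zero value, SANITIZE.

```python
import json

# SANITIZE is the zero value of Envoy's ForwardClientCertDetails enum, so a
# dump that omits the field is read here as SANITIZE (assumption of this example).
DEFAULT_XFCC = "SANITIZE"

# Constructed sample shaped like a sidecar config dump; not real cluster output.
SAMPLE_DUMP = json.loads("""
{"configs": [{"dynamic_listeners": [
  {"active_state": {"listener": {"name": "virtualInbound", "filter_chains": [
    {"filters": [{"name": "envoy.http_connection_manager", "typed_config": {
      "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
      "forward_client_cert_details": "APPEND_FORWARD",
      "max_request_headers_kb": 89}}]}]}}},
  {"active_state": {"listener": {"name": "0.0.0.0_8080", "filter_chains": [
    {"filters": [{"name": "envoy.http_connection_manager", "typed_config": {
      "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
      "max_request_headers_kb": 89}}]}]}}}
]}]}
""")

def find_hcm_settings(node, listener=None):
    """Recursively collect HttpConnectionManager settings, tagged by listener name."""
    found = []
    if isinstance(node, dict):
        if "filter_chains" in node:  # this dict is a listener; remember its name
            listener = node.get("name", listener)
        if str(node.get("@type", "")).endswith("HttpConnectionManager"):
            found.append({
                "listener": listener,
                "forward_client_cert_details":
                    node.get("forward_client_cert_details", DEFAULT_XFCC),
                "max_request_headers_kb": node.get("max_request_headers_kb"),
            })
        for value in node.values():
            found.extend(find_hcm_settings(value, listener))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_hcm_settings(item, listener))
    return found

def not_sanitized(dump):
    """Return the connection managers whose effective XFCC mode is not SANITIZE."""
    return [s for s in find_hcm_settings(dump)
            if s["forward_client_cert_details"] != "SANITIZE"]

if __name__ == "__main__":
    for entry in not_sanitized(SAMPLE_DUMP):
        print(entry)
```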