Ingress gateway how to remove Cert from XFCC

Hi There,

I try to configure amount of details that can be pushed thru XFCC. Currently it’s in form of:
Hash=957be02cd031c04355c94706d071f80c52f45fcc754342b9bbd210f463e1c6b9;Cert="-----BEGIN%20CERTIFICATE-----…-----END%20CERTIFICATE-----%0A";Subject=“CN=test,OU=test,O=test,L=test,ST=CA,C=US”;URI=

I want to remove Cert field from the header but I couldn’t do it yet. I tried to use envoyFilter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xffc-details
  namespace: {{ .Release.Namespace }} 
spec:
  workloadSelector:
    labels:
{{ .Values.iicsgateway.labels | toYaml | indent 6 }}
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          set_current_client_cert_details: 
            subject: true
            cert: false
            chain: false
            dns: false
            uri: true

I double checked that workload is correct but I couldn’t figure out why it doesn’t work.
Here is the proxy config:

istioctl proxy-config listener iicsgateway-75d578fcbf-vg6h9.masked -o json
[
    {
        "name": "0.0.0.0_10002",
        "address": {
            "socketAddress": {
                "address": "0.0.0.0",
                "portValue": 10002
            }
        },
        "filterChains": [
            {
                "tlsContext": {
                    "commonTlsContext": {
                        "tlsCertificates": [
                            {
                                "certificateChain": {
                                    "filename": "/etc/istio/ingressgateway-certs/tls.crt"
                                },
                                "privateKey": {
                                    "filename": "/etc/istio/ingressgateway-certs/tls.key"
                                }
                            }
                        ],
                        "validationContext": {
                            "trustedCa": {
                                "filename": "/etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem"
                            }
                        },
                        "alpnProtocols": [
                            "h2",
                            "http/1.1"
                        ]
                    },
                    "requireClientCertificate": true
                },
                "filters": [
                    {
                        "name": "envoy.http_connection_manager",
                        "typedConfig": {
                            "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
                            "statPrefix": "outbound_0.0.0.0_10002",
                            "rds": {
                                "configSource": {
                                    "ads": {}
                                },
                                "routeConfigName": "https.10002.https.iics-masked.masked"
                            },
                            "httpFilters": [
                                {
                                    "name": "mixer",
                                    "typedConfig": {
                                        "@type": "type.googleapis.com/istio.mixer.v1.config.client.HttpClientConfig",
                                        "transport": {
                                            "networkFailPolicy": {
                                                "policy": "FAIL_CLOSE",
                                                "baseRetryWait": "0.080s",
                                                "maxRetryWait": "1s"
                                            },
                                            "checkCluster": "outbound|15004||istio-policy.istio-system.svc.cluster.local",
                                            "reportCluster": "outbound|15004||istio-telemetry.istio-system.svc.cluster.local",
                                            "reportBatchMaxEntries": 100,
                                            "reportBatchMaxTime": "1s"
                                        },
                                        "serviceConfigs": {
                                            "default": {
                                                "disableCheckCalls": true
                                            }
                                        },
                                        "defaultDestinationService": "default",
                                        "mixerAttributes": {
                                            "attributes": {
                                                "context.proxy_version": {
                                                    "stringValue": "1.4.5"
                                                },
                                                "context.reporter.kind": {
                                                    "stringValue": "outbound"
                                                },
                                                "context.reporter.uid": {
                                                    "stringValue": "kubernetes://iicsgateway-75d578fcbf-vg6h9.masked"
                                                },
                                                "source.namespace": {
                                                    "stringValue": "masked"
                                                },
                                                "source.uid": {
                                                    "stringValue": "kubernetes://iicsgateway-75d578fcbf-vg6h9.masked"
                                                }
                                            }
                                        },
                                        "forwardAttributes": {
                                            "attributes": {
                                                "source.uid": {
                                                    "stringValue": "kubernetes://iicsgateway-75d578fcbf-vg6h9.masked"
                                                }
                                            }
                                        },
                                        "ignoreForwardedAttributes": true
                                    }
                                },
                                {
                                    "name": "envoy.cors"
                                },
                                {
                                    "name": "envoy.fault"
                                },
                                {
                                    "name": "envoy.lua",
                                    "config": {
                                        "inlineCode": "..masked.."
                                    }
                                },
                                {
                                    "name": "envoy.router"
                                }
                            ],
                            "tracing": {
                                "operationName": "EGRESS",
                                "clientSampling": {
                                    "value": 100
                                },
                                "randomSampling": {
                                    "value": 1
                                },
                                "overallSampling": {
                                    "value": 100
                                }
                            },
                            "httpProtocolOptions": {},
                            "serverName": "istio-envoy",
                            "streamIdleTimeout": "0s",
                            "accessLog": [
                                {
                                    "name": "envoy.file_access_log",
                                    "typedConfig": {
                                        "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
                                        "path": "/dev/stdout",
                                        "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
                                    }
                                }
                            ],
                            "useRemoteAddress": true,
                            "generateRequestId": true,
                            "forwardClientCertDetails": "SANITIZE_SET",
                            "setCurrentClientCertDetails": {
                                "subject": true,
                                "cert": true,
                                "dns": true,
                                "uri": true
                            },
                            "upgradeConfigs": [
                                {
                                    "upgradeType": "websocket"
                                }
                            ],
                            "normalizePath": true
                        }
                    }
                ]
            }
        ],
        "listenerFilters": [
            {
                "name": "envoy.listener.tls_inspector"
            }
        ],
        "trafficDirection": "OUTBOUND"
    },
    {
        "address": {
            "socketAddress": {
                "address": "0.0.0.0",
                "portValue": 15090
            }
        },
        "filterChains": [
            {
                "filters": [
                    {
                        "name": "envoy.http_connection_manager",
                        "config": {
                            "codec_type": "AUTO",
                            "http_filters": {
                                "name": "envoy.router"
                            },
                            "route_config": {
                                "virtual_hosts": [
                                    {
                                        "domains": [
                                            "*"
                                        ],
                                        "name": "backend",
                                        "routes": [
                                            {
                                                "match": {
                                                    "prefix": "/stats/prometheus"
                                                },
                                                "route": {
                                                    "cluster": "prometheus_stats"
                                                }
                                            }
                                        ]
                                    }
                                ]
                            },
                            "stat_prefix": "stats"
                        }
                    }
                ]
            }
        ]
    }
]

I see that gateway sets the Cert value to true by default: https://github.com/istio/istio/blob/17976bc32159e96d6ba5793a33e512e7539f9237/pilot/pkg/networking/core/v1alpha3/gateway.go#L379
Could it be a boolean value merge problem?

Any other ideas how to remove it?

I found that there was the same issue with use_remote_address flag, somebody couldn’t be set to false: https://github.com/istio/istio/issues/12549

I think, it is something to do with boolean flag merge.