Mutual TLS to wildcard domains
I have a requirement to be able to originate mutual TLS traffic to numerous domains that would be covered by the following wildcard pattern: “*.<my_company_domain>.com”.
I’ve been trying to achieve this by configuring an Egress Gateway with SNI proxy as described here.

The documentation explains how to originate mTLS using the workload certificates. This does not fit my case because upstream is expecting a specific CN in the certificate being sent. We deploy our custom certificate via cert-manager & CAS. How do I instruct the Egress Gateway to originate the traffic using the custom certificate and not the workload certificate?
There are two DestinationRule resources in the documentation. The first configures TLS between an app sidecar and the Egress Gateway. The second one disables TLS on the traffic routed to the sni-proxy container. It is not clear how to ensure that the final mTLS session (i.e. between sni-proxy and external upstream) is encrypted using our custom certificate.

Appreciate help on this.

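As an added example (it is not from the post above, nor copied from Istio's documentation), this is the shape Istio's egress-gateway TLS origination takes when the client certificate comes from a Kubernetes secret instead of the workload identity: a cert-manager Certificate that writes its key pair into a secret in the egress gateway's namespace, and a DestinationRule bound to the egress gateway that references that secret by `credentialName`. The host `api.example.com`, the secret and resource names, the CN, and the `cas-issuer` ClusterIssuer are all assumptions. Note that `sni` in this form is a fixed string, so it covers one named upstream rather than the wildcard pattern the post asks about.

```yaml
# Hypothetical example: custom client certificate for egress mTLS origination.
# The Certificate must live in the egress gateway's namespace (istio-system here),
# because Istio's gateway SDS only reads secrets from that namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: egress-client-cert
  namespace: istio-system
spec:
  secretName: client-credential          # referenced below by credentialName
  commonName: egress.example.com         # assumed CN the upstream expects
  usages:
    - client auth
  issuerRef:
    name: cas-issuer                     # assumed ClusterIssuer backed by CAS
    kind: ClusterIssuer
---
# External upstream, reached through the egress gateway (assumed host).
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: api-example-com
spec:
  hosts:
    - api.example.com
  ports:
    - number: 443
      name: https
      protocol: TLS
  resolution: DNS
---
# Applied to the egress gateway's outbound hop: originate mTLS using the
# cert-manager secret rather than the gateway's own workload certificate.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-api-example-com
  namespace: istio-system
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: MUTUAL
          credentialName: client-credential   # secret with tls.crt, tls.key, ca.crt
          sni: api.example.com                # static SNI presented to the upstream
```

Istio reads `tls.crt`, `tls.key` and `ca.crt` from the generic secret named in `credentialName`; `ca.crt` is what the gateway uses to verify the upstream's server certificate, so check with `kubectl -n istio-system get secret client-credential -o jsonpath='{.data}'` that the issuer actually populated it. The Gateway and VirtualService that steer sidecar traffic to the egress gateway are unchanged from the referenced documentation; in this arrangement the egress gateway itself terminates the sidecar-to-gateway TLS hop and originates the mTLS session, so the sni-proxy container is not in the path.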

@shankgan could you please check this

cc : @Costin_Manolache