I have a requirement where I have to send the client certificate to my internal service. I tried adding an envoyfilter with forward_client_cert_details: FORWARD_ONLY, but this forwards the client certificate only if the TLS mode is mutual. I do not want to enable tlsMode MUTUAL over the entire gateway; I just need the client certificate to be passed on to my internal service. Is there any way to do this?
AFAIK, if using the TLS protocol, the client cert is only passed when the mode is mutual TLS. But you may add the client cert to a payload of your own design; as long as the recipient understands the payload format, the recipient will be able to parse it.
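
An added example, not part of the original thread: when the gateway does forward the certificate, forward_client_cert_details delivers it in Envoy's X-Forwarded-Client-Cert header, and the internal service has to parse that header with a quote-aware splitter. The function names and the sample header below are constructed for illustration.

```python
from urllib.parse import unquote

def _split(s, sep):
    """Split s on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and quoted and i + 1 < len(s):
            buf.append(s[i:i + 2])          # keep an escaped character intact
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_xfcc(header):
    """Return one dict per comma-separated element: key -> list of values."""
    elements = []
    for element in _split(header, ","):
        fields = {}
        for pair in _split(element.strip(), ";"):
            key, eq, value = pair.partition("=")
            if not eq:
                continue                     # skip malformed or empty pairs
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            if key in ("Cert", "Chain"):
                value = unquote(value)       # PEM is URL-encoded in the header
            fields.setdefault(key, []).append(value)
        elements.append(fields)
    return elements

# Constructed sample header; the certificate body is a placeholder, not a real cert.
SAMPLE = ('By=spiffe://cluster.local/ns/demo/sa/gateway;Hash=' + "ab" * 32 +
          ';Subject="CN=client.example,O=Example Org";DNS=a.example;DNS=b.example;'
          'Cert="-----BEGIN%20CERTIFICATE-----%0AUExBQ0VIT0xERVI%3D%0A'
          '-----END%20CERTIFICATE-----%0A"')

if __name__ == "__main__":
    for hop in parse_xfcc(SAMPLE):
        print(hop["Subject"][0], hop["DNS"])
        print(hop["Cert"][0])
```

The parsed values are only as trustworthy as the proxy that set the header, so the service should accept it only on connections that come from the gateway.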