We have two ingress scenarios:
- JWT over simple TLS (terminating in ingress)
- MUTUAL TLS (also terminating in ingress)
The first works perfectly. We can apply both an authentication policy and an authorization policy.
But in the latter scenario I can only find a way to authenticate (via SDS and the CA-certificate).
A single CA-certificate can of course authenticate more than one client certificate, so how do we apply an authorization policy that gives e.g. one client certificate access to this and another client certificate access to that (when they share the same CA-certificate and the MUTUAL TLS has been terminated in the ingress gateway)?
Optimally I would like the certificate info from the client certificate to be available in e.g. requestPrincipals as it is after JWT authentication. But that appears not to be the case!?
Hoping for some insight.
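One shape such a per-client policy could take, as an added example that is not part of the original post and not Istio project code. It assumes the Gateway listener runs in `MUTUAL` mode with the CA bundle delivered via SDS, that the ingress gateway forwards the verified client certificate details to the HTTP filter chain in the `x-forwarded-client-cert` (XFCC) header (check this on your own install by sending a test request to an echo service behind the gateway before relying on it), and that the host, path and certificate fingerprint values are placeholders. The policy is scoped to the gateway workload, so the decision is made at the TLS-terminating hop rather than inside the mesh.

```yaml
# Added example (not from the original post). Assumptions:
#  - Gateway tls.mode is MUTUAL and the CA bundle comes from SDS
#  - the gateway forwards client cert details in x-forwarded-client-cert;
#    capture one real header value first and derive the match from it
#  - AuthorizationPolicy string matching is exact, prefix ("abc*"),
#    suffix ("*abc") or presence ("*"); no wildcard in the middle
#  - "Hash=<sha256-of-client-a-cert>" is a placeholder for the fingerprint
#    Envoy writes into XFCC for the presented client certificate
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: client-a-to-this
  namespace: istio-system            # gateway policies live in the gateway's namespace
spec:
  selector:
    matchLabels:
      istio: ingressgateway          # apply at the TLS-terminating hop
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["a.example.com"]     # placeholder host
        paths: ["/this/*"]           # what client A may reach
    when:
    - key: request.headers[x-forwarded-client-cert]
      values: ["Hash=<sha256-of-client-a-cert>*"]   # prefix match on the fingerprint
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: client-b-to-that
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["a.example.com"]
        paths: ["/that/*"]           # what client B may reach
    when:
    - key: request.headers[x-forwarded-client-cert]
      values: ["Hash=<sha256-of-client-b-cert>*"]
```

Because both policies use `action: ALLOW` on the same workload, any request that matches neither rule is denied by default, which is the least-privilege outcome wanted here: the shared CA only establishes that the caller is a known client, and the per-certificate match decides which paths that client gets. Pinning on the certificate fingerprint means a reissued client certificate needs a policy update, so if the CA encodes the client identity in the subject or a URI SAN, matching on that part of the header (still with a captured value as the reference) is the more maintainable variant.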