We have a use case where we want to validate a client certificate from an external client in an internal service.
We observed that a certificate is being added to the x-forwarded-client-cert header, but it is the certificate from the ingress gateway. Also the cert key is not present in the header.
Do you intend to forward the certificate key in the header? I don't think the ingress gateway would (or should) have access to the client certificate key.
cert
(bool) Whether to forward the entire client cert in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Cert="PEM". Defaults to false.
Right now we are receiving different key/values from the certificate of the ingress gateway, and the encoded cert is not present.
Hi,
the client certificate authentication was dropped.
We decided to implement open id client authentication using private_key_jwt instead.
It is less headache to authenticate with an access token.
Bug description
We have a use case where we want to validate a client certificate from an external client in an internal service.
We observed that a certificate is being added to the x-forwarded-client-cert header, but it is the certificate from the ingress gateway. Also the cert key is not present in the header.
Mesh Configuration
Configuring X-Forwarded-Client-Cert Headers
Note: It was tested using APPEND_FORWARD and ALWAYS_FORWARD_ONLY
EnvoyFilter - set_current_client_cert_details
Affected product area
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
[ ] Upgrade
Expected behavior
Client certificate information should be present in x-forwarded-client-cert header.
Version
istioctl version --remote
kubectl version --short
helm version --short
Environment
OS: Ubuntu 20.04.2 LTS on Windows WSL2
Kubernetes: k3s
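An added example, not part of the original thread and not Istio or Envoy code: a parser an internal service could use to inspect the x-forwarded-client-cert value and see which elements actually carry the URL-encoded `Cert` key described in the quoted Envoy documentation. The sample header, SPIFFE IDs and PEM body are constructed placeholders; the parsing assumes Envoy's documented XFCC layout (comma-separated elements, semicolon-separated key=value pairs, case-insensitive keys, double-quoted values with backslash escapes).

```python
from urllib.parse import unquote

def parse_xfcc(header):
    """Parse an XFCC value into one dict per element (lower-cased key -> values)."""
    elements, current, key, buf, quoted = [], {}, None, [], False
    chars = iter(header)
    for ch in chars:
        if quoted:
            if ch == "\\":                      # backslash escapes the next char
                buf.append(next(chars, ""))
            elif ch == '"':
                quoted = False
            else:
                buf.append(ch)                  # ",", ";" and "=" are literal here
        elif ch == '"':
            quoted = True
        elif ch == "=" and key is None:         # the first "=" ends the key
            key, buf = "".join(buf).strip().lower(), []
        elif ch in ";,":                        # ";" ends a pair, "," an element
            if key is not None:
                current.setdefault(key, []).append("".join(buf))
            key, buf = None, []
            if ch == "," and current:
                elements.append(current)
                current = {}
        else:
            buf.append(ch)
    if key is not None:                         # flush the final pair
        current.setdefault(key, []).append("".join(buf))
    if current:
        elements.append(current)
    return elements

def forwarded_cert_pem(element):
    """URL-decoded PEM from the element's Cert key, or None if it is absent."""
    pem = unquote(element.get("cert", [""])[0])
    return pem if pem.startswith("-----BEGIN CERTIFICATE-----") else None

# Constructed sample: two elements; the PEM body is a placeholder, not a real cert.
SAMPLE = (
    'By=spiffe://cluster.local/ns/default/sa/backend;Hash=' + "ab" * 32 +
    ';Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/gateway,'
    'By=spiffe://cluster.local/ns/default/sa/backend;Hash=' + "cd" * 32 +
    ';Cert="-----BEGIN%20CERTIFICATE-----%0AQ09OU1RSVUNURUQ%3D%0A-----END%20CERTIFICATE-----%0A"'
    ';Subject="CN=client.example.com,O=Example"'
)
if __name__ == "__main__":
    for i, el in enumerate(parse_xfcc(SAMPLE)):
        print(i, el.get("subject"), "Cert present:", forwarded_cert_pem(el) is not None)
```

The first sample element mirrors what the issue reports: identity keys are present but there is no `Cert` value, so `forwarded_cert_pem` returns `None` for it.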