
ForwardClientCertDetails doesn't forward external client certificate #33599

Closed
denisky opened this issue Jun 23, 2021 · 4 comments

Comments


denisky commented Jun 23, 2021

Bug description

We have a use case where we want to validate a client certificate from an external client in an internal service.

We observed that a certificate is being added to the x-forwarded-client-cert header, but it is the certificate from the ingress gateway. Also the cert key is not present in the header.

Mesh Configuration

Configuring X-Forwarded-Client-Cert Headers

meshConfig:
    rootNamespace: custom-istio-namespace
    enableTracing: false
    accessLogFile: /dev/stdout
    enableAutoMtls: true
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 2
        forwardClientCertDetails: APPEND_FORWARD

Note: It was tested using APPEND_FORWARD and ALWAYS_FORWARD_ONLY

EnvoyFilter - set_current_client_cert_details

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xffc-details
  namespace: custom-ingress-namespace
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          set_current_client_cert_details: 
            subject: true
            cert: true
            chain: true
            dns: true
            uri: true

Affected product area

[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
[ ] Upgrade

Expected behavior

Client certificate information should be present in x-forwarded-client-cert header.

Version

istioctl version --remote

client version: 1.10.1
control plane version: 1.10.1
data plane version: 1.10.1 (1 proxies)

kubectl version --short

Client Version: v1.21.1
Server Version: v1.20.6+k3s1

helm version --short

v3.6.0+g7f2df64

Environment

OS: Ubuntu 20.04.2 LTS on Windows WSL2
Kubernetes: k3s

yangminzhu (Contributor) commented

> Also the cert key is not present in the header.

Do you intend to forward the certificate key in the header? I don't think the ingress gateway would (or should) have access to the client certificate key.


denisky commented Jun 27, 2021

Sorry for the confusion, what I meant is the client cert encoded in the header.

extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails

cert
(bool) Whether to forward the entire client cert in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Cert="PEM". Defaults to false.

Right now we are receiving different key/values from the certificate of the ingress gateway, and the encoded cert is not present.
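For the internal-service side of the use case described in this thread, the following is an added example in Python (it is not code from the issue, from Istio or from Envoy). It parses an x-forwarded-client-cert value into one element per hop, URL-decodes the Cert field that set_current_client_cert_details.cert enables, and picks out the outermost client. The sample header and the placeholder PEM are constructed for the example; the gateway SPIFFE ID and the assumption that, with a mesh-wide APPEND_FORWARD, the last element is the one the service's own sidecar appended for its direct peer are assumptions, not something the issue confirms.

```python
"""Added example: parse an Envoy x-forwarded-client-cert (XFCC) header.

Envoy writes one element per hop, elements separated by commas and
key=value pairs separated by semicolons. Values that contain ',', ';'
or '=' are double-quoted; Cert and Chain carry a URL-encoded PEM.
"""
from urllib.parse import quote, unquote

# --- constructed sample data (not taken from the issue) ---------------------
CLIENT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPlaceholderNotARealCertificate\n"
    "-----END CERTIFICATE-----\n"
)
# Assumed SPIFFE ID of the ingress gateway workload.
GATEWAY_URI = "spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

SAMPLE_XFCC = (
    # element 1: appended by the ingress gateway, describing the external client
    'Hash=abc123;Subject="/C=US/O=Example, Inc./CN=external-client";URI=;'
    'Cert="' + quote(CLIENT_PEM, safe="") + '";DNS=client.example.com'
    ","
    # element 2: appended by the backend sidecar, describing its peer (the gateway)
    "By=spiffe://cluster.local/ns/default/sa/backend;Hash=def456;URI=" + GATEWAY_URI
)


def _split_outside_quotes(text, sep):
    """Split on `sep`, but not inside double-quoted values (backslash escapes honoured)."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote_value(value):
    """Strip surrounding double quotes and undo \\" and \\\\ escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value


def parse_xfcc(header):
    """Return a list of dicts, one per hop, in the order the proxies appended them."""
    elements = []
    for element in _split_outside_quotes(header, ","):
        fields = {}
        for pair in _split_outside_quotes(element, ";"):
            key, _, value = pair.partition("=")
            key, value = key.strip(), _unquote_value(value.strip())
            if key in ("Cert", "Chain"):
                value = unquote(value)          # URL-encoded PEM -> PEM text
            if key == "DNS":                    # one DNS= pair per SAN entry
                fields.setdefault("DNS", []).append(value)
            else:
                fields[key] = value
        elements.append(fields)
    return elements


def external_client(elements):
    """Under APPEND_FORWARD the first element holds the outermost client's details."""
    return elements[0] if elements else None


def arrived_via_gateway(elements, gateway_uri=GATEWAY_URI):
    """Trust the outer element only if the direct peer (last element) is the gateway.

    Assumes the service's own sidecar appended that last element (mesh-wide
    APPEND_FORWARD); this is an assumption of the example, not confirmed by the issue.
    """
    return bool(elements) and elements[-1].get("URI") == gateway_uri


if __name__ == "__main__":
    hops = parse_xfcc(SAMPLE_XFCC)
    client = external_client(hops)
    print("hops:", len(hops), "via gateway:", arrived_via_gateway(hops))
    print("client subject:", client["Subject"])
    print(client["Cert"], end="")
```

The header is plain text, so the service should only act on the outer element when it knows the first hop overwrites any client-supplied XFCC value; otherwise a caller can inject elements of its own. The decoded PEM from the Cert field still has to be validated against the expected CA before anything in the Subject or DNS fields is relied on.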

@denisky denisky closed this as completed Jul 7, 2021

waelmashal commented Jan 22, 2024

@denisky this worked for me before, but now with Istio 1.20.1 it has stopped working. How did you solve the issue?


denisky commented Jan 22, 2024

Hi,
the client certificate authentication was dropped.
We decided to implement OpenID client authentication using private_key_jwt instead.
It is less of a headache to authenticate with an access token.
