As a part of evaluating Consul as a service mesh, I’m trying to figure out how to forward the mTLS identity to the workload (for authorization purposes within the workload). Support for this was, as far as I know, added to Envoy in version 1.11, but I can’t figure out how to configure this in Consul. Relevant settings are set_current_client_cert_details and forward_client_cert_details.
https://www.envoyproxy.io/docs/envoy/v1.11.0/api-v2/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#envoy-api-enum-config-filter-network-http-connection-manager-v2-httpconnectionmanager-forwardclientcertdetails
https://www.envoyproxy.io/docs/envoy/v1.11.0/api-v2/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#envoy-api-field-config-filter-network-http-connection-manager-v2-httpconnectionmanager-forward-client-cert-details
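For the workload side of what the post asks about, here is an added example (not from the post, and not Consul's or Envoy's own code) of consuming the identity once the sidecar forwards it. It assumes the public listener's HTTP connection manager has forward_client_cert_details set to a forwarding mode such as SANITIZE_SET and set_current_client_cert_details with uri: true, which makes Envoy put the peer certificate's URI SAN into the x-forwarded-client-cert (XFCC) header. The XFCC element grammar (comma-separated elements, semicolon-separated key=value pairs, double-quoted values with backslash-escaped quotes) is Envoy's documented format; the SPIFFE-style URIs, the Hash value and the allowlist are constructed sample data.

```python
"""Parse Envoy's x-forwarded-client-cert header and authorize by peer SPIFFE ID.

Added example. Assumes the sidecar runs with forward_client_cert_details
(e.g. SANITIZE_SET) and set_current_client_cert_details {uri: true}.
"""
from typing import Dict, List, Optional, Set

# Constructed sample header in the shape Envoy emits for one peer certificate.
# The URIs and the Hash value are placeholders, not real mesh identities.
SAMPLE_XFCC = (
    "By=spiffe://example.consul/ns/default/dc/dc1/svc/api;"
    "Hash=0123abcd;"
    'Subject="CN=web,O=Consul";'
    "URI=spiffe://example.consul/ns/default/dc/dc1/svc/web"
)


def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep, but not inside double-quoted values (honouring \\" escapes)."""
    parts: List[str] = []
    cur: List[str] = []
    in_quotes = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and in_quotes and i + 1 < len(text):
            # Escaped character inside a quoted value: keep both bytes verbatim.
            cur.append(ch)
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == sep and not in_quotes:
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_xfcc(header: str) -> List[Dict[str, List[str]]]:
    """Return one dict per XFCC element (one element per proxy that added to it).

    Keys are lower-cased (Envoy treats them case-insensitively); each key maps
    to a list because URI and DNS may legitimately repeat for multi-SAN certs.
    """
    elements: List[Dict[str, List[str]]] = []
    for element in _split_unquoted(header, ","):
        fields: Dict[str, List[str]] = {}
        for pair in _split_unquoted(element, ";"):
            key, _, value = pair.partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            fields.setdefault(key.strip().lower(), []).append(value)
        elements.append(fields)
    return elements


def peer_spiffe_id(header: str) -> Optional[str]:
    """SPIFFE URI of the immediate peer, taken only from the last XFCC element.

    The last element is the one the local sidecar appended, so it is the only
    one the workload should trust; with SANITIZE_SET it is the only element.
    """
    elements = parse_xfcc(header)
    if not elements:
        return None
    for uri in elements[-1].get("uri", []):
        if uri.startswith("spiffe://"):
            return uri
    return None


def authorize(header: str, allowed_peers: Set[str]) -> bool:
    """Allow the request only if the verified peer identity is on the allowlist."""
    peer = peer_spiffe_id(header)
    return peer is not None and peer in allowed_peers


if __name__ == "__main__":
    allowlist = {"spiffe://example.consul/ns/default/dc/dc1/svc/web"}
    print(parse_xfcc(SAMPLE_XFCC))
    print("authorized:", authorize(SAMPLE_XFCC, allowlist))
```

The workload must only ever read this header from the sidecar; an Envoy forwarding mode that sanitizes the inbound value (SANITIZE_SET rather than APPEND_FORWARD) is what stops a client from injecting its own XFCC element ahead of the one the sidecar adds.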