emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0
4.32k stars 683 forks

client cert is not sent to ext auth service. #3989

Open magictoken opened 2 years ago

magictoken commented 2 years ago

Describe the bug

In emissary I am trying to do custom client cert validation in the ext_authz gRPC service. We noticed that the client certificate is not available to the service.

To Reproduce

log request attributes in ext authz service:

    // Inside the ext_authz Check handler; req is the incoming CheckRequest.
    // Needs "encoding/json" and "log" imported.
    b, err := json.MarshalIndent(req.Attributes, "", " ")
    if err == nil {
        log.Println("Request Attributes: ")
        log.Println(string(b))
    }

Expected behavior

Certificate attribute should be logged:

"certificate": "-----BEGIN%20CERTIFICATE-----.....-----END%20CERTIFICATE-----%0A"

Versions (please complete the following information):

Additional context

To fix:

diff --git a/python/ambassador/envoy/v3/v3httpfilter.py b/python/ambassador/envoy/v3/v3httpfilter.py
index 59fdde90d..7d0bb84a9 100644
--- a/python/ambassador/envoy/v3/v3httpfilter.py
+++ b/python/ambassador/envoy/v3/v3httpfilter.py
@@ -348,6 +348,7 @@ def V3HTTPFilter_authv1(auth: IRAuth, v3config: 'V3Config'):
                     },
                     'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0)
                 },
+                'include_peer_certificate': True,
                 'transport_api_version': protocol_version.replace("alpha", "").upper(),
             }
         }
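Review bot: the hunk hard-codes `'include_peer_certificate': True`, so every AuthService rendered through `V3HTTPFilter_authv1` now attaches the full client certificate PEM to every CheckRequest whether or not the auth service uses it; consider exposing this as a field on the AuthService resource that defaults to the current behaviour and emitting the key only when it is set. The key is placed at the ext_authz filter level (a sibling of `transport_api_version` in the hunk), which is where Envoy's v3 config expects it, but Envoy only fills `AttributeContext.Source.Certificate` when the listener's TLS context actually requests a client certificate, so a sentence in the AuthService docs saying both settings are required would spare the next reporter the debugging described above.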

cindymullins-dw commented 2 years ago

Thanks for raising this to our attention. I'll leave this open as a feature request. Since you've already found a solution, it would be awesome if you'd open a PR for this as well. You can join our #emissary-dev channel in our Slack at a8r.io/slack if you want to discuss further.
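A worked example of the custom validation the issue describes, added here and not code from the emissary project or the reporter: once `include_peer_certificate` is set, Envoy delivers the client certificate as URL-encoded PEM in `AttributeContext.Source.Certificate` of the ext_authz CheckRequest (the `certificate` attribute shown in the expected output above). `ValidateClientCert` takes that string, decodes and parses it, and verifies the chain against a trusted root pool with the clientAuth extended key usage, rejecting the empty attribute that this issue reports. `NewTestPKI` and `EnvoyEncodePEM` are constructed test scaffolding; only the `%20`/`%0A` encoding is visible on the page, so the assumption that Envoy escapes `+`, `/` and `=` the same way is mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ValidateClientCert checks the URL-encoded PEM string that Envoy places in
// AttributeContext.Source.Certificate of the ext_authz CheckRequest (only
// populated when include_peer_certificate is enabled). Returns the Common Name.
func ValidateClientCert(encoded string, roots *x509.CertPool, now time.Time) (string, error) {
	if encoded == "" {
		return "", fmt.Errorf("no peer certificate in attributes (is include_peer_certificate set?)")
	}
	// PathUnescape, not QueryUnescape: a literal '+' in the base64 body must stay '+'.
	pemText, err := url.PathUnescape(encoded)
	if err != nil {
		return "", fmt.Errorf("certificate attribute is not valid URL encoding: %w", err)
	}
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("certificate attribute is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parsing client certificate: %w", err)
	}
	// Chain validation against the trusted roots, pinned to the clientAuth EKU.
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// EnvoyEncodePEM reproduces the encoding visible in the issue (%20 for spaces,
// %0A for newlines). Assumption: Envoy escapes '+', '/' and '=' the same way.
func EnvoyEncodePEM(pemText string) string {
	return strings.NewReplacer("\n", "%0A", " ", "%20", "+", "%2B", "/", "%2F", "=", "%3D").Replace(pemText)
}

// NewTestPKI creates a throw-away CA and a client certificate it signed.
// Constructed test data only; nothing here is a real credential.
func NewTestPKI(clientCN string) (*x509.CertPool, string) {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "test-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: clientCN},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &mustKey().PublicKey, caKey)
	must(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clientDER}))
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}
```

In a real handler the `encoded` argument would be `req.Attributes.Source.Certificate`, and the root pool would be loaded from the CA bundle the auth service trusts rather than generated; the empty-attribute branch is the symptom this issue reports before the filter config change is applied.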