envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Support for dynamic request header SSL_CERT #2699

Status: Open. srikiraju opened this issue 6 years ago.

srikiraju commented 6 years ago

Description: https://github.com/envoyproxy/envoy/pull/1131 already includes a framework to support dynamic request headers in the HTTP connection manager. We should extend this capability to support SSL_CERT from the originating client.

This can be useful to pull CommonName and other fields to provide built-in ACL-like features in services against TLS certs.

Relevant Links: nginx, for example, has the $ssl_client_cert var to do something like this.

htuch commented 6 years ago

@srikiraju this seems reasonable; we did have SSL attributes in mind when considering this feature originally. Are you planning on working on this or should we leave this as "help wanted"?

arianmotamedi commented 6 years ago

@htuch Is there any update on this? Is this something that's on Envoy's roadmap? This can be an extremely useful feature :)

ggreenway commented 6 years ago

Is this issue covered by https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers.html#x-forwarded-client-cert, or is this requesting something different?

arianmotamedi commented 6 years ago

My request was more around providing a way to do ACL based on client certificate information directly in Envoy. It does look like you can do public key pinning using the verify_certificate_spki config to grant/deny access, which is what I was looking for :)
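The header ggreenway points to is what makes the original request (cert fields for ACL decisions in the upstream service) workable today: with `forward_client_cert_details` set to `SANITIZE_SET` and `set_current_client_cert_details` enabling `subject`, `uri` and `dns`, Envoy emits `x-forwarded-client-cert` (XFCC) for the verified client certificate. Below is an added example, not Envoy's own code, showing how a service can parse that header per Envoy's documented syntax (`;`-separated `Key=Value` pairs, one `,`-separated element per proxy hop, double-quoted values where a value may contain `,`, `;` or `=`, URL-encoded PEM in `Cert`) and apply an allow-list on the CN, URI SAN or certificate hash. The sample header, the SPIFFE IDs, the hash values and the allow-lists are constructed for illustration. The security caveat a practitioner needs: only trust XFCC on requests that can only have arrived through an Envoy configured with `SANITIZE_SET` (or `SANITIZE`), because otherwise the header is client-supplied and trivially forged.

```python
"""
Parse Envoy's x-forwarded-client-cert (XFCC) header and apply a simple
allow-list on the forwarded client-certificate fields.

Added example for this thread, not Envoy's own code. It follows the
documented XFCC syntax: `;`-separated Key=Value pairs per element, one
element per proxy hop separated by `,`, and double-quoted values where
the value may contain `,`, `;` or `=` (Subject is always quoted, Cert is
URL-encoded PEM). The sample header and allow-lists are constructed.
Trust this header only when the request arrived through an Envoy that
sets forward_client_cert_details to SANITIZE_SET; otherwise a client can
supply the header itself.
"""
from dataclasses import dataclass, field
from typing import List, Set
from urllib.parse import unquote


@dataclass
class ClientCert:
    by: str = ""          # URI SAN of the proxy that set this element
    hash: str = ""        # hex SHA-256 of the client cert, as Envoy emits it
    cert_pem: str = ""    # decoded PEM, present only if Cert forwarding is on
    subject: str = ""     # e.g. "/C=US/O=Example/CN=billing-client"
    uri: str = ""         # URI SAN of the client cert (typically a SPIFFE ID)
    dns: List[str] = field(default_factory=list)  # DNS SANs, key may repeat


def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep only outside double quotes; the quotes are kept."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_xfcc(header: str) -> List[ClientCert]:
    """One ClientCert per element; the last element is the hop nearest to us."""
    certs: List[ClientCert] = []
    for element in _split_unquoted(header, ","):
        cert = ClientCert()
        for pair in _split_unquoted(element, ";"):
            key, _, value = pair.strip().partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            key = key.strip().lower()
            if key == "by":
                cert.by = value
            elif key == "hash":
                cert.hash = value.lower()
            elif key == "cert":
                cert.cert_pem = unquote(value)
            elif key == "subject":
                cert.subject = value
            elif key == "uri":
                cert.uri = value
            elif key == "dns":
                cert.dns.append(value)
        certs.append(cert)
    return certs


def subject_cn(subject: str) -> str:
    """CN from Envoy's '/C=US/O=Org/CN=name' subject form (a '/' inside an RDN is not handled)."""
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return ""


def is_allowed(header: str, allowed_cns: Set[str], allowed_uris: Set[str],
               allowed_hashes: Set[str]) -> bool:
    """Allow if the nearest hop's client cert matches any allow-list; deny by default."""
    certs = parse_xfcc(header)
    if not certs:
        return False
    cert = certs[-1]  # element appended by the Envoy closest to this service
    return (subject_cn(cert.subject) in allowed_cns
            or (cert.uri != "" and cert.uri in allowed_uris)
            or (cert.hash != "" and cert.hash in {h.lower() for h in allowed_hashes}))


# Constructed sample: an ingress hop followed by the mesh-internal hop.
# Hash values are arbitrary 64-hex-digit strings, not real certificate digests.
SAMPLE_XFCC = (
    'By=spiffe://cluster.local/ns/ingress/sa/gateway;'
    'Hash=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08;'
    'Subject="/C=US/O=Example, Inc./CN=edge-client";URI=spiffe://example.com/edge,'
    'By=spiffe://cluster.local/ns/billing/sa/api;'
    'Hash=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad;'
    'Subject="/C=US/O=Example, Inc./CN=billing-client";'
    'URI=spiffe://cluster.local/ns/billing/sa/client;'
    'DNS=billing-client.example.internal;DNS=billing.internal'
)

if __name__ == "__main__":
    for c in parse_xfcc(SAMPLE_XFCC):
        print(c)
    print(is_allowed(SAMPLE_XFCC, {"billing-client"}, set(), set()))
```

Only the last element is consulted because each Envoy appends its own client's details; the earlier elements describe clients of upstream hops and are not evidence about who is calling this service. Matching on `Hash` is the XFCC-side equivalent of the `verify_certificate_spki`/`verify_certificate_hash` pinning mentioned above, with the difference that here the check runs in the application after Envoy has already verified the chain.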