Envoy Client Certs for Ext Auth and Backend TLS

[arkodg]

Description:

Describe the issue.

Raising this PR to make a decision on which client certs to use when originating a TLS connection to ext Auth and Backend TLS (relates to kubernetes-sigs/gateway-api#2743)

Option 1
Reuse Listener (Downstream) certs

Option 2
Define a common proxy cert in the EnvoyProxy config

Option 3 (not possible today)
Define certs in each config

• within the SecurityPolicy.ExtAuth.TLS field
• not possible in BackendTLS, since its a upstream API

[arkodg]

ptal @envoyproxy/gateway-maintainers

[zhaohuabing]

EG doesn't use a global root ca like Istio does. So the problem of the first two approaches is that existing ext auth and jwt services may not be able to verify the client certs.

[arkodg]

EG doesn't use a global root ca like Istio does. So the problem of the first two approaches is that existing ext auth and jwt services may not be able to verify the client certs.

@zhaohuabing imo its a matter of sharing the CA (which is meant to be shared for validating trust anchor) with those entities (ext auth svc and backend)