Support Upstream TLS to multiple Backends

[arkodg]

Description:

Describe the desired behavior, what scenario it enables and how it
would be used.

Today we only build 1 TLS Socket based on the first Destination Setting associated with the first BackendRef

gateway/internal/xds/translator/translator.go

Line 518 in 9b48ff9

temp, err := buildXdsUpstreamTLSSocketWthCert(httpRoute.Destination.Settings[0].TLS)

This needs to be enhanced to support a unique TLS socket per backendref

Should be possible using the tls_socket_matches field https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto

[Xunzhuo]

Does this mean the target ref on BackendTLSPolicy can be refered to multi services ?

[arkodg]

this means we cannot support routing / traffic splitting to multiple backends with each backend having a different TLS policy today

[Xunzhuo]

Get it, thanks for clarifying @arkodg