Documentation/Guidance for passing client certificate to upstream service

[mlalam]

Hello,

I'm able to enable client certificate challenge by KONG_NGINX_PROXY_SSL_VERIFY_CLIENT to "optional" and verified the certificate passed to the request through kong access log using $ssl_client_s_dn. However, wondering how I can pass that client certificate to the upstream service. I dont see any documentation or guidance surrounding it.

Is there someone implemented this successfully shed some light into how I can pass the client certificate passed in the request to the backend upstream service?

[mlalam]

@pmalek, any suggestion/recommendations?

[mlalam]

Also, I tried adding TLS pass-through listener as per the documentation. it fails with error.

"Only Terminate mode is supported. Only one certificate per listener is supported."

FYi - I've manually deployed the latest v1.21 "experimental" gateway api CRD.

https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.1

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
creationTimestamp: "2024-12-03T19:20:45Z"
finalizers:

• gateway-operator.konghq.com/cleanup-controlplanes
• gateway-operator.konghq.com/cleanup-dataplanes
• gateway-operator.konghq.com/cleanup-network-policies
  generation: 36
  labels:
  argocd.argoproj.io/instance: kong-gateway-operator
  name: kong
  namespace: kong-system
  resourceVersion: "1268470229"
  uid: afbf6e93-8afd-4a8c-b800-2ed6f0786b8b
  spec:
  gatewayClassName: kong
  listeners:
• allowedRoutes:
  namespaces:
  from: Selector
  selector:
  matchLabels:
  shared-gateway-access: "true"
  name: http
  port: 80
  protocol: HTTP
• allowedRoutes:
  namespaces:
  from: Selector
  selector:
  matchLabels:
  shared-gateway-access: "true"
  hostname: example.mydomain.com
  name: https
  port: 443
  protocol: TLS
  tls:
  mode: Passthrough

---

Reported status for each listener.

listeners:

• attachedRoutes: 0
  conditions:
  • lastTransitionTime: "2025-01-05T23:44:06Z"
    message: ""
    observedGeneration: 36
    reason: NoConflicts
    status: "False"
    type: Conflicted
  • lastTransitionTime: "2025-01-05T23:44:06Z"
    message: ""
    observedGeneration: 36
    reason: Accepted
    status: "True"
    type: Accepted
  • lastTransitionTime: "2025-01-05T23:44:06Z"
    message: ""
    observedGeneration: 36
    reason: Pending
    status: "False"
    type: Programmed
  • lastTransitionTime: "2025-01-05T23:44:06Z"
    message: Listeners' references are accepted.
    observedGeneration: 36
    reason: ResolvedRefs
    status: "True"
    type: ResolvedRefs
    name: http
    supportedKinds:
  • group: gateway.networking.k8s.io
    kind: HTTPRoute
• attachedRoutes: 0
  conditions:
  • lastTransitionTime: "2025-01-05T23:44:06Z"
    message: ""
    observedGeneration: 36
    reason: NoConflicts
    status: "False"
    type: Conflicted
  • lastTransitionTime: "2025-01-05T23:44:06Z"
    message: ""
    observedGeneration: 36
    reason: UnsupportedProtocol
    status: "False"
    type: Accepted
  • lastTransitionTime: "2025-01-05T23:44:06Z"
    message: ""
    observedGeneration: 36
    reason: Pending
    status: "False"
    type: Programmed
  • lastTransitionTime: "2025-01-05T23:44:06Z"
    message: Only Terminate mode is supported. Only one certificate per listener
    is supported.
    observedGeneration: 36
    reason: TooManyTLSSecrets
    status: "False"
    type: ResolvedRefs
    name: https
    supportedKinds: []

---

❯ k get crd gateways.gateway.networking.k8s.io -o yaml | head -10

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: kubernetes-sigs/gateway-api#3328
gateway.networking.k8s.io/bundle-version: v1.2.1
gateway.networking.k8s.io/channel: experimental

---

Is latest version of KIC supports TLS pass-through?

[mlalam]

#6922