docs: add note about x-raw-client-cert option for Envoy mTLS MIG

apigee · Sep 26, 2023 · 491ca53 · 491ca53
1 parent 7eac921
commit 491ca53
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/modules/apigee-x-mtls-mig/README.md b/modules/apigee-x-mtls-mig/README.md
@@ -1,5 +1,20 @@
 # Managed Instance Group with Client Authentication (mTLS)
 
+An managed instance group (MIG) that runs an Envoy proxy to terminate mTLS
+before the traffic is sent to Apigee via one-way TLS.
+
+Note that by default Envoy doesn't send the client certificate to the backend
+service. To enable this you could define an x-header in the [envoy config](./envoy-config-template.yaml).
+
+```yaml
+route_config:
+    name: local_route
+    request_headers_to_add:
+    - header:
+        key: "x-raw-client-cert"
+        value: "%DOWNSTREAM_PEER_CERT%"
+```
+
 <!-- BEGIN_TF_DOCS -->
 ## Providers