From 491ca53253e5d42da62a25be4f76d48b68f684c2 Mon Sep 17 00:00:00 2001 From: Daniel Strebel Date: Tue, 26 Sep 2023 08:11:15 +0200 Subject: [PATCH] docs: add note about x-raw-client-cert option for Envoy mTLS MIG --- modules/apigee-x-mtls-mig/README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/modules/apigee-x-mtls-mig/README.md b/modules/apigee-x-mtls-mig/README.md index 63321bc..e26b6b7 100644 --- a/modules/apigee-x-mtls-mig/README.md +++ b/modules/apigee-x-mtls-mig/README.md @@ -1,5 +1,20 @@ # Managed Instance Group with Client Authentication (mTLS) +An managed instance group (MIG) that runs an Envoy proxy to terminate mTLS +before the traffic is sent to Apigee via one-way TLS. + +Note that by default Envoy doesn't send the client certificate to the backend +service. To enable this you could define an x-header in the [envoy config](./envoy-config-template.yaml). + +```yaml +route_config: + name: local_route + request_headers_to_add: + - header: + key: "x-raw-client-cert" + value: "%DOWNSTREAM_PEER_CERT%" +``` + ## Providers
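Review bot: In the added YAML snippet, the `request_headers_to_add` entry for `x-raw-client-cert` sets no append behaviour, and Envoy's default is to append to a header that already exists, so a value the client sends under the same name would be forwarded to Apigee alongside the real certificate. Suggest adding `append_action: OVERWRITE_IF_EXISTS_OR_ADD` to that entry (or removing the inbound header before the route adds it) and stating this in the note, since Apigee only sees one-way TLS from the MIG and will rely on this header for the client's identity. It would also help to mention that `%DOWNSTREAM_PEER_CERT%` is emitted as URL-encoded PEM, so whatever reads the header has to decode it first. Minor: "An managed instance group" in the first added line should read "A managed instance group".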