
[X.509] Happy Path — Tier 2 (EnvoyFilter) #894

@averevki


Summary

Test X.509 client certificate authentication via AuthPolicy using an Istio EnvoyFilter to configure TLS client certificate validation on the gateway listener.

No EnvoyFilter class exists in the testsuite currently. A new KubernetesObject subclass is needed.

Setup

  • Gateway without frontendValidation
  • Istio EnvoyFilter configuring TLS client certificate validation on the gateway listener
  • CA certificate Secret(s) with labels for Authorino validation
  • AuthPolicy with x509.source.header: "X-Forwarded-Client-Cert"
  • HTTPRoute bound to AuthPolicy

Tests

  • Client with valid certificate → 200 OK
  • Client without certificate → 401 Unauthorized (rejected at TLS layer)
  • Client with certificate signed by wrong CA → 401 Unauthorized (rejected at gateway or Authorino)

References
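Added example, not part of the original issue or the testsuite: a minimal parser for the `X-Forwarded-Client-Cert` header named in the AuthPolicy setup, showing how the client certificate travels from the gateway as URL-encoded PEM and why quoted values need care. The sample header is constructed, and reading the certificate from the last element is an assumption, not a description of how Authorino does it.

```python
from urllib.parse import unquote

# Constructed sample: one XFCC element whose Subject contains a comma.
SAMPLE_XFCC = (
    'By=spiffe://example.test/gateway;Hash=0a1b2c;'
    'Cert="-----BEGIN%20CERTIFICATE-----%0AQ09OU1RSVUNURUQ%3D%0A'
    '-----END%20CERTIFICATE-----%0A";'
    'Subject="CN=client,O=Example, Inc."'
)

def split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = ch == "\\" and not escaped
        buf.append(ch)
    if quoted:
        raise ValueError("unterminated quoted value in XFCC header")
    parts.append("".join(buf))
    return parts

def parse_xfcc(header):
    """Return one {key: [values]} dict per element (one per proxy hop)."""
    elements = []
    for raw in split_unquoted(header, ","):
        fields = {}
        for pair in filter(None, split_unquoted(raw.strip(), ";")):
            key, found, value = pair.partition("=")
            if not found:
                raise ValueError(f"malformed XFCC pair: {pair!r}")
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            fields.setdefault(key, []).append(value)
        elements.append(fields)
    return elements

def client_cert_pem(header):
    """URL-decoded PEM from the last element (assumption), or None."""
    cert = parse_xfcc(header)[-1].get("Cert")
    return unquote(cert[0]) if cert else None
```
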
