Hi,
my question is more general than just about Envoy. I'm wondering why every proxy has only one pair of client certificate/key per upstream in terms of mTLS.
When - for example - Envoy is used as an egress proxy (not only in ISTIO or other service mesh), sometimes we want to originate mTLS to external services, but we don't want to give applications certs signed by an external CA. It's like two layers of mTLS - one internal to our stack with our own CA and an external one, with another CA.
So my question is - why in every proxy I've ever seen is it possible to define only one cert/key pair per upstream host:port? Is this somehow related to optimization of the TLS connection? I can imagine a situation in which I have multiple TLS clients per host:port and make the decision about which one to use based on some L7 information (for example identity in headers) or based on identity from the internal CA.
I don't know which performance factors are important in this scenario. Could someone explain this topic to me? If my thinking is wrong, please tell me why or share some docs/whitepapers.
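The scenario in the question (several client identities toward the same external host:port, chosen from an L7 header) can be expressed in Envoy today by giving each identity its own cluster, since a client certificate is fixed at the TLS handshake and therefore belongs to a connection pool rather than to a request. The config below is an added example written for this thread, not something the poster or the Envoy project provided; the header name `x-internal-identity`, the hostname `api.example.com`, and all certificate paths are assumptions.

```yaml
# Added example (not from the original post): two clusters that point at the
# same external host:port but present different client certificates.
# Routing picks the cluster from an L7 header set by the internal side.
static_resources:
  listeners:
  - name: egress
    address:
      socket_address: { address: 127.0.0.1, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: egress
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: egress_routes
            virtual_hosts:
            - name: external
              domains: ["*"]
              routes:
              # Assumed header; in practice it should be derived from the
              # internal mTLS peer identity, not copied blindly from the app.
              - match:
                  prefix: "/"
                  headers:
                  - name: x-internal-identity
                    string_match: { exact: "billing" }
                route: { cluster: external_api_as_billing }
              - match:
                  prefix: "/"
                  headers:
                  - name: x-internal-identity
                    string_match: { exact: "reporting" }
                route: { cluster: external_api_as_reporting }
  clusters:
  - name: external_api_as_billing
    type: STRICT_DNS
    load_assignment:
      cluster_name: external_api_as_billing
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: api.example.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: api.example.com
        common_tls_context:
          # Client cert issued by the EXTERNAL CA for the "billing" identity (assumed paths).
          tls_certificates:
          - certificate_chain: { filename: /etc/envoy/certs/billing-external.crt }
            private_key: { filename: /etc/envoy/certs/billing-external.key }
          validation_context:
            trusted_ca: { filename: /etc/envoy/certs/external-ca.crt }
  - name: external_api_as_reporting
    type: STRICT_DNS
    load_assignment:
      cluster_name: external_api_as_reporting
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: api.example.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: api.example.com
        common_tls_context:
          # A different external-CA client cert for the "reporting" identity (assumed paths).
          tls_certificates:
          - certificate_chain: { filename: /etc/envoy/certs/reporting-external.crt }
            private_key: { filename: /etc/envoy/certs/reporting-external.key }
          validation_context:
            trusted_ca: { filename: /etc/envoy/certs/external-ca.crt }
```

Each cluster keeps its own connection pool, so requests carrying different identities never share an upstream TLS session; that is the cost the question is asking about, and it is paid per identity rather than per request. Requests that match neither header value get no route (a 404 from the router), which is the safe default here.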