Forward client certificate in header

Is there any support for forwarding the TLS client certificate used in a connection to the backing HTTP service as a header? I would like to be able to bind OAuth2 access tokens to Linkerd client certificates as per https://tools.ietf.org/html/draft-ietf-oauth-mtls-17 . My OAuth2 Authorization Server supports receiving the client certificate in a header when TLS is terminated at a reverse proxy, but I can’t see a configuration setting for this in Linkerd.

PS - if not and you’d like to support it, I’m happy to create a PR, although my Rust is a little… rusty.

@neilmadden

Thanks for the offer to create a PR!

Let’s start by opening an issue on GitHub to start the conversation around this feature: https://github.com/linkerd/linkerd2/issues

We’ll want to discuss whether forwarding TLS client certificates is a responsibility of the service mesh and GitHub is the right place to have that discussion. :slight_smile:

Charles