nginx
diff --git a/‎internal/configs/virtualserver.go‎
Lines changed: 5 additions & 0 deletions b/‎internal/configs/virtualserver.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎internal/configs/virtualserver_test.go‎
Lines changed: 52 additions & 11 deletions b/‎internal/configs/virtualserver_test.go‎
Lines changed: 52 additions & 11 deletions
diff --git a/‎tests/data/common/app/secure-ca/app.yaml‎
Lines changed: 80 additions & 0 deletions b/‎tests/data/common/app/secure-ca/app.yaml‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎tests/data/egress-mtls/policies/egress-mtls-invalid.yaml‎
Lines changed: 12 additions & 0 deletions b/‎tests/data/egress-mtls/policies/egress-mtls-invalid.yaml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎tests/data/egress-mtls/policies/egress-mtls.yaml‎
Lines changed: 12 additions & 0 deletions b/‎tests/data/egress-mtls/policies/egress-mtls.yaml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml‎
Lines changed: 18 additions & 0 deletions b/‎tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml‎
Lines changed: 18 additions & 0 deletions b/‎tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml‎
Lines changed: 9 additions & 0 deletions b/‎tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml‎
Lines changed: 8 additions & 0 deletions b/‎tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎tests/data/egress-mtls/secret/egress-mtls-secret.yaml‎
Lines changed: 7 additions & 0 deletions b/‎tests/data/egress-mtls/secret/egress-mtls-secret.yaml‎
Lines changed: 7 additions & 0 deletions
@@ -1008,6 +1008,11 @@ func (p *policiesCfg) addEgressMTLSConfig(
 		trustedSecretPath = secretRef.Path
 	}
 
+	if len(trustedSecretPath) != 0 {
+		caFields := strings.Fields(trustedSecretPath)
+		trustedSecretPath = caFields[0]
+	}
+
 	p.EgressMTLS = &version2.EgressMTLS{
 		Certificate:    tlsSecretPath,
 		CertificateKey: tlsSecretPath,
 
@@ -2917,17 +2917,17 @@ func TestGeneratePolicies(t *testing.T) {
 		vsNamespace:    "default",
 		vsName:         "test",
 	}
-	ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt"
-	ingressMTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crl"
-	ingressMTLSCertAndCrlPath := fmt.Sprintf("%s %s", ingressMTLSCertPath, ingressMTLSCrlPath)
+	mTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt"
+	mTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crl"
+	mTLSCertAndCrlPath := fmt.Sprintf("%s %s", mTLSCertPath, mTLSCrlPath)
 	policyOpts := policyOptions{
 		tls: true,
 		secretRefs: map[string]*secrets.SecretReference{
 			"default/ingress-mtls-secret": {
 				Secret: &api_v1.Secret{
 					Type: secrets.SecretTypeCA,
 				},
-				Path: ingressMTLSCertPath,
+				Path: mTLSCertPath,
 			},
 			"default/ingress-mtls-secret-crl": {
 				Secret: &api_v1.Secret{
@@ -2936,7 +2936,7 @@ func TestGeneratePolicies(t *testing.T) {
 						"ca.crl": []byte("base64crl"),
 					},
 				},
-				Path: ingressMTLSCertAndCrlPath,
+				Path: mTLSCertAndCrlPath,
 			},
 			"default/egress-mtls-secret": {
 				Secret: &api_v1.Secret{
@@ -2950,6 +2950,12 @@ func TestGeneratePolicies(t *testing.T) {
 				},
 				Path: "/etc/nginx/secrets/default-egress-trusted-ca-secret",
 			},
+			"default/egress-trusted-ca-secret-crl": {
+				Secret: &api_v1.Secret{
+					Type: secrets.SecretTypeCA,
+				},
+				Path: mTLSCertAndCrlPath,
+			},
 			"default/jwt-secret": {
 				Secret: &api_v1.Secret{
 					Type: secrets.SecretTypeJWK,
@@ -2984,7 +2990,6 @@ func TestGeneratePolicies(t *testing.T) {
 	tests := []struct {
 		policyRefs []conf_v1.PolicyReference
 		policies   map[string]*conf_v1.Policy
-		policyOpts policyOptions
 		context    string
 		expected   policiesCfg
 		msg        string
@@ -3315,7 +3320,7 @@ func TestGeneratePolicies(t *testing.T) {
 			context: "spec",
 			expected: policiesCfg{
 				IngressMTLS: &version2.IngressMTLS{
-					ClientCert:   ingressMTLSCertPath,
+					ClientCert:   mTLSCertPath,
 					VerifyClient: "off",
 					VerifyDepth:  1,
 				},
@@ -3346,8 +3351,8 @@ func TestGeneratePolicies(t *testing.T) {
 			context: "spec",
 			expected: policiesCfg{
 				IngressMTLS: &version2.IngressMTLS{
-					ClientCert:   ingressMTLSCertPath,
-					ClientCrl:    ingressMTLSCrlPath,
+					ClientCert:   mTLSCertPath,
+					ClientCrl:    mTLSCrlPath,
 					VerifyClient: "off",
 					VerifyDepth:  1,
 				},
@@ -3379,8 +3384,8 @@ func TestGeneratePolicies(t *testing.T) {
 			context: "spec",
 			expected: policiesCfg{
 				IngressMTLS: &version2.IngressMTLS{
-					ClientCert:   ingressMTLSCertPath,
-					ClientCrl:    ingressMTLSCrlPath,
+					ClientCert:   mTLSCertPath,
+					ClientCrl:    mTLSCrlPath,
 					VerifyClient: "off",
 					VerifyDepth:  1,
 				},
@@ -3423,6 +3428,42 @@ func TestGeneratePolicies(t *testing.T) {
 			},
 			msg: "egressMTLS reference",
 		},
+		{
+			policyRefs: []conf_v1.PolicyReference{
+				{
+					Name:      "egress-mtls-policy",
+					Namespace: "default",
+				},
+			},
+			policies: map[string]*conf_v1.Policy{
+				"default/egress-mtls-policy": {
+					Spec: conf_v1.PolicySpec{
+						EgressMTLS: &conf_v1.EgressMTLS{
+							TLSSecret:         "egress-mtls-secret",
+							ServerName:        true,
+							SessionReuse:      createPointerFromBool(false),
+							TrustedCertSecret: "egress-trusted-ca-secret-crl",
+						},
+					},
+				},
+			},
+			context: "route",
+			expected: policiesCfg{
+				EgressMTLS: &version2.EgressMTLS{
+					Certificate:    "/etc/nginx/secrets/default-egress-mtls-secret",
+					CertificateKey: "/etc/nginx/secrets/default-egress-mtls-secret",
+					Ciphers:        "DEFAULT",
+					Protocols:      "TLSv1 TLSv1.1 TLSv1.2",
+					ServerName:     true,
+					SessionReuse:   false,
+					VerifyDepth:    1,
+					VerifyServer:   false,
+					TrustedCert:    mTLSCertPath,
+					SSLName:        "$proxy_host",
+				},
+			},
+			msg: "egressMTLS with crt and crl",
+		},
 		{
 			policyRefs: []conf_v1.PolicyReference{
 				{
 
@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: secure-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secure-app
+  template:
+    metadata:
+      labels:
+        app: secure-app
+    spec:
+      containers:
+        - name: secure-app
+          image: nginxdemos/nginx-hello:plain-text
+          ports:
+            - containerPort: 8443
+          volumeMounts:
+            - name: secret
+              mountPath: /etc/nginx/ssl
+              readOnly: true
+            - name: config-volume
+              mountPath: /etc/nginx/conf.d
+      volumes:
+        - name: secret
+          secret:
+            secretName: app-tls-secret
+        - name: config-volume
+          configMap:
+            name: secure-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: secure-app
+spec:
+  ports:
+    - port: 8443
+      targetPort: 8443
+      protocol: TCP
+      name: https
+  selector:
+    app: secure-app
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: secure-config
+data:
+  app.conf: |-
+    server {
+      listen 8443 ssl;
+      listen [::]:8443 ssl;
+
+      server_name secure-app.example.com;
+
+      ssl_certificate /etc/nginx/ssl/tls.crt;
+      ssl_certificate_key /etc/nginx/ssl/tls.key;
+
+      ssl_verify_client on;
+      ssl_client_certificate /etc/nginx/ssl/ca.crt;
+
+      default_type text/plain;
+
+      location /backend1 {
+        return 200 "hello from pod $hostname\n";
+      }
+    }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: app-tls-secret
+type: Opaque
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVekNDQWpzQ0NRRE5Tc2YvSXpBaEhqQU5CZ2txaGtpRzl3MEJBUXNGQURCbU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVjMmx6WTI4eERqQU1CZ05WQkFvTQpCVTVIU1U1WU1Rd3dDZ1lEVlFRTERBTkxTVU14RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEl3Ck1URXhNakl4TXpNd05sb1hEVE13TVRFeE1ESXhNek13Tmxvd2NURUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlYKQkFnTUFrTkJNUll3RkFZRFZRUUhEQTFUWVc0Z1JuSmhibk5wYzJOdk1RNHdEQVlEVlFRS0RBVk9SMGxPV0RFTQpNQW9HQTFVRUN3d0RTMGxETVI4d0hRWURWUVFEREJaelpXTjFjbVV0WVhCd0xtVjRZVzF3YkdVdVkyOXRNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6ekE0aUhqL0xpWWhlR1JVS0Vha2NTa2MKRHpsWE1kMDUwZStBb3VodXFoOHJEandOaUl0RGU5c05keXNSTW0yWEVZUUxtdkJyNFlTN2dhNmpVQzFUTXhnMgpSeHZmckZFQ1RPNGJkU2gvZ0NKNU8wdjhIYTNEbmNXQW9saFJIdVlSSit1V09iQkwxYkxqUTFLM2hST1h2cjJWCkhvbWRpb09ybnEwQmdQdC9hN09rOVhuSDdZcDU0UjhsYm96bGtvNXlSOFdnZzlqeWZ0aDRoQ2x3U0J3RkJxbmcKeHBBNSs0NllLOUhwU0VNa0FXb1Z5eERrR0E1UXZubTBiSjZQSk0xUi9UQkpFeTA1Uy90ZVlIV3oyeTFNb29INAo4TStoZTR6YjFQLy93NjhWUE9oR1pjTWlGUzBGTWNwVGgzdlFLUTBwQS84S3c2TWErUFdEWWplY3Z2Y0oxd0lECkFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJzditJRzNNWVVNbUdMNUdYTXFhM3NiU0RZdFJxaEhRcXkKMmxWaWQ1OXFEVmVOdG50MXdkYVJrSjQ4S2x1SzBkZUJDanpGaVN2elBZMVlHc09qeEJ4R2Qrd0tYcElMVXQ3YwpsMXFIbGRTNktyOU9oaS9XSUFDV3AxbDN1K1luUXJROHIzNkZqaGZ1ODMyQ1EwVTQ3Z3I0Yjc5NVNBeDRzdVVFClUwZ2F4MnNLMHlUSU9YYUk4VjRQWThrSlZHdXpyR2N1bVBLT1lrSTRvSEhBY0JMMERrWUkyZ0hmZ2F1amZYTFgKYU9yQ0Z4QndPMGh3ekhNam1GNlRYT2dTNVVIYzFsbzhwREpNK1J3SmUxVjA2RGlZRFpUUlErM1lxcEZpSHpSbwozZkFENzBhM3U5c0NWYnM0QjEzU2ZXOUk5R3hNOXhpdEJjL1VNME1ad1BHUytaSVEwRkZzCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBenpBNGlIai9MaVloZUdSVUtFYWtjU2tjRHpsWE1kMDUwZStBb3VodXFoOHJEandOCmlJdERlOXNOZHlzUk1tMlhFWVFMbXZCcjRZUzdnYTZqVUMxVE14ZzJSeHZmckZFQ1RPNGJkU2gvZ0NKNU8wdjgKSGEzRG5jV0FvbGhSSHVZUkordVdPYkJMMWJMalExSzNoUk9YdnIyVkhvbWRpb09ybnEwQmdQdC9hN09rOVhuSAo3WXA1NFI4bGJvemxrbzV5UjhXZ2c5anlmdGg0aENsd1NCd0ZCcW5neHBBNSs0NllLOUhwU0VNa0FXb1Z5eERrCkdBNVF2bm0wYko2UEpNMVIvVEJKRXkwNVMvdGVZSFd6MnkxTW9vSDQ4TStoZTR6YjFQLy93NjhWUE9oR1pjTWkKRlMwRk1jcFRoM3ZRS1EwcEEvOEt3Nk1hK1BXRFlqZWN2dmNKMXdJREFRQUJBb0lCQUFNK1hBUTI4TGZHUFF2bgpkakhUT1V2VU91NDZGWlZnUTBGNElHbHNmaDhIc2VMZEtkRVRiUkVKVXVLa3QvWTBKUU5QTCtkVEVEMU5tS25sCkZBVnpVRFFpa3ViMkZzQlozRkZjQU80S25rUmhSY2laM2U2UkE5ajZlSk1TRXVNSzh3WE8rR0VhMDNVYkFkZlIKK2JHSnB2eURkMHd0RjF4TngyZ0tpVlY5bW5jVEo3RDJtaUZPVTNXR3pUeFlyMVdnVDd6WHVsQnkyQlR6SlEzNQpwcG9hdXQwYlcvVkZDQ1FIc0NRK2tUNlhXbE9vQ2VTWTd5aEhmSzRtMGFCeUNjN1E0dW5CUUZRU24rck1CZUJpCkJxaE9BU0NFQnhYUzhlRUxhOCtCQml3eGo0SmJQa3IzbFlRcTQxbDlMU3FtQTN4dy9ZKzZzK2NCRmdxSGQ5RUgKVmJidTUrRUNnWUVBN2VUeUdXQmxubk9ySzJBMjkrbENYY1RBRHhGdlRoK0hWMlRJTXV3NW9oMlE0MkhCZWkwcgp3L2dTa1FGU1cvK1JaNmpXU2xsWW51ZDNXVkUwRzA3ZkhLaWpZMnBmbFQ3Z3lXYlhoc0NXQmkwRVpOK0JxUUNrCko5UVNaUGZLRXRjamhkTDdtVnBJdEF3ZjM4SHpiNUx0d3pBYTFhTlFjK2h3YVE3eWo2UFhubDhDZ1lFQTN2VUMKcXhURDJ2Y2VkQWZlUGUxQXd1SDRUZ2pVVFJnbU5rMGRPbTBFazlzUnZOelRZemk0bmxNQ1YzMHZiZTVMRWNleQo3VWRJS3pGMUwrQWRpaFFpckcvMHJIQ3N0U21RTHhLWDdhVW5vcVliWHJWNTlYMFVaMndDcFBqZm1DQTNYYmE5CmJ0ZThCRFFCbmp1QjJ6dXVIa21ZY3BSWllNeEdvMjd0aVV2ZlY0a0NnWUJRdFMyVmdtaTNXeEtsUXAwamVsVnoKcm41aUhrNGV1UCtYbks5MjUwR2VTRjJSWnViVzVtQkV1ZkxDa3lvMzMvcWFxbU1aRWpySW5rcVZXTUZPeW5GVApMYnRRelJQa2RGS2F3WE01V2prTG0xWTBTc2VZYUlsSW9lQWp0UlV2VXlIUUV3WWN2czZQbHRWeGVrRjJodWgzCkllall0ZkZqZ1dZeG5rcVloTU53RFFLQmdGTU11UDI1TW10eCthb0c5RVhsQm1hUmZjaXppVUZlYVgxNHBCYUwKWFZVbUdTbGNxSEVoUThQVjc5MWZDRGZPdDYvYnowNkxhdHFNQmJiYnFLVXljdWdBbkFkUHdVV0tRZWNHNmdqZgpxQy94NStnVGVXWjBQUkY1TGxMOVVXeDlNNko0MjM5YVpQSzczSTV3WkNLaHpHNER4QUdLT1BEUnBzNWlGNkU0CjNlemhBb0dBS1lxZ1o4dUtOVGNpZ3A4ekpqSzB4N1RrZmttTVViMTRUYnFZUzJiWVhFTDlwZDM1aU1iclJ1MEYKTGJqOTFlcHVVbE00eG9td2tHM284Qll6OWpOZVhGVnIwQmhvY0E3UjZVL2VRc1FLQ0Fac3VMTThLdGFCN0pRTwpzTFpJRnROZUpMV0lRMUhXZG40KzI3SDIyeGUzMFBVUlpsSnR6b2NrT3hGaVl3UUZ5bzQ9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpBQ0NRREtXdnJwd2lJeUNEQU5CZ2txaGtpRzl3MEJBUXNGQURCbU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVjMmx6WTI4eERqQU1CZ05WQkFvTQpCVTVIU1U1WU1Rd3dDZ1lEVlFRTERBTkxTVU14RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEl3Ck1URXhNakl4TWpnME1sb1hEVE13TVRFeE1ESXhNamcwTWxvd1pqRUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlYKQkFnTUFrTkJNUll3RkFZRFZRUUhEQTFUWVc0Z1JuSmhibk5wYzJOdk1RNHdEQVlEVlFRS0RBVk9SMGxPV0RFTQpNQW9HQTFVRUN3d0RTMGxETVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNcmxLTXFySGZNUjRtZ2FMMnpaRzJEWVlmS0NGVm1JTmpsWXVPZUMKRkRUY1JnUUt0dTJZY0N4WllCQUR3SFp4RWY2TklLdFZzTVdMaFNOUy9OYzBCbXRpUU0vSUV4aGxDaURDNlNsOApPTnJJM3c3cUp6TjZJVUVSQjZ0VmxRdDA3cmdNMFYyNlVUWXUwSWt2MVk4dHJmTFlQWmNrekJrb3JRanBjaXVtCnFvUDJCSmY0eXljOUxxcHh0bFdLeGVsa3VuVkw1aWpNRXpwajlnRUUyNlRFSGJzZEViaG9SOGcwT2VIWnFIN2UKbVhDblNJQlIwQS9vL3M2bm9HTlgrRjE5bFk3VGd3NzdqT3VRUTVZc2krN25oTjJsS3ZjQzgxOVJYN29NcGd2dApWNUIzbkkwbUY2QmF6bmplVHM0eVFjcjFTbTNVVFZCd1g5WnV2TDdSYklYa1VtOENBd0VBQVRBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFnbTA0dzZPSVdHajZ0a2E5Y2NjY25ibEYwb1p6ZUVBSXl3anZSNXNEY1BkdkxJZU0KZWVzSnk2ckZINERCbU15Z3BjSXhKR3JTT3pabEYzTE12dzd6SzRzdHFOdG0xSGlwckY4Ynp4ZlRmZlZZbmNnNgpoVktFckh0WjJGWlJqLzJUTUowMWFSRFpTdVZiTDZVSmlva3BVNnh4VDd5eTBkRlprS3JqVVIzNDlnS3hScUp3CkFtMmFzMGJoaTUxRXFLMUdFeDNtNGMwdW4ydk5oNXFQMmh2NmUvUXplNlA5NnZlZk5hU2s5UU1GZnVCMWtTQWsKZkdwa2lMN2JqbWpuaEt3QW1mOGpEV0RabHRCNlM1NlF5MlFqUFI4Sm9PdXNiWXhhcjRjNkVjSXdWSHY2bWRnUAp5WnhXcVFzZ3RTZkZ4K1B3b245SVBLdXEwalFZZ2VaUFN4Uk1MQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: egress-mtls-policy
+spec:
+  egress_MTLS:
+    tlsSecret: egress-tls-secret
+    trustedCertSecret: egress-mtls-secret
+    verifyServer: on
+    verifyDepth: 2
+    serverName: on
+    sslName: secure-app.example.com
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: egress-mtls-policy
+spec:
+  egressMTLS:
+    tlsSecret: egress-tls-secret
+    trustedCertSecret: egress-mtls-secret
+    verifyServer: on
+    verifyDepth: 2
+    serverName: on
+    sslName: secure-app.example.com
@@ -0,0 +1,18 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: virtual-server
+spec:
+  host: virtual-server.example.com
+  upstreams:
+  - name: secure-app
+    service: secure-app
+    port: 8443
+    tls:
+      enable: true
+  routes:
+  - path: "/backend1"
+    policies:
+    - name: egress-mtls-policy
+    action:
+      pass: secure-app
@@ -0,0 +1,18 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServerRoute
+metadata:
+  name: backends
+spec:
+  host: virtual-server-route.example.com
+  upstreams:
+  - name: secure-app
+    service: secure-app
+    port: 8443
+    tls:
+      enable: true
+  subroutes:
+  - path: "/backends/backend1"
+    policies:
+    - name: egress-mtls-policy
+    action:
+      pass: secure-app
@@ -0,0 +1,9 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: virtual-server-route
+spec:
+  host: virtual-server-route.example.com
+  routes:
+  - path: "/backends"
+    route: backends # implicit namespace
@@ -0,0 +1,8 @@
+kind: Secret
+metadata:
+  name: egress-mtls-secret
+apiVersion: v1
+type: nginx.org/ca
+data:
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpBQ0NRREtXdnJwd2lJeUNEQU5CZ2txaGtpRzl3MEJBUXNGQURCbU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVjMmx6WTI4eERqQU1CZ05WQkFvTQpCVTVIU1U1WU1Rd3dDZ1lEVlFRTERBTkxTVU14RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEl3Ck1URXhNakl4TWpnME1sb1hEVE13TVRFeE1ESXhNamcwTWxvd1pqRUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlYKQkFnTUFrTkJNUll3RkFZRFZRUUhEQTFUWVc0Z1JuSmhibk5wYzJOdk1RNHdEQVlEVlFRS0RBVk9SMGxPV0RFTQpNQW9HQTFVRUN3d0RTMGxETVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNcmxLTXFySGZNUjRtZ2FMMnpaRzJEWVlmS0NGVm1JTmpsWXVPZUMKRkRUY1JnUUt0dTJZY0N4WllCQUR3SFp4RWY2TklLdFZzTVdMaFNOUy9OYzBCbXRpUU0vSUV4aGxDaURDNlNsOApPTnJJM3c3cUp6TjZJVUVSQjZ0VmxRdDA3cmdNMFYyNlVUWXUwSWt2MVk4dHJmTFlQWmNrekJrb3JRanBjaXVtCnFvUDJCSmY0eXljOUxxcHh0bFdLeGVsa3VuVkw1aWpNRXpwajlnRUUyNlRFSGJzZEViaG9SOGcwT2VIWnFIN2UKbVhDblNJQlIwQS9vL3M2bm9HTlgrRjE5bFk3VGd3NzdqT3VRUTVZc2krN25oTjJsS3ZjQzgxOVJYN29NcGd2dApWNUIzbkkwbUY2QmF6bmplVHM0eVFjcjFTbTNVVFZCd1g5WnV2TDdSYklYa1VtOENBd0VBQVRBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFnbTA0dzZPSVdHajZ0a2E5Y2NjY25ibEYwb1p6ZUVBSXl3anZSNXNEY1BkdkxJZU0KZWVzSnk2ckZINERCbU15Z3BjSXhKR3JTT3pabEYzTE12dzd6SzRzdHFOdG0xSGlwckY4Ynp4ZlRmZlZZbmNnNgpoVktFckh0WjJGWlJqLzJUTUowMWFSRFpTdVZiTDZVSmlva3BVNnh4VDd5eTBkRlprS3JqVVIzNDlnS3hScUp3CkFtMmFzMGJoaTUxRXFLMUdFeDNtNGMwdW4ydk5oNXFQMmh2NmUvUXplNlA5NnZlZk5hU2s5UU1GZnVCMWtTQWsKZkdwa2lMN2JqbWpuaEt3QW1mOGpEV0RabHRCNlM1NlF5MlFqUFI4Sm9PdXNiWXhhcjRjNkVjSXdWSHY2bWRnUAp5WnhXcVFzZ3RTZkZ4K1B3b245SVBLdXEwalFZZ2VaUFN4Uk1MQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  ca.crl: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSURCRENCN1RBTkJna3Foa2lHOXcwQkFRc0ZBRENCcHpFTE1Ba0dBMVVFQmhNQ1ZWTXhFVEFQQmdOVkJBZ00KQ0UxaGNubHNZVzVrTVJJd0VBWURWUVFIREFsQ1lXeDBhVzF2Y21VeEdUQVhCZ05WQkFvTUVGUmxjM1FnUTBFcwpJRXhwYldsMFpXUXhJekFoQmdOVkJBc01HbE5sY25abGNpQlNaWE5sWVhKamFDQkVaWEJoY25SdFpXNTBNUkF3CkRnWURWUVFEREFkVVpYTjBJRU5CTVI4d0hRWUpLb1pJaHZjTkFRa0JGaEIwWlhOMFFHVjRZVzF3YkdVdVkyOXQKRncweU16QXpNVE14T0RBeU1qSmFGdzB5TXpBME1USXhPREF5TWpKYU1CUXdFZ0lCQWhjTk1qTXdNekV6TVRndwpNakV5V2pBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQVJzQ1B6SVpqUmt1S1BlajRUdTc5a3pFTlcvRTY5NzZjClhrN2g1dEtoTHdONTROVXR0M0pSTHBWUEFwUFhnTzdhdVo5a0liWC9EaStyeks4V3BQZWhUSXg0b1RscktjbFoKT1hsM3RQWUJndmcyRzVxaFR3MlAvTjRDMzVPMWdtWllLWXFYeEd6SjlBVnU5WmNXUlJjelVCOXlaZlR1cERoOAo2SnROd2JCVVpOR2lSMkZFeUovWFNQQjFVeXJBa2IyVk1ON0E1WEZIaSt5WXFrS2xrcFNLaGNPY3lGcXpFMC9xCkQ5V1Y3enJtVDIwdU1Ya2VCVW05WEhqWHRXRTIwb01PRFBHRERBNUg2RlppL05IMXBTa0tUY3g4UjdYNGZlaFYKOUJUTVl5VENWcFVJSUhuZG91NHYxUkl2UHJpRS9PUGx4UDBjRFZCNmV1V0RXb2dJdnIyWTRpenlHdHN0WlpvTgpNZDBRY1hXTVhTUjB3U2hCdEQ1TGI5cjBLOExPS255dVFUVVNHaXZuY2JGajZNUTROU3FNMTRJdzNkOHowemowCjg5b3hBUVhNa29qdm02SWV5WS9hSlVacUlPdk56MXhkaG5kNXNtWkNoQUdTVUx4Z1hsZWFHRjg3Vyt2MThuSlQKOC83c1Vic09RR1ErdVA5dGNXcGYzcmx4MVVENWRnVW9KbHdrUk16Z09vQXYwN3JkcWRsZGQ4QVdWYndMcnlGdgo0RHVMTU5VREQrbE9iV3E0VDdBNE5zb1NadlBuaitOcDgzL3VCWEUvRmZvemJpYzJSOFZJb1NLR2NhWDh0aGZhCmpvUEw1Smt4akZGemZGcnAwMi9XRlNNd3Ezc2xrQkJqSGFkd2pNcTZiQnJ5MTQyYWlOUW44cDRsa3ZXV0RvUSsKaWdrSDNFRGdDVmM9Ci0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0K
@@ -0,0 +1,7 @@
+kind: Secret
+metadata:
+  name: egress-mtls-secret
+apiVersion: v1
+type: nginx.org/ca
+data:
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpBQ0NRREtXdnJwd2lJeUNEQU5CZ2txaGtpRzl3MEJBUXNGQURCbU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVjMmx6WTI4eERqQU1CZ05WQkFvTQpCVTVIU1U1WU1Rd3dDZ1lEVlFRTERBTkxTVU14RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEl3Ck1URXhNakl4TWpnME1sb1hEVE13TVRFeE1ESXhNamcwTWxvd1pqRUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlYKQkFnTUFrTkJNUll3RkFZRFZRUUhEQTFUWVc0Z1JuSmhibk5wYzJOdk1RNHdEQVlEVlFRS0RBVk9SMGxPV0RFTQpNQW9HQTFVRUN3d0RTMGxETVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNcmxLTXFySGZNUjRtZ2FMMnpaRzJEWVlmS0NGVm1JTmpsWXVPZUMKRkRUY1JnUUt0dTJZY0N4WllCQUR3SFp4RWY2TklLdFZzTVdMaFNOUy9OYzBCbXRpUU0vSUV4aGxDaURDNlNsOApPTnJJM3c3cUp6TjZJVUVSQjZ0VmxRdDA3cmdNMFYyNlVUWXUwSWt2MVk4dHJmTFlQWmNrekJrb3JRanBjaXVtCnFvUDJCSmY0eXljOUxxcHh0bFdLeGVsa3VuVkw1aWpNRXpwajlnRUUyNlRFSGJzZEViaG9SOGcwT2VIWnFIN2UKbVhDblNJQlIwQS9vL3M2bm9HTlgrRjE5bFk3VGd3NzdqT3VRUTVZc2krN25oTjJsS3ZjQzgxOVJYN29NcGd2dApWNUIzbkkwbUY2QmF6bmplVHM0eVFjcjFTbTNVVFZCd1g5WnV2TDdSYklYa1VtOENBd0VBQVRBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFnbTA0dzZPSVdHajZ0a2E5Y2NjY25ibEYwb1p6ZUVBSXl3anZSNXNEY1BkdkxJZU0KZWVzSnk2ckZINERCbU15Z3BjSXhKR3JTT3pabEYzTE12dzd6SzRzdHFOdG0xSGlwckY4Ynp4ZlRmZlZZbmNnNgpoVktFckh0WjJGWlJqLzJUTUowMWFSRFpTdVZiTDZVSmlva3BVNnh4VDd5eTBkRlprS3JqVVIzNDlnS3hScUp3CkFtMmFzMGJoaTUxRXFLMUdFeDNtNGMwdW4ydk5oNXFQMmh2NmUvUXplNlA5NnZlZk5hU2s5UU1GZnVCMWtTQWsKZkdwa2lMN2JqbWpuaEt3QW1mOGpEV0RabHRCNlM1NlF5MlFqUFI4Sm9PdXNiWXhhcjRjNkVjSXdWSHY2bWRnUAp5WnhXcVFzZ3RTZkZ4K1B3b245SVBLdXEwalFZZ2VaUFN4Uk1MQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K