Shashank Ram

> Yes this is for pod to external traffic, to meet security requirements around mTLS mTLS is supported with Egress, though the TLS origination for external traffic must happen within...

> (emphasis mine) > > > mTLS is supported with Egress, though the **TLS origination for external traffic must happen within the application code**. > > I think we can...

> Why do we need to provision user certificates? If the user provisions OSM with an intermediate CA, wouldn't sibling CAs (i.e. certs derived from the same root as the...

> > Yes this is for pod to external traffic, to meet security requirements around mTLS > > mTLS is supported with Egress, though the TLS origination for external traffic...

@shalier As a part of #2018, I am going to add support to plumb the policy in UpstreamTrafficSetting at the inbound route and virtual_host level. Since retries and rate limiting...

@shalier I wanted to also note that before proceeding with an implementation, it would make sense to verify if merging the Retries policy with the UpstreamTrafficSetting API is feasible. I...

Can the spec be extended/clarified to support both: 1. a (virtual) service as the root service. K8s applications are going to use the service FQDN for the most part. 2....

We will still be using a SharedIndexInformer within the controller though right, or are you proposing to not use informers anymore?

> correct, i think just the CLI, and I believe @keithmattix has a use case for certificates where there is a concern of a potential race condition due to cache...

This needs to be thoroughly reviewed and assessed before it makes it into the repo. Adding the do-not-merge label till I get the chance to review this and the motivation...