
Client Traffic Policy - support of the several CA certificates for mTLS authentication? #5369

Open
mdekhtiarenko opened this issue Feb 27, 2025 · 1 comment

@mdekhtiarenko

Description:
I have configured ClientTrafficPolicy with optional mTLS to allow two dev and prod cluster certificates.
When each one of these is configured alone, everything works as expected. But when both are defined at the same time, certificate verification only works for one of them.

Is it intended behavior? In the docs I see:

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named ca.crt is currently supported.

So I assume yes - that's a bit weird because the contract that allows the list is misleading.

Is there any workaround for my case?

Here is an example of my Client Traffic Policy:


apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: eg-default-clienttraffic
  namespace: envoy-gateway
spec:
  enableProxyProtocol: true
  headers:
    xForwardedClientCert:
      certDetailsToAdd:
        - Subject
      mode: SanitizeSet
  healthCheck:
    path: /ready
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg-default
  tls:
    clientValidation:
      caCertificateRefs:
        - group: ""
          kind: Secret
          name: dev-ca
          namespace: envoy-gateway
        - group: ""
          kind: Secret
          name: prod-ca
          namespace: envoy-gateway
      optional: true

@arkodg
Contributor

arkodg commented Feb 27, 2025

the list was supported to support the rotation case
we do append the CAs together in the gateway-api layer

for _, caCertRef := range tlsParams.ClientValidation.CACertificateRefs {

if this isn't working, it's a bug
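The expected behaviour described in both the policy above (two `caCertificateRefs`, `dev-ca` and `prod-ca`) and the reply (the CAs are appended together into one bundle) can be checked locally, independent of the gateway. The following Go program is an added example, not code from Envoy Gateway or from either participant. It constructs a throwaway dev CA and prod CA in memory, issues one client certificate from each, and verifies the clients against a dev-only bundle, a prod-only bundle and the concatenated dev+prod bundle. The assumption, taken from the reply, is that the gateway-api layer behaves like the concatenation in `trustPool`: if it does, a proxy configured with both refs must accept clients from either CA, and accepting only one of them is the bug the reply refers to.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// cert: a parsed certificate, its key and its PEM (for a CA, the bytes a Secret's ca.crt key holds).
type cert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	PEM  []byte
}

// must panics on error; the constructed certificates below cannot fail in a useful way.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a constructed certificate for cn (test data, not a real dev or prod CA).
// With a nil parent it is a self-signed root CA; otherwise a client-auth leaf signed by parent.
func issue(cn string, parent *cert) (*cert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &cert{parsed, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

// trustPool concatenates the ca.crt payloads into one bundle, as appending several
// caCertificateRefs is assumed to do, and loads every PEM block into a single pool.
func trustPool(caPEMs ...[]byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bytes.Join(caPEMs, nil)) {
		return nil, fmt.Errorf("bundle contains no parsable CA certificate")
	}
	return pool, nil
}

// verifyClient reports whether leaf chains to a CA in pool, which is the check a
// server performs on a presented client certificate during the mTLS handshake.
func verifyClient(leaf *x509.Certificate, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// TrustMatrix runs the scenario from the issue: a dev CA and a prod CA, one client signed by
// each, checked against a dev-only, a prod-only and the appended dev+prod bundle.
// The result is indexed out[bundle][client] with bundles and clients in dev, prod order.
func TrustMatrix() [3][2]bool {
	var cas, clients [2]*cert
	for i, name := range []string{"dev", "prod"} {
		cas[i] = must(issue(name+"-ca", nil))
		clients[i] = must(issue(name+"-client", cas[i]))
	}
	bundles := [3][][]byte{{cas[0].PEM}, {cas[1].PEM}, {cas[0].PEM, cas[1].PEM}}
	var out [3][2]bool
	for i, b := range bundles {
		pool := must(trustPool(b...))
		out[i] = [2]bool{verifyClient(clients[0].Cert, pool), verifyClient(clients[1].Cert, pool)}
	}
	return out
}

func main() {
	fmt.Println("verdicts [dev-only prod-only appended] x [dev-client prod-client]:", TrustMatrix())
}
```

The appended bundle is the only one that accepts both clients, which is the outcome to expect from the policy above once both refs are honoured. To see what each referenced Secret actually carries in the cluster, the `ca.crt` key can be decoded and inspected with `kubectl get secret dev-ca -n envoy-gateway -o jsonpath='{.data.ca\.crt}' | base64 -d | openssl x509 -noout -subject`; a bundle that only ever shows one subject, or a Secret whose CA lives under a key other than `ca.crt`, would explain single-CA behaviour without any gateway bug.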
