envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway

Home Page: https://gateway.envoyproxy.io

Optional client certificate for mutual TLS

zufardhiyaulhaq opened this issue

Description:
Hi, we have a use case of securing one of the APIs with mutual TLS while keeping other APIs with TLS only. Currently, mutual TLS is applied on Gateway objects, where it protects the listener level.

By making client certificate validation optional, we can make one domain support both mutual TLS and TLS, and we can filter APIs that require mTLS with https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert later.

Relevant Links:
Most API gateways support this mechanism, for example Kong or Tyk.

  1. https://docs.konghq.com/hub/kong-inc/mtls-auth/
  2. https://tyk.io/docs/basic-config-and-security/security/mutual-tls/client-mtls/

This use case is also highlighted in the upstream GEP for this feature: https://gateway-api.sigs.k8s.io/geps/gep-91/#deferred
It also makes sense to add this knob into CTP: https://gateway.envoyproxy.io/v1.0.1/api/extension_types/#clientvalidationcontext

XFCC is being tracked with #2599.
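An added example, not code from Envoy Gateway or from anyone in this thread, of the backend-side filtering the opening post describes: once client validation is optional, one listener serves both plain-TLS and mTLS clients, and the service parses the gateway-set x-forwarded-client-cert header to admit only mTLS clients to assumed mTLS-only path prefixes. It assumes the gateway is the only hop and overwrites XFCC on every request (Envoy's SANITIZE_SET forward mode), so a client cannot inject the header itself.

```python
# Added example (not Envoy Gateway code): backend check that lets one listener
# serve plain-TLS and mTLS clients, gating mTLS-only paths on the gateway-set
# x-forwarded-client-cert (XFCC) header. Assumed policy: these need a cert.
MTLS_ONLY_PREFIXES = ("/admin/", "/payments/")


def parse_xfcc(header: str) -> list[dict[str, str]]:
    """Parse XFCC: ','-separated elements of ';'-separated key=value pairs;
    values may be double-quoted with backslash-escaped quotes."""
    certs, cur, buf = [], {}, []    # elements, current element, value chars
    key, quoted, escaped = None, False, False
    for ch in header:
        if escaped:                 # literal char after a backslash
            buf.append(ch)
            escaped = False
        elif quoted:                # inside "...": ',' ';' '=' are literal
            if ch == "\\":
                escaped = True
            elif ch == '"':
                quoted = False
            else:
                buf.append(ch)
        elif ch == '"':
            quoted = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip(), []
        elif ch in ";,":            # end of pair; ',' also ends the element
            if key is not None:
                cur[key] = "".join(buf)
            key, buf = None, []
            if ch == ",":
                certs.append(cur)
                cur = {}
        else:
            buf.append(ch)
    if key is not None:
        cur[key] = "".join(buf)
    if cur:
        certs.append(cur)
    return certs


def is_allowed(path: str, xfcc_header: str) -> bool:
    """Plain-TLS clients may call everything except MTLS_ONLY_PREFIXES, which
    need a verified client cert (Hash present in the last XFCC element).
    Assumes a single gateway hop that overwrites XFCC on every request
    (Envoy SANITIZE_SET), so a client cannot inject the header itself."""
    if not path.startswith(MTLS_ONLY_PREFIXES):
        return True
    certs = parse_xfcc(xfcc_header)
    return bool(certs) and "Hash" in certs[-1]
```

When the client presents no certificate under optional validation, Envoy sets no XFCC header at all, which is why an empty header must be treated as "no client cert" rather than as an error.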

I am working on this


Closed via #3199.