Enhancement
Resolution: Unresolved
Major
None
2.14.0 GA
When configuring the Upstream Mutual TLS policy the CA certificate types provide one of two options, path or embedded. It's unclear how to configure 3scale to support the path option.
The path option in the Upstream Mutual TLS policy requires that the certificate and key be present at the specified file locations. In the context of 3scale installed on OCP, this requires that a secret containing the certificate be mounted at the specified location.
The following article should be documented officially: https://access.redhat.com/solutions/7064329
The reason this should be documented officially is that this should be considered a supported configuration. When dealing with the 3scale operator, care must be taken that any changes to the deployment configs are not reconciled away in a later version of 3scale. Currently the APImanager operator does not observe or modify volume mounts on the apicast-production or apicast-staging pods, but the standalone APIcast operator does.
The use case for the path-based option, as opposed to the embedded option, is when a large number of products share the same certificate: it becomes burdensome to manage all products and ensure certificates are appropriately renewed. It is more convenient to have a single mounted location.