- Feature Request
- Resolution: Duplicate
- Major
When the APIcast CR's "openSSLPeerVerificationEnabled" field is enabled, APIcast verifies the certificate presented by the upstream on the TLS connection. If the upstream uses a self-signed certificate, or the certificate's issuer is not included in APIcast's default trusted CA certificate store, the connection to the upstream fails and APIcast returns 502 Bad Gateway to the downstream client:
< Server: openresty
< Date: Fri, 19 Nov 2021 14:21:22 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
<
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>openresty</center>
</body>
</html>
The APIcast environment variable that controls this feature is OPENSSL_VERIFY.
The operator should provide a way to supply a custom trusted certificate store in a Secret referenced from the APIcast CR.
Furthermore, when a custom trusted certificate store is provided, APIcast should be pointed at it through the "lua_ssl_trusted_certificate" OpenResty directive. As the OPENSSL_VERIFY documentation says:
It is recommended to use https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate and point to certificate bundle generated by export-builtin-trusted-certs.
The operator should add this directive to the APIcast global configuration, possibly via custom environments; how to do that still needs to be explored.
- duplicates: THREESCALE-7921 Enable to configure a custom certificate store in APIcast when installed via APIcast Operator
- Defined