Best way to turn off mTLS for NodePort

(This is for Istio 1.6.2)
So, we have a Postgres pod running in our development cluster, and if we set istio-injection=enabled for the namespace, trying to use a NodePort to get in fails with an SSL error (for instance, with pgcli, it will fail to connect and give this error: received invalid response to SSL negotiation).

I can disable Envoy being added to the pod with an annotation of ‘false’, but that also means no TLS to the database is happening even inside the cluster, and that’s not quite what I want, even if that means the NodePort will work.

What would be the easiest way to turn off mTLS for the NodePort only?

I think this is not supported. The other workaround is to use PERMISSIVE mode in the PeerAuthN on the port, but this means a cluster request in plaintext is also allowed.

Also note Istio 1.6 is no longer supported: Istio / Support for Istio 1.6 has ended
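
The port-level PERMISSIVE workaround mentioned in the reply, written out as an added example (not part of the original thread). The namespace `dev`, the label `app: postgres` and port 5432 are assumptions; the port key is the workload's container port, not the NodePort number.

```yaml
# Added example; all names are assumptions, not taken from the thread:
# namespace "dev", workload label "app: postgres", container port 5432.

# Namespace-wide policy: every workload in "dev" requires mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: dev
spec:
  mtls:
    mode: STRICT
---
# Workload-specific policy: only the Postgres pods, and only port 5432,
# accept both mTLS and plaintext. Port-level settings require a selector.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: postgres-permissive-port
  namespace: dev
spec:
  selector:
    matchLabels:
      app: postgres
  mtls:
    mode: STRICT            # other ports on this workload stay strict
  portLevelMtls:
    5432:
      mode: PERMISSIVE      # plaintext from inside the cluster is accepted too
```

The sidecar stays injected, so the relaxation is limited to the one port; as the reply notes, it applies to any plaintext client that can reach that port, not only to NodePort traffic.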