Best way to turn off mTLS for NodePort

(This is for Istio 1.6.2)
So, we have a Postgres pod running in our development cluster, and if we set istio-injection=enabled for the namespace, trying to use a NodePort to get in fails with an SSL error (for instance, with pgcli, it will fail to connect and give this error: received invalid response to SSL negotiation).

I can disable Envoy being added to the pod with an annotation of sidecar.istio.io/inject: 'false', but that also means no TLS to the database is happening even inside the cluster, and that's not quite what I want, even if that means the NodePort will work.

What would be the easiest way to turn off mTLS for the NodePort only?

I think this is not supported. The other workaround is to use PERMISSIVE mode in the PeerAuthN on the port, but this means a cluster request in plaintext is also allowed.

Also note Istio 1.6 is no longer supported: Istio / Support for Istio 1.6 has ended
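
The port-level PERMISSIVE workaround mentioned in the reply above, written out as an added example that is not part of the original thread. The resource name, the namespace `dev` and the label `app: postgres` are assumptions, and 5432 is assumed as the Postgres container port.

```yaml
# Added example: PeerAuthentication scoped to the Postgres workload only.
# Name, namespace and labels are hypothetical; adjust to the real deployment.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: postgres-nodeport-permissive
  namespace: dev
spec:
  # portLevelMtls is only honoured when a workload selector is present.
  selector:
    matchLabels:
      app: postgres
  # Every other port on this workload keeps requiring mTLS.
  mtls:
    mode: STRICT
  # Key is the workload (container) port, not the nodePort number
  # allocated on the node.
  portLevelMtls:
    5432:
      # PERMISSIVE accepts both mTLS and plaintext on this port, so traffic
      # arriving through the NodePort without a sidecar is let through.
      # As the reply notes, plaintext from inside the cluster is accepted
      # on this port as well.
      mode: PERMISSIVE
```

Because the policy cannot tell NodePort traffic from in-cluster traffic, anything that must reject in-cluster plaintext on this port has to be enforced elsewhere, for example with a Kubernetes NetworkPolicy or Postgres's own `hostssl` rules in `pg_hba.conf`.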