Envoy MTLS remote cluster

Hello,

I have two clusters A and B which are configured with root certificates from the same root CA. Given some environmental requirements I can not create a shared control plane or E/W gateway so I am attempting to set up envoy manually. I am attempting to run Mongodb with sidecars in both clusters to configure cluster replication, however when attempting to connect from mongoA → mongoB mongoB says the connection started with SSL and the server isn’t configured for it. This tells me the Envoy proxy is not decrypting the traffic before forwarding onto the pod.

Cluster A has a service entry and destination rule configured for TLS and MESH_INTERNAL of cluster B’s service. The Destination rule is configured for ISTIO_MUTUAL mode and to add the appropriate SNI header. Cluster B has a virtual service configured to accept traffic. All traffic flows as i would expect it to MongoA --443–> MongoB Service --27017–> MongobB Envoy → MongoB. Is there a way to configure envoy to decrypt the incoming traffic?