Getting custom mutating webhook to work with mtls

Brief

Currently I have a service which receives webhook notifications on k8s operations via k8s mutating webhooks. However, when mtls is switched on, the service cannot receive requests. I understand that an “istio-service” cannot receive requests from a “non-istio-service”, which is why kube-api cannot connect to my service. Is there a way to turn mtls off for receiving requests on specific ports? Or any workarounds? Thank you!

Here’s my repo for reference
https://github.com/isaiahwong/gateway-go
Kindly ignore the README.md

My config for mutating webhook
The cert is a self-signed cert.

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: gateway-webhook
  namespace: default
webhooks:
  - name: gateway-service.default.svc
    clientConfig:
      service:
        name: gateway-service
        namespace: default
        path: '/webhook'
      caBundle: <YOUR_CA_BUNDLE>
    rules:
      - operations: ['*']
        apiGroups: ['*']
        apiVersions: ['*']
        resources: ['services']

Pod listening via TLS

// Start the webhook server over TLS (server cert and key paths come from config).
// http.ErrServerClosed is the normal result of a graceful shutdown, so only other errors are fatal.
if err := ws.Server.ListenAndServeTLS(config.WebhookCertDir, config.WebhookKeyDir); err != nil && err != http.ErrServerClosed {
	logger.Fatalf("Webhook server: %s\n", err)
}

Workaround

Found a workaround. Used self-signed certs as per normal when configuring the admission webhooks.
Configure Istio’s Policy mtls mode PERMISSIVE targeting the port that is listening for webhooks, i.e. 443. Configure a MeshPolicy to enable STRICT mtls for other services.

Example

MeshPolicy for your namespace

apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
spec:
  peers:
  - mtls: {}

Ignore the port that is listening for webhooks

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "ignore"
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
  targets:
  - name: gateway-service
    ports:
    - number: 443

Mutating Webhook

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: gateway-webhook
  namespace: default
webhooks:
  - name: gateway-service.default.svc
    clientConfig:
      service:
        name: gateway-service
        namespace: default
        path: '/webhook'
      caBundle: <YOUR_CA_BUNDLE>
    rules:
      - operations: ['*']
        apiGroups: ['*']
        apiVersions: ['*']
        resources: ['services']
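An added check, not part of the original post: it cross-checks the three objects above offline, confirming that the mesh stays STRICT, that the PERMISSIVE exemption is pinned to one service port, and that the exempted port is exactly the one kube-apiserver calls (clientConfig.service.port defaults to 443 when omitted). The inputs are the page's YAML restated as Python dicts, plus a constructed over-broad Policy for contrast.

```python
# Constructed inputs: the MeshPolicy, Policy and MutatingWebhookConfiguration from the
# workaround above, expressed as Python dicts so the check runs without a cluster.
MESH_POLICY = {"kind": "MeshPolicy", "spec": {"peers": [{"mtls": {}}]}}
WEBHOOK_POLICY = {
    "kind": "Policy",
    "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}],
             "targets": [{"name": "gateway-service", "ports": [{"number": 443}]}]},
}
WEBHOOK_CONFIG = {
    "kind": "MutatingWebhookConfiguration",
    "webhooks": [{"name": "gateway-service.default.svc", "clientConfig": {"service": {
        "name": "gateway-service", "namespace": "default", "path": "/webhook"}}}],
}
# Constructed counter-example: PERMISSIVE with no targets downgrades the whole namespace.
BROAD_POLICY = {"kind": "Policy", "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]}}


def mtls_modes(policy):
    """Peer mTLS modes a v1alpha1 policy requests; an empty mtls block means STRICT."""
    return [(p.get("mtls") or {}).get("mode", "STRICT")
            for p in policy["spec"].get("peers", []) if "mtls" in p]


def webhook_endpoints(config):
    """(service, port) pairs kube-apiserver will call; clientConfig.service.port defaults to 443."""
    return {(w["clientConfig"]["service"]["name"], w["clientConfig"]["service"].get("port", 443))
            for w in config.get("webhooks", []) if "service" in w["clientConfig"]}


def permissive_endpoints(policy):
    """(service, port) pairs the policy exempts; '*' / None mean every service / every port."""
    if "PERMISSIVE" not in mtls_modes(policy):
        return set()
    targets = policy["spec"].get("targets") or [{"name": "*"}]
    return {(t["name"], port.get("number"))
            for t in targets for port in (t.get("ports") or [{"number": None}])}


def audit(mesh_policy, policy, config):
    """Findings; empty when the exemption is exactly the webhook endpoint and nothing else."""
    findings = []
    if mtls_modes(mesh_policy) != ["STRICT"]:
        findings.append("MeshPolicy does not enforce STRICT mTLS")
    exempt, needed = permissive_endpoints(policy), webhook_endpoints(config)
    for name, port in exempt:
        if name == "*" or port is None:
            findings.append(f"PERMISSIVE exemption {(name, port)} is not pinned to one service port")
    for ep in needed - exempt:
        findings.append(f"webhook endpoint {ep} still requires Istio mTLS, so kube-apiserver cannot reach it")
    for ep in exempt - needed:
        findings.append(f"{ep} is exempt from mTLS but serves no webhook")
    return findings
```

Run `audit(MESH_POLICY, WEBHOOK_POLICY, WEBHOOK_CONFIG)` against your own manifests (after loading them with a YAML parser) to confirm the exemption is no wider than the single webhook port.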