How Istio redirects traffic and presents a certificate for authentication

We have two pods, say A and B, both in the same namespace with Istio injected. Now pod A wants to authenticate itself to pod B using an x509 certificate. From pod A, in the curl command, if we provide:

  1. https in the URL and the certificate explicitly (not by the istio-proxy but by the main container within pod A), the webserver running within the main container of pod B receives this certificate and works on it.
  2. http in the URL and we depend on pod A's istio-proxy to wrap it using the right certificate, the https traffic now originating from this proxy is received by the istio-proxy running within pod B; however, the webserver of B still receives http traffic (without the certificate).

Questions are:

  1. How can the webserver in pod B receive the https call as is, without the istio-proxy converting it to http?
  2. We still want to make sure that the traffic originates as http within pod A's main container and that the istio-proxy of pod A converts it into https.
  3. How can DestinationRule, PeerAuthentication, Sidecar and ServiceEntry help in the process?

The curl command used from pod A:

```
curl --location --request POST 'http://keycloak-http/auth/realms/sample/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=Test_certAuth' \
--data-urlencode 'grant_type=client_credentials' -k -v --key /etc/certs/tls.key --cert /etc/certs/tls.crt
```

The error seen in the pod B main container is:

```
2023-08-29 05:32:44,181 TRACE [org.infinispan.container.impl.EntryFactoryImpl] (executor-thread-291) Wrap 156ca09f-5c85-4536-b0d1-07a634fbd965 for read. Entry=RepeatableReadEntry(2dd00e1c){key=156ca09f-5c85-4536-b0d1-07a634fbd965, value=0, oldValue=0, isCreated=false, isChanged=false, isRemoved=false, isExpired=false, isCommited=false, skipLookup=false, metadata=EmbeddedMetadata{version=null}, oldMetadata=EmbeddedMetadata{version=null}, internalMetadata=null}
2023-08-29 05:32:44,182 TRACE [org.infinispan.interceptors.impl.CallInterceptor] (executor-thread-291) Invoking: GetKeyValueCommand
2023-08-29 05:32:44,182 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (executor-thread-291) client by id cache hit: Test_certAuth
2023-08-29 05:32:44,182 DEBUG [org.keycloak.services] (executor-thread-291) [X509ClientCertificateAuthenticator:authenticate] **x509 client certificate is not available for mutual SSL.**
2023-08-29 05:32:44,182 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-291) client authenticator ATTEMPTED: client-x509
2023-08-29 05:32:44,182 ERROR [org.keycloak.services] (executor-thread-291) KC-SERVICES0017: Unknown result status
2023-08-29 05:32:44,182 DEBUG [org.keycloak.services] (executor-thread-291) KC-SERVICES0014: Failed client authentication: org.keycloak.authentication.AuthenticationFlowException
        at org.keycloak.authentication.ClientAuthenticationFlow.processResult(ClientAuthenticationFlow.java:173)
```

Expected output: Keycloak should receive the certificate.