Https only backend service

Folks,

I’m looking for some guidance on how to configure the sidecar to talk to the backend service that only understands https. By design, all traffic between the sidecar and the service is plaintext, which results in "upstream connect error or disconnect/reset before headers. reset reason: connection failure", since the service expects a TLS handshake.

From the sidecar I can execute:

istio-proxy@playground-vdev2-cm-all-1-5dbcff567c-wtpsc:/$ curl -v -s -o /dev/null -k https://localhost:8443
*   Trying 127.0.0.1:8443...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8443 (#0)
...
< HTTP/1.1 200 OK
< Server: nginx/1.20.2
< Date: Sat, 15 Jan 2022 21:23:09 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Tue, 16 Nov 2021 14:44:02 GMT
< Connection: keep-alive
< ETag: "6193c3b2-264"
< Accept-Ranges: bytes

I reckon Envoy can be forced to use TLS by using an EnvoyFilter, but I have no idea what it should look like.

Any help appreciated.

When you say backend service, is that another k8s service in the mesh, something external to the mesh, or the application container in the Kubernetes pod?
From your curl I suspect it's the latter. If that is the case, I believe you should be configuring your app container to be plaintext (HTTP). That's pretty much the idea in Istio: the proxy takes care of TLS initiation and termination, so you have TLS between pod boundaries and plaintext between proxy and application within the pod (which is an in-memory transfer).