How does Istio mTLS behave when two workloads communicating with each other are already using mTLS?
Let’s say that we brought into the mesh a couple of services that share the same root certs, have generated private keys, and self-signed certs - basically an old school mTLS backbone. Besides that, in the mesh reside a few other services that serve plaintext. We decided to wrap all of them into one service mesh to enforce encrypted traffic (STRICT PeerAuthentication). It seems like all of the services can talk to each other and everything works well.
The question is how does Istio proxy handle inside mesh traffic, which is already encrypted?
Does it say - all right, this one is encrypted, I’ll let you through.
Or - I don’t care whether you’re encrypted or not, I must direct you through my mTLS HTTPS tunnel (I don’t even know if this double encryption is possible)