Pass TLS through Ingress and terminate it on the workload's proxy

There is an article on how to pass TLS through Ingress and terminate it on the workload -
Instead, I’d like to terminate it on the workload’s proxy (Envoy), and have the proxy doing the regular Istio’s authentication and authorization.
What config do I need to apply in order to achieve that? (of the gateway, virtual service, etc)

My use case is:
I have a set of services I’m migrating to Istio, they already use mTLS to communicate with each other.
The services will be migrated gradually, so these cases are possible:

  1. the client is outside of mesh, while the server is inside
  2. visa versa

I plan to plug in existing TLS root and intermediate certificates as per so the leaf services’ certificates in both systems will have a common root cert, so the services in the both systems should be able to trust each other.