Sending mTLS requests to external services

Say that I control and would like to authenticate requests to example.com, making sure they’re coming from service x. I’m using Istio in my Kubernetes cluster. I can’t trust K8s to schedule pods with static IPs, so IP-level firewalling isn’t useful.

Istio provides an identity framework, though! What if I wanted to take Istio’s certificate and trust it on example.com? Then I’d have a way to be sure service x is the one talking to example.com.

How would I ensure Istio signs/encrypts outbound requests to example.com with the cert for service x? I note there is a TLS origination example for tls.mode=SIMPLE - is it as simple as changing this to tls.mode=MUTUAL?