I have been using Istio in production for more than 1.5 years now. So far so good.
Our architecture is to let user-facing applications come in through the ingress gateway to an app, let's call it the main app, and then any second-tier service (let's call them secondary app1 and secondary app2) gets called from this main app. Since the main app is user facing I cannot mandate mTLS. Also we are doing TLS offloading of the main app on AWS ELB, so the ingress gateway is configured to accept HTTP (not HTTPS).
So I would like to have all secondary applications mandate mTLS and any traffic coming from the ingress gateway talk to the secondary apps via mTLS too.
I looked at auto mTLS and it looks promising. When I configured auto and made the Policy for the secondary app namespace STRICT it is working as expected as far as the mutual part of the mTLS is concerned. Meaning when I try to access from a non-Istio container it fails but when I access from an Istio container it works. It also works from the ingress gateway.
My question now is all examples in auto mTLS use HTTP to show that it works. When I explicitly use HTTPS it fails. Is this because internally it uses HTTPS and I don't have to worry about it?
How do I test if it is using TLS? What if I am missing some config and it is not encrypting?
By the way I am using Istio 1.4.7.