TLS Handling from Envoy

I want to ask what the exact flow is between the container and the envoy proxy sidecar for TLS connections.

What I have seen so far:

With TLS origination:

  • Container sends plain HTTP to the envoy sidecar
  • Envoy sidecar starts an HTTPS connection with the target. If we use SIMPLE mode, the envoy proxy sidecar does not perform target certificate validation

What about an HTTPS connection? What I would like to achieve is the following:

  • Container sends HTTPS to the envoy sidecar through ISTIO_MUTUAL and trusts the sidecar’s certificate
  • Envoy sidecar starts an HTTPS connection with the target. If we use SIMPLE mode, the envoy proxy sidecar does not perform target certificate validation

I'm not able to achieve this with any configuration. Is it possible?

What are you trying to achieve? Are you worried about HTTP traffic from your app container to envoy? If so, the recommended approach is to use unix domain sockets to communicate with the envoy sidecar.

Hi Nick, thanks for the reply.
To be honest, I'm trying to achieve an HTTPS communication between the pod and the target without certificate validation. It seems strange to me that you can do Istio TLS origination without certificate validation for HTTP requests from the pod while you cannot do the same for HTTPS requests.
i.e.
pod -> (HTTP to target URL) reaches envoy sidecar -> (mTLS) to egress gateway -> (SIMPLE, no validation) to target
while
pod -> (HTTPS to target) requires certificate validation
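As an added example that is not part of this thread, the following ServiceEntry plus DestinationRule pair shows the sidecar TLS origination flow from the question (app sends plain HTTP, Envoy originates TLS to the target) with upstream certificate validation switched on explicitly via `caCertificates`, `sni` and `subjectAltNames`, rather than the unvalidated SIMPLE case described above. The target host, resource names and the CA bundle path are assumptions.

```yaml
# Added example, not from the thread. Sidecar TLS origination to an external
# HTTPS service: the app talks plain HTTP on port 80, the sidecar sends it on
# to port 443 as TLS and verifies the server certificate.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: example-external            # assumed name
spec:
  hosts:
  - api.example.com                 # assumed target host
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
    targetPort: 443                 # HTTP from the app is carried to 443 after origination
  - number: 443
    name: https-port
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: example-external-tls        # assumed name
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80                  # only the plain-HTTP port gets TLS originated
      tls:
        mode: SIMPLE
        # Without caCertificates this is the "SIMPLE, no validation" case from
        # the thread. Pointing at a CA bundle makes verification explicit, and
        # sni/subjectAltNames pin the expected server name.
        caCertificates: /etc/ssl/certs/ca-certificates.crt   # assumed path inside the sidecar
        sni: api.example.com
        subjectAltNames:
        - api.example.com
```

The CA bundle must be readable inside the istio-proxy container, so check that the assumed path exists there before relying on this rule.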