Hi @Zufar_Dhiyaulhaq, in your blog article you are mounting those certificates via annotation to the sleep pod, which is your client.
In my scenario there is no client pod – the caller is outside of Istio. For example I call through POSTMAN using a Host header with a value like “test-sandbox-service-mesh.mycompany.com”, and my VirtualService (which matches that host) forwards the traffic, but there are no pods involved. It’s like we’re using Istio as a reverse proxy.
Here is my VirtualService. The system/console route works exactly as desired, using SIMPLE TLS. But for the other route, important-api/v1, which needs to use MUTUAL TLS, I don’t know where to mount the certs.
number: 11443 # mutual TLS port
number: 443 # simple TLS port