Is it possible to reach workloads outside the mesh (i.e. without sidecar) from a gateway that is in a mesh?

We have Istio gateways working without the mesh enabled. As soon as we enable the mesh, gateways are only able to communicate with workloads within a mesh too.

It doesn’t work anymore for workloads without a sidecar after enabling the mesh. I’ve listed the scenarios with diagrams below:

Scenario 1: gateway without mesh enabled, works.

Scenario 2: gateway with Istio mesh enabled and workload with proxy sidecar, works.

Scenario 3 (does not work): gateway with an Istio mesh enabled is unable to communicate with workloads that don’t have a sidecar. Is it possible to tell the gateway to not use mTLS for these sidecars? We have tried disabling mTLS using PeerAuthentication and DestinationRules (as described in the mTLS migration guide), but those seem to configure on the destination/workload level, where we don’t have a sidecar/mTLS anyway.

[Image: Istio scenarios]

Hazim

0 Answers