ISTIO_mTLS difference with Ingress Gateway vs Sidecar

[haithamshahin333]

Hello,

I've enabled a federated mesh using Spire, I'm seeing cluster1 in trust domain foo.com can do ISTIO_MTLS with an ingress gateway win cluster2 in trust domain bar.com. However, when I configure the gateway to PASSTHROUGH such that ISTIO_MTLS should happen between the two services in each cluster, I see a OpenSSL error.

Is there a difference in how the gateway does ISTIO_MTLS vs a sidecar? If you refer to the image below, what I'm suggesting is that the only real way to get this working is to place a gateway between the two services and have ISTIO_MTLS occur at the gateway.