openservicemesh / osm

Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
https://openservicemesh.io/
Apache License 2.0

Support Ingress controllers with mTLS on them #3582

Closed KnicKnic closed 3 years ago

KnicKnic commented 3 years ago

Please describe the Improvement and/or Feature Request

Blindly allow traffic to flow into the ingress controller, however add mTLS to the http sessions from the controller to the servers that the ingress forwards to.

public -> (allow *) (nginx) -> (OSM mTLS) webservers

I want to inject OSM into the ingress controller, and annotate it with please pass through data to ingress controller, however do mTLS on outgoing sessions.


Possible use cases

In my use case:

  1. I have already authenticated traffic being proxied into the ingress controller (and it is being secured with my own mTLS).
    1. I need OSM to ignore this "inbound" traffic (ingress controller will decap the mTLS session)
  2. I then need outbound traffic from the ingress controller to use OSM mTLS sessions.

Problems

  1. I don't know how to communicate to Envoy to blindly ignore traffic on the inbound port, yet pass it through to the application that has been injected with a sidecar.
  2. I do not know how ingress rules will play with traffic policies.
    1. If I set up a TrafficTarget to allow the ingress controller to talk to my backend webservers, and an ingress rule to proxy traffic from the ingress controller to the backend webservers, what happens to mTLS?

shashankram commented 3 years ago

This is done, and the changes have been backported to release-v0.9 to be available in the v0.9.1 release.

Relevant documentation:

  1. Inbound port exclusion: https://release-v0-9.docs.openservicemesh.io/docs/tasks/traffic_management/iptables_redirection/#inbound-port-exclusions
  2. Ignore an ingress resource: https://release-v0-9.docs.openservicemesh.io/docs/tasks/traffic_management/ingress/#ignoring-an-ingress-resource
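As an added illustration of the pattern the thread lands on (not configuration from the issue or from the OSM project itself), the ingress controller's pod template excludes its externally facing inbound ports from sidecar redirection so the controller terminates the outer TLS session itself, while its outbound hops to the backend still go through the sidecar and get OSM mTLS; the SMI TrafficTarget then restricts which service account may reach the backend. The namespace, service account and deployment names, the port numbers and the route are assumptions for the example.

```yaml
# Assumed names: namespace "ingress", service account "nginx-ingress",
# backend service account "webserver" in namespace "app".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress
  namespace: ingress   # namespace is assumed to be enrolled in the mesh
spec:
  selector:
    matchLabels: { app: nginx-ingress }
  template:
    metadata:
      labels: { app: nginx-ingress }
      annotations:
        # Inbound traffic on 80/443 bypasses the Envoy sidecar, so the
        # controller decapsulates the client TLS/mTLS session itself.
        # Outbound connections are still redirected and get OSM mTLS.
        openservicemesh.io/inbound-port-exclusion-list: "80,443"
    spec:
      serviceAccountName: nginx-ingress
      containers:
        - name: controller
          image: INGRESS_CONTROLLER_IMAGE   # placeholder
          ports:
            - { containerPort: 80 }
            - { containerPort: 443 }
---
# Only the ingress controller's identity may reach the backend over mTLS.
apiVersion: access.smi-spec.io/v1alpha3
kind: TrafficTarget
metadata:
  name: ingress-to-webserver
  namespace: app
spec:
  destination:
    kind: ServiceAccount
    name: webserver
    namespace: app
  sources:
    - kind: ServiceAccount
      name: nginx-ingress
      namespace: ingress
  rules:
    - kind: HTTPRouteGroup
      name: webserver-routes
      matches: [ all ]
---
apiVersion: specs.smi-spec.io/v1alpha4
kind: HTTPRouteGroup
metadata:
  name: webserver-routes
  namespace: app
spec:
  matches:
    - name: all
      pathRegex: ".*"
      methods: [ "*" ]
```

The inbound exclusion is deliberately limited to the listener ports: anything else the controller receives, such as health checks from inside the mesh, still goes through the sidecar and is subject to the usual policy checks.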