This repository has been archived by the owner on Jun 19, 2021. It is now read-only.

Istio mTLS not working after apigee-edge integration for version 1.0.4 #12

Open
Vignesh-Shanmugam opened this issue Dec 18, 2018 · 0 comments


I had two services deployed to the Istio service mesh (version 1.0.4). Service A is configured to the Ingress gateway for the user to call from outside the mesh; Service B can be called only by services inside the mesh through mTLS.

But after the Apigee-Istio integration, the call from Service A to Service B throws a 403/Forbidden error.

Service A and B are part of the same Mesh cluster and same namespace too.

Service A is exposed on ingress and the Apigee adapter is configured on it. The call to Service A from outside the mesh works when providing a proper Auth Token from the Apigee website.

But Service B is not configured with ingress; only Service A calls Service B, which is in the same namespace. This was working fine before the Apigee adapter was configured, but after the configuration the call from Service A to B throws a 403 error.

The call is simple: from outside I call Service A, which in turn calls Service B through a REST template, but providing the URL and NO-AUTH (i.e. http://called-service:8091/callme/ping).

The call reached the istio-proxy of the called-service.

I am confused why 403 is thrown. Apigee is at the mixer and for the ingress; not sure why the service-to-service interaction is getting interrupted.

The log from the called-service with the Apigee-adapter integration removed:

[2018-12-18T14:58:37.565Z] "GET /callme/pingHTTP/1.1" 200 - 0 29 14 11 "-" "Java/1.8.0_181" "11aa0885-67ae-9ccf-a460-4addb66faf61" "called-service:8091" "127.0.0.1:8091" inbound|8091||called-service.default.svc.cluster.local - 10.36.1.17:8091 10.36.2.10:42788

The logs from the called-service Istio-proxy after Apigee-Adapter integration:

[2018-12-17T20:50:43.284Z] "GET /callme/pingHTTP/1.1" 403 - 0 75 6 - "-" "Java/1.8.0_181" "4a8353bb-e448-9145-9d86-15e1dd9e5c0f" "called-service:8091" "-" - - 10.40.2.24:8091 10.40.1.47:54292
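
A field-by-field reading of the two log lines above, as an added example that is not part of the original issue or the project's code. It assumes the lines follow Istio's default sidecar (Envoy) access log format; the field names and helper functions are chosen here for illustration. The 403 entry carries no upstream host or cluster, so the sidecar produced that response itself and never forwarded the request to the application container.

```python
import shlex

# Field order of Istio's default sidecar (Envoy) access log format.
# Assumption: the mesh uses that default; a custom format needs another list.
FIELDS = [
    "start_time", "request", "response_code", "response_flags",
    "bytes_received", "bytes_sent", "duration_ms", "upstream_service_time",
    "x_forwarded_for", "user_agent", "request_id", "authority",
    "upstream_host", "upstream_cluster", "upstream_local_address",
    "downstream_local_address", "downstream_remote_address",
]

# The two access log lines quoted in the issue, copied verbatim.
LOG_WITHOUT_ADAPTER = '[2018-12-18T14:58:37.565Z] "GET /callme/pingHTTP/1.1" 200 - 0 29 14 11 "-" "Java/1.8.0_181" "11aa0885-67ae-9ccf-a460-4addb66faf61" "called-service:8091" "127.0.0.1:8091" inbound|8091||called-service.default.svc.cluster.local - 10.36.1.17:8091 10.36.2.10:42788'
LOG_WITH_ADAPTER = '[2018-12-17T20:50:43.284Z] "GET /callme/pingHTTP/1.1" 403 - 0 75 6 - "-" "Java/1.8.0_181" "4a8353bb-e448-9145-9d86-15e1dd9e5c0f" "called-service:8091" "-" - - 10.40.2.24:8091 10.40.1.47:54292'


def parse_access_log(line):
    """Split one access log line into named fields (quoted fields stay whole)."""
    tokens = shlex.split(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    record = dict(zip(FIELDS, tokens))
    record["start_time"] = record["start_time"].strip("[]")
    return record


def answered_by(record):
    """Return 'application' if the proxy forwarded the request upstream,
    'sidecar' if the proxy produced the response without an upstream."""
    forwarded = record["upstream_host"] != "-" and record["upstream_cluster"] != "-"
    return "application" if forwarded else "sidecar"


def summarize(line):
    """Return (response code, who answered, upstream cluster) for one line."""
    record = parse_access_log(line)
    return record["response_code"], answered_by(record), record["upstream_cluster"]


if __name__ == "__main__":
    for label, line in (("without adapter", LOG_WITHOUT_ADAPTER),
                        ("with adapter", LOG_WITH_ADAPTER)):
        print(label, summarize(line))
```
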