Client mode determines whether the translated Istio resources (i.e., the service entries and workload entries) use SNI routing or TLS termination at the East/West Gateway during cross-cluster routing. This option can be configured at either the WorkspaceSettings level or on the VirtualDestination. Any VirtualDestination setting overrides the global fallback defined by an admin on the WorkspaceSettings.
The default mode is to use SNI routing via TLS passthrough at the East/West Gateway to route to services across clusters. In the future, this may change to become smarter (e.g., detect whether any pods backing the virtual destination don't have sidecars and, if so, use TLS termination so that all pods are routable). For information about the value format, see the Google protocol buffer documentation.
SNI routing mode uses TLS passthrough to route traffic to the proper pod (with sidecar) from the East/West Gateway. For information about the value format, see the Google protocol buffer documentation.
TLS termination mode uses TLS termination at the East/West Gateway to route traffic to the correct pod. This mode is ideal for Gloo Mesh Gateway, i.e., when some backing pods don't have sidecars. Since TLS is terminated at the East/West Gateway, the backing service (if it has a sidecar) will not be able to verify the Istio mTLS identity of the originating client; rather, it will verify the Istio mTLS cert of the East/West Gateway. For information about the value format, see the Google protocol buffer documentation.
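
The override order and the identity consequence described above can be checked together. The following is an added example, not Gloo Mesh code: it models which client mode applies to each virtual destination and flags destinations whose identity-based allow-lists no longer match the originating client once TLS is terminated at the gateway. The mode labels, dictionary keys, finding names and principals are hypothetical and constructed for illustration.

```python
# Added example. Mode labels, dict keys and all names are hypothetical,
# not Gloo Mesh API fields; the sample data is constructed.
SNI_ROUTING = "sni_routing"
TLS_TERMINATION = "tls_termination"


def effective_mode(vd_mode, workspace_mode):
    """VirtualDestination setting wins, then the WorkspaceSettings fallback,
    then the documented default (SNI routing)."""
    return vd_mode or workspace_mode or SNI_ROUTING


def verified_peer(mode, client_principal, gateway_principal):
    """Identity the backing sidecar authenticates for a cross-cluster call.
    Passthrough keeps the client's mTLS session intact; termination means the
    sidecar sees the gateway's certificate instead."""
    return gateway_principal if mode == TLS_TERMINATION else client_principal


def audit(virtual_destinations, workspace_mode, gateway_principal):
    """Flag destinations whose principal allow-lists stop meaning what they
    say once TLS is terminated at the gateway."""
    findings = []
    for vd in virtual_destinations:
        mode = effective_mode(vd.get("client_mode"), workspace_mode)
        allowed = set(vd.get("allowed_principals", []))
        if mode != TLS_TERMINATION or not allowed:
            continue  # client identity preserved, or no identity-based rule
        if gateway_principal in allowed:
            findings.append((vd["name"], "GATEWAY_TRUSTED_FOR_ALL_CLIENTS"))
        else:
            findings.append((vd["name"], "CLIENT_ALLOWLIST_UNMATCHABLE"))
    return findings


GATEWAY = "cluster.local/ns/istio-eastwest/sa/istio-eastwestgateway"
FRONTEND = "cluster.local/ns/web/sa/frontend"
SAMPLE = [
    {"name": "reviews", "client_mode": None, "allowed_principals": [FRONTEND]},
    {"name": "ratings", "client_mode": SNI_ROUTING, "allowed_principals": [FRONTEND]},
    {"name": "legacy", "client_mode": TLS_TERMINATION, "allowed_principals": [GATEWAY]},
    {"name": "public", "client_mode": TLS_TERMINATION, "allowed_principals": []},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, TLS_TERMINATION, GATEWAY):
        print(f"{name}: {finding}")
```

With a workspace fallback of TLS termination, `reviews` inherits it and is flagged, while `ratings` keeps the client identity because its own setting overrides the fallback.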