Tls passthrough

I have referred to the following discussion feat(router) allow TLS passthrough in stream router by fffonion · Pull Request #6757 · Kong/kong · GitHub
It seems that support for tls passthrough has been added in Kong gateway, but I am not able to get it to work in kong-ingress-controller

Kong helm chart version : kong-2.13.1
App version: 3.0

here is my manifest

kind: Service
apiVersion: v1
  name: example-service
  annotations: "true"
    - protocol: TCP
      port: 443
  type: ExternalName
kind: TCPIngress
  name: tls-passthru
  annotations: kong
  - host:
    port: 9443
      serviceName: example-service
      servicePort: 443

I am making https request
curl -v --header 'Host:' https://$KONG-IP:9443/
the kong seems to be trying to terminate tls before forwarding the stream to the service. What am I missing in the config

The protocols field/annotation is used for this with both the controller and admin API. You should set it to tls_passthrough: Admin API - v3.0.x | Kong Docs

That said, your configuration should already be doing TLS passthrough, as a plain TCP route doesn’t attempt to parse the TLS portion of the connection. You will see Kong terminate the TCP connection, but the TLS and application data will be passed upstream as-is on the new upstream connection.

The tls_passthrough protocol lets you do this while also routing the request based on the snis field, letting you multiplex different TLS routes on the same port. If you’re using a dedicated port (as a TCPIngress will by default), you don’t need that additional routing information: all traffic on port 9443 will forward to example-service.