Central Ingress Gateway routing to multi-tenant apps in different namespaces

We use multi-tenant clusters with each tenant running in their own namespace. Everything is locked down with policies, RBAC ect. Currently we deploy an Ingress Gateway in each tenant namespace for them and they then control routing to their pods/services using Virtual Services. There is an app gateway running outside of the clusters which routes traffic to the appropriate tenant ingress using path based routing.

This works fine however it is wasteful having so many ingress gateways. Is there a way that we can create a central Ingress Gateway which routes to the appropriate tenant namespace using path based routing? We would still need the tenants to do additional path based routing within their namespace.

Central Ingress gateway /app1/* => some service in app1 namespace
/app1/microservice1 => microservice1 pod/svc in app1 namespace
/app1/microservice2 => microservice2 pod/svc in app1 namespace

We would need to ensure that app2 couldn’t route traffic intended for app1 to their namespace.

Any advice would be brilliant!