Default SSL on Ingress Gateway

I’m coming from using the nginx IngressController where I use the default SSL certificate
https://kubernetes.github.io/ingress-nginx/user-guide/tls/

The way that works is that if the Ingress doesn’t provide a separate certificate, then the default will be used. I have a wildcard certificate that accommodates most of the workloads and I provide a separate certificate with an Ingress resource when the wildcard won’t work.

Is there some equivalent for the Istio Ingress Gateway?

@Oliver @JimmyChen Do you know if the Istio gateway supports using multiple certificates?

I did make a little progress yesterday using this link

With this I succeeded in creating a secret in the istio-system namespace with a wildcard certificate that will work for many of my workloads. I then have to add the following section to each Gateway definition

tls:
  mode: SIMPLE
  privateKey: /etc/istio/ingressgateway-certs/tls.key
  serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

Still unresolved
On this page I see an example of referencing a TLS secret, which is very similar to how the Ingress does it. It looks like this in the Gateway:

tls:
  mode: SIMPLE
  credentialName: bookinfo-secret # fetches certs from Kubernetes secret

I would expect the secret to be defined in the same namespace as the Gateway resource, but it didn’t work when I tried it. I then tried adding a secret to the istio-system namespace, but that didn’t work either.

Is this a currently working feature? If so, how can I use it? I just found and will look at this link next:

I still can’t get the credentialName approach to work. Is there specific documentation about this? For example, does the Secret need to be in a certain namespace?

How can I troubleshoot this credentialName approach in the Ingress Gateway?
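The following manifests are an added example, not something posted in this thread or taken from the Istio project's sample files. They show the credentialName approach with the namespace placement that the Istio SDS documentation requires: the Secret has to live in the namespace of the istio-ingressgateway Deployment (istio-system in a default install), because the gateway's Envoy fetches it through that pod's service account, while the Gateway resource itself can sit in the workload namespace. The names wildcard-example-com, my-app and app.example.com are placeholders.

```yaml
# Added example (not from the original thread). A wildcard TLS Secret in
# istio-system and a Gateway in a workload namespace that references it
# through credentialName.
#
# Placement that does NOT work with credentialName:
#   - a Secret of the same name in the Gateway's own namespace (my-app)
# Placement that works:
#   - the Secret in the namespace of the ingress gateway pod (istio-system)
#
# The same Secret can be created from PEM files instead of a manifest:
#   kubectl -n istio-system create secret tls wildcard-example-com \
#       --cert=wildcard.crt --key=wildcard.key
apiVersion: v1
kind: Secret
metadata:
  name: wildcard-example-com
  namespace: istio-system        # must match the istio-ingressgateway pod's namespace
type: kubernetes.io/tls
data:
  tls.crt: "<base64-encoded PEM certificate chain>"   # placeholder, fill in
  tls.key: "<base64-encoded PEM private key>"         # placeholder, fill in
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-app-gateway
  namespace: my-app              # the Gateway may live with the workload
spec:
  selector:
    istio: ingressgateway        # selects the istio-system ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "app.example.com"          # covered by the wildcard certificate
    tls:
      mode: SIMPLE
      credentialName: wildcard-example-com   # Secret name only, no namespace prefix
```

Two things to check when this still does not serve the certificate. First, credentialName relies on SDS on the ingress gateway; in the Istio 1.1 line that was opt-in at install time (the Helm value `gateways.istio-ingressgateway.sds.enabled=true`), and only became the default in later releases, so an older install silently ignores the field. Second, the Secret must carry either the `tls.crt`/`tls.key` keys of a `kubernetes.io/tls` Secret or the `cert`/`key` keys of a generic Secret; any other key names are not picked up. For troubleshooting, `kubectl -n istio-system get secret wildcard-example-com` confirms placement, `kubectl -n istio-system logs <ingress-pod>` shows SDS fetch errors, and on newer istioctl releases `istioctl proxy-config secret -n istio-system <ingress-pod>` lists the certificates Envoy has actually loaded. The file-mount approach from the earlier update (`/etc/istio/ingressgateway-certs/tls.crt`) is a separate mechanism and only works when the Secret is named `istio-ingressgateway-certs` in istio-system, since that is the volume the default gateway Deployment mounts.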