Ingress gateway + TLS usability questions


I’m considering Istio ingress gateways to replace K8s’ native ingress resources, but I find challenges in an environment where end users cannot expose their own ingress gateway with a service of type LoadBalancer (on-prem with F5 load balancers not implementing the service type LoadBalancer). Allow me to elaborate.

The current environment uses shared nginx ingress controllers, and these are externally exposed using an admin-managed F5 vserver custom resource definition. Users can create ingress resources with TLS certificates stored in secrets in their user namespace, with no access to the ingress controller namespace.

Going with Istio ingress gateways, I don’t see how to achieve the same functionality because:

  • They have no access to the shared ingress gateway namespace (istio-system) to create secrets
  • With their own ingress gateway in their namespace, they have no ability to expose it externally

I was wondering if anyone else had the same problem, and whether there is a possible alternative.

Thanks!

So, working with quite a few production users of Istio, I’ve found there is usually some way to import the certs into the istio-system namespace. For example, I’ve seen folks write a controller that reads secrets in other namespaces (with annotations, for example) and then automatically imports them to the istio-system namespace. Of course you can write other validation logic, etc. there also. This may or may not help you, YMMV.
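The reconcile logic such a controller would need, as an added example that is not part of the original thread and not any project's own code: it selects source secrets that carry an opt-in annotation, validates that they are real kubernetes.io/tls secrets, mirrors them into istio-system under a namespace-prefixed name so two teams cannot collide, and only ever deletes mirrors that carry its own ownership label, so admin-created secrets in istio-system are never touched. The annotation and label names (istio-sync.example.com/...), the Secret objects and the PEM bodies are all constructed for the example; the Kubernetes API calls (list/apply/delete) are assumed to wrap it and are left out so it runs offline.

```python
import base64

# Hypothetical opt-in annotation and ownership labels; not Istio's own.
SYNC_ANNOTATION = "istio-sync.example.com/enabled"
SOURCE_NS_LABEL = "istio-sync.example.com/source-namespace"
SOURCE_NAME_LABEL = "istio-sync.example.com/source-name"
TARGET_NAMESPACE = "istio-system"


def _pem(kind: str, body: str) -> str:
    """Base64-encode a constructed PEM block the way the Secret API stores it."""
    pem = f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"
    return base64.b64encode(pem.encode()).decode()


def wants_sync(secret: dict) -> bool:
    """A user opts a secret in by annotating it; nothing is copied by default."""
    ann = secret.get("metadata", {}).get("annotations") or {}
    return ann.get(SYNC_ANNOTATION, "").lower() == "true"


def validate_tls_secret(secret: dict) -> list[str]:
    """Return a list of problems; empty means the secret is safe to mirror."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"type is {secret.get('type')!r}, expected kubernetes.io/tls")
    data = secret.get("data") or {}
    for key, kind in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
        raw = data.get(key)
        if raw is None:
            problems.append(f"missing data key {key}")
            continue
        try:
            text = base64.b64decode(raw, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{key} is not valid base64 text")
            continue
        # "PRIVATE KEY" also matches "RSA PRIVATE KEY" / "EC PRIVATE KEY" headers.
        if "-----BEGIN" not in text or kind not in text:
            problems.append(f"{key} does not look like a PEM {kind}")
    return problems


def mirror_name(namespace: str, name: str) -> str:
    """Prefix with the source namespace so team-a/web and team-b/web never collide."""
    mirrored = f"{namespace}-{name}"
    if len(mirrored) > 253:  # Kubernetes object name limit
        raise ValueError(f"mirrored name too long: {mirrored}")
    return mirrored


def build_mirror(secret: dict) -> dict:
    """Copy only the TLS keys (plus ca.crt if present) and stamp ownership labels."""
    md = secret["metadata"]
    data = {k: v for k, v in secret["data"].items() if k in ("tls.crt", "tls.key", "ca.crt")}
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
        "metadata": {
            "name": mirror_name(md["namespace"], md["name"]),
            "namespace": TARGET_NAMESPACE,
            "labels": {SOURCE_NS_LABEL: md["namespace"], SOURCE_NAME_LABEL: md["name"]},
        },
        "data": data,
    }


def reconcile(sources: list[dict], existing_in_target: list[dict]) -> dict:
    """Compute what to apply and delete in istio-system from the current cluster state."""
    desired, rejected = {}, {}
    for s in sources:
        if not wants_sync(s):
            continue
        problems = validate_tls_secret(s)
        key = f"{s['metadata']['namespace']}/{s['metadata']['name']}"
        if problems:
            rejected[key] = problems
            continue
        m = build_mirror(s)
        desired[m["metadata"]["name"]] = m
    existing = {e["metadata"]["name"]: e for e in existing_in_target}
    # Only mirrors we created (ownership label present) are ever candidates for deletion.
    managed = {n for n, e in existing.items() if SOURCE_NS_LABEL in (e["metadata"].get("labels") or {})}
    to_apply = [m for n, m in desired.items() if existing.get(n, {}).get("data") != m["data"]]
    to_delete = sorted(managed - desired.keys())
    return {"apply": to_apply, "delete": to_delete, "rejected": rejected}


# Constructed sample cluster state: two user namespaces and the current istio-system contents.
SAMPLE_SOURCES = [
    {"metadata": {"name": "shop-tls", "namespace": "team-a", "annotations": {SYNC_ANNOTATION: "true"}},
     "type": "kubernetes.io/tls",
     "data": {"tls.crt": _pem("CERTIFICATE", "MIIBconstructed"), "tls.key": _pem("PRIVATE KEY", "MIIEconstructed")}},
    {"metadata": {"name": "db-creds", "namespace": "team-b", "annotations": {SYNC_ANNOTATION: "true"}},
     "type": "Opaque", "data": {"password": "aHVudGVyMg=="}},
    {"metadata": {"name": "internal-tls", "namespace": "team-a"},  # not opted in
     "type": "kubernetes.io/tls",
     "data": {"tls.crt": _pem("CERTIFICATE", "MIIBother"), "tls.key": _pem("PRIVATE KEY", "MIIEother")}},
]
SAMPLE_EXISTING = [
    {"metadata": {"name": "team-c-old-tls", "namespace": TARGET_NAMESPACE,
                  "labels": {SOURCE_NS_LABEL: "team-c", SOURCE_NAME_LABEL: "old-tls"}},
     "type": "kubernetes.io/tls", "data": {"tls.crt": _pem("CERTIFICATE", "stale"), "tls.key": _pem("PRIVATE KEY", "stale")}},
    {"metadata": {"name": "admin-wildcard", "namespace": TARGET_NAMESPACE},  # no label: never deleted
     "type": "kubernetes.io/tls", "data": {"tls.crt": _pem("CERTIFICATE", "admin"), "tls.key": _pem("PRIVATE KEY", "admin")}},
]

if __name__ == "__main__":
    plan = reconcile(SAMPLE_SOURCES, SAMPLE_EXISTING)
    print("apply:", [m["metadata"]["name"] for m in plan["apply"]])
    print("delete:", plan["delete"])
    print("rejected:", plan["rejected"])
```

The user then references the mirrored name (here team-a-shop-tls) as the credentialName in their Gateway's TLS settings, which is how Istio looks the secret up in istio-system. The opt-in annotation is what keeps a misconfigured watch from silently copying every secret in every namespace into the gateway namespace.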