Installing Istio in EKS private subnets

Hello,

I’m trying to install Istio into EKS using worker nodes that are in private subnets.

I’m setting the ingress gateway service annotation to:

service.beta.kubernetes.io/aws-load-balancer-internal: "true"

Has anyone been able to successfully install Istio into private subnets on EKS?

A common error I’m seeing is:

[2019-07-19 18:21:49.910][69][critical][main] [external/envoy/source/server/server.cc:90] error initializing configuration '/etc/istio/proxy/envoy.yaml': Invalid path: /etc/certs/cert-chain.pem
Invalid path: /etc/certs/cert-chain.pem

Do I need to set the option for “enable certmanager” to true? Has anyone been able to get this working?