The problem we faced is that you have to give the complete chain while creating the secret. We use SIMPLE for the TLS settings, but hopefully this would work for ISTIO_MUTUAL as well.
Assuming your cert name is mycert.pfx, here is the command to get the complete chain:

    openssl pkcs12 -in mycert.pfx -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert_cert.pem
Here is the key command. Open the PEM and remove the Bag Attributes.

    openssl pkcs12 -in mycert.pfx -nocerts -nodes -out mycert_key.pem
So your secret command would look like this:

    kubectl create -n istio-system secret generic gkegatewaysecret \
      --from-file=key=./mycert_key.pem \
      --from-file=cert=./mycert_cert.pem
Your gateway YAML would look something like this:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: ingress-gateway
    spec:
      selector:
        istio: ingressgateway # use Istio default gateway implementation
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        tls:
          mode: ISTIO_MUTUAL
          credentialName: "gkegatewaysecret"
        hosts:
        - "*"

Hope that works.
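
An added example, not part of the original answer: a pre-flight check for the two PEM files before they go into the secret, covering the Bag Attributes clean-up and the complete-chain requirement described above. The function names are hypothetical and the sample files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: pre-flight checks on the two PEM files before running
# `kubectl create secret`. Function names are hypothetical.

# Keep only the PEM blocks, dropping the "Bag Attributes", "Key Attributes",
# subject= and issuer= lines that `openssl pkcs12` writes around them.
pem_blocks_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Count PEM blocks in file $1 whose label matches extended regex $2.
count_pem_blocks() {
    grep -Ec "^-----BEGIN ($2)-----" "$1" || true
}

# check_secret_inputs KEY_FILE CERT_FILE
# 0 = ok, 1 = not exactly one unencrypted key, 2 = stray text in key file,
# 3 = fewer than two certificates (leaf only, chain incomplete).
check_secret_inputs() {
    keys=$(count_pem_blocks "$1" '(RSA |EC )?PRIVATE KEY')
    certs=$(count_pem_blocks "$2" 'CERTIFICATE')
    [ "${keys:-0}" -eq 1 ] || { echo "$1: expected 1 private key, found ${keys:-0}" >&2; return 1; }
    pem_blocks_only "$1" | cmp -s - "$1" || { echo "$1: remove the Bag Attributes lines" >&2; return 2; }
    [ "${certs:-0}" -ge 2 ] || { echo "$2: ${certs:-0} certificate(s), chain incomplete" >&2; return 3; }
    return 0
}

# Constructed sample files (placeholder base64, not real key material).
make_samples() {
    dir=$1
    printf '%s\n' 'Bag Attributes' '    friendlyName: mycert' 'Key Attributes: <No Attributes>' \
        '-----BEGIN PRIVATE KEY-----' 'QUJDRA==' '-----END PRIVATE KEY-----' > "$dir/mycert_key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'SU5URVI=' '-----END CERTIFICATE-----' > "$dir/mycert_cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' > "$dir/leaf_only.pem"
}
```

Running `pem_blocks_only mycert_key.pem > clean_key.pem` does the manual Bag Attributes removal; `check_secret_inputs clean_key.pem mycert_cert.pem` should return 0 before the secret is created.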