Istio operator: pass ingress mTLS certs via files instead of secrets

I am trying to pass mTLS certs to istio ingress gateway via files and not via secrets. Vault init-container will store certs at


So I m trying to remove ‘secret’ element via patch like this

      - path: spec.template.spec.volumes[name:ingressgateway-ca-certs].emptyDir
        value: {}
      - path: spec.template.spec.volumes[name:ingressgateway-certs].emptyDir
        value: {}
      - path: spec.template.spec.volumes[name:ingressgateway-certs].secret
      - path: spec.template.spec.volumes[name:ingressgateway-certs].secret.secretName
      - path: spec.template.spec.volumes[name:ingressgateway-ca-certs].secret.secretName
      - path: spec.template.spec.volumes[name:ingressgateway-ca-certs].secret

but it is not working. Doc says, “For delete, value should be unset.”

istioctl manifest generate command still includes secret section. I also tried setting the value to “unset” but (as exptected) ended up using unset as literal value for secret name. Any pointers are appreciated.

Used this to delete it since vault sidecar will mount it.

- path: spec.template.spec.volumes[name:ingressgateway-ca-certs]         
- path: spec.template.spec.volumes[name:ingressgateway-certs]
1 Like

In the end it was easier to change the certificate path to something else instead of trying to use default path.

     - path: spec.servers[0].tls
         caCertificates: /etc/istio/ingressgateway-ca/certs/ca-chain.cert.pem
         mode: MUTUAL
         privateKey: /etc/istio/ingressgateway/certs/tls.key
         serverCertificate: /etc/istio/ingressgateway/certs/tls.crt