Istio + SDS + cert-manager (Let's Encrypt)


So I have a cluster with Istio/SDS + cert-manager via Let's Encrypt up and running. I haven't figured out how to deploy the certs automatically, though. Via the Kubernetes Ingress I could have something like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: http-svc
  namespace: web-svc
  annotations:
    # annotation key assumed: certmanager.k8s.io/issuer on cert-manager < 0.11,
    # cert-manager.io/issuer from 0.11 onwards
    certmanager.k8s.io/issuer: selfsigning-issuer  # just for testing
spec:
  tls:
  - hosts:
    - http-svc.poc.lan
    secretName: cert-http-svc.poc.lan  # cert-manager writes the issued cert/key here
  rules:
  - host: http-svc.poc.lan
    http:
      paths:
      - path: /
        backend:
          # This assumes http-svc exists and routes to healthy endpoints
          serviceName: http-svc
          servicePort: 80

and the cert would automatically be deployed/managed via cert-manager. How can I achieve this with Istio?

For SDS + cert-manager + Istio 1.x:
For HTTP01 here is a great post; however, it is not working well in 1.1, hoping it will be better in 1.2:

For DNS01 here is a great post by @prune; it seems to work well for many:

Sadly the Istio docs are not very clear on this. This post talks about cert-manager, but gives an example of a traditional Ingress at the end.

For HTTP01 check this topic as well: Using Gateway + VirtualService + http01 + SDS
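The Istio-side equivalent of the Ingress in the question, as an added example that is not from the original posts or from the Istio or cert-manager projects. It assumes: an SDS-enabled ingress gateway running in istio-system; a cert-manager Issuer named selfsigning-issuer in istio-system (hypothetical, mirroring the annotation in the question); the networking.istio.io/v1alpha3 Gateway/VirtualService API of Istio 1.1/1.2; and the certmanager.k8s.io/v1alpha1 Certificate API of pre-0.11 cert-manager (cert-manager.io/v1 on 1.x). The point the Ingress hides is that the Certificate, and therefore its secret, must be created in istio-system, because that is the namespace the gateway's SDS agent reads secrets from, and the Gateway's credentialName must equal the Certificate's secretName.

```yaml
# cert-manager issues into istio-system; the SDS agent on the ingress gateway
# watches secrets in that namespace, so the Certificate cannot live in web-svc.
apiVersion: certmanager.k8s.io/v1alpha1   # cert-manager.io/v1 on cert-manager 1.x
kind: Certificate
metadata:
  name: cert-http-svc.poc.lan
  namespace: istio-system
spec:
  secretName: cert-http-svc.poc.lan       # must equal the Gateway credentialName below
  issuerRef:
    name: selfsigning-issuer               # assumed Issuer, as in the Ingress annotation
    kind: Issuer
  commonName: http-svc.poc.lan
  dnsNames:
  - http-svc.poc.lan
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: http-svc-gateway
  namespace: web-svc
spec:
  selector:
    istio: ingressgateway                  # the SDS-enabled ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: cert-http-svc.poc.lan  # fetched over SDS, no volume mount / restart
    hosts:
    - http-svc.poc.lan
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true                  # plain-HTTP clients get a 301 to https
    hosts:
    - http-svc.poc.lan
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: http-svc
  namespace: web-svc
spec:
  hosts:
  - http-svc.poc.lan
  gateways:
  - http-svc-gateway
  http:
  - route:
    - destination:
        host: http-svc.web-svc.svc.cluster.local  # assumes http-svc exists in web-svc
        port:
          number: 80
```

Two caveats a practitioner should check before blaming Istio. First, the secret's key names: cert-manager writes a kubernetes.io/tls secret with tls.crt and tls.key, whereas the Istio 1.1/1.2 SDS gateway documentation creates a generic secret with keys named cert and key; confirm which names your release's SDS agent accepts (later releases accept both), because a mismatch leaves the gateway with no cert and no obvious error. Second, the httpsRedirect above breaks an HTTP01 challenge: the ACME validator fetches /.well-known/acme-challenge/ over plain port 80 and must reach cert-manager's solver service without a redirect, which is exactly the routing the linked "Gateway + VirtualService + http01 + SDS" topic deals with; a DNS01 solver sidesteps that entirely. Rotation after this setup is automatic: cert-manager renews into the same secret and SDS pushes the new cert to the gateway without a restart.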

Thanks for your reply.
As I said, the whole shebang (including mTLS) is working properly. The only missing part is automatic deployment of certs. I've spent days looking for a solution, but there is nada. So at this point I assume Istio doesn't support this. Which is sad, as this was the only thing holding us back from switching to Istio.
@AlexD also figured this out in the thread you mentioned.