Istio + SDS + cert-manager (Let's Encrypt)

Hi,

so I have a cluster with Istio/SDS + cert-manager via Let’s Encrypt up and running. I didn’t figure out how to deploy the certs automatically though. Via the Kubernetes Ingress I could have something like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: http-svc
  namespace: web-svc
  annotations:
    certmanager.k8s.io/cluster-issuer: selfsigning-issuer  # just for testing
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"
spec:
  tls:
  - hosts:
    - http-svc.poc.lan
    secretName: cert-http-svc.poc.lan
  rules:
  - host: http-svc.poc.lan
    http:
      paths:
      - path: /
        backend:
          # This assumes http-svc exists and routes to healthy endpoints
          serviceName: http-svc
          servicePort: 80

and the cert would automatically be deployed/managed via cert-manager. How can I achieve this with Istio?
Thanks

For SDS + cert-manager + Istio 1.x >
For HTTP01 here is a great post; however, it is not working well in 1.1, hoping it will be better in 1.2: https://medium.com/@gregoire.waymel/istio-cert-manager-lets-encrypt-demystified-c1cbed011d67

For DNS01 here is a great post by @prune; it seems to be working well for many:

Sadly the Istio docs are not very clear on this. This post talks about cert-manager https://istio.io/docs/tasks/traffic-management/ingress/ingress-certmgr/, however it gives an example of a traditional Ingress at the end.

For HTTP01 check this topic as well: Using Gateway + VirtualService + http01 + SDS

Thanks for your reply.
As I said, the whole shebang (including mTLS) is working properly. The only missing part is automatic deployment of certs. I’ve spent days looking for a solution but there is nada. So, at this point I assume Istio doesn’t support this. Which is sad, as this was the only thing holding us back from switching to Istio.
@AlexD also figured this out in the thread you mentioned.
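For readers landing on this thread later: the piece that replaces the Ingress annotation is that, with SDS, the Istio Gateway reads its serving certificate from the Kubernetes secret named by `credentialName`, so a cert-manager Certificate whose `secretName` is that same name is enough for cert-manager to issue and renew it; no Ingress object is involved. The manifests below are an added example written for this page, not code from any poster or from the Istio or cert-manager projects. They assume the ingress gateway runs in istio-system with SDS enabled, that the `selfsigning-issuer` ClusterIssuer from the original post exists, and that `http-svc` listens on port 80 in `web-svc`; the Gateway and VirtualService names are made up. The Certificate uses the `certmanager.k8s.io/v1alpha1` group that matches the annotation in the post; on cert-manager 1.0 and later the group is `cert-manager.io/v1` with the same fields.

```yaml
# Added example: cert-manager Certificate consumed by an Istio Gateway over SDS.
# Assumptions (not from the original thread): ingress gateway in istio-system
# with SDS enabled, ClusterIssuer "selfsigning-issuer" exists, http-svc:80 in web-svc.
apiVersion: certmanager.k8s.io/v1alpha1   # cert-manager.io/v1 on cert-manager >= 1.0
kind: Certificate
metadata:
  name: cert-http-svc.poc.lan
  namespace: istio-system                 # must be the ingress gateway's namespace
spec:
  secretName: cert-http-svc.poc.lan       # the Gateway's credentialName below
  dnsNames:
  - http-svc.poc.lan
  issuerRef:
    name: selfsigning-issuer              # swap for a Let's Encrypt ClusterIssuer in production
    kind: ClusterIssuer
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: http-svc-gateway                  # hypothetical name
  namespace: web-svc
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - http-svc.poc.lan
    tls:
      mode: SIMPLE
      credentialName: cert-http-svc.poc.lan   # fetched from istio-system via SDS
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - http-svc.poc.lan
    tls:
      httpsRedirect: true                 # plain HTTP gets a 301 to HTTPS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: http-svc                          # hypothetical name
  namespace: web-svc
spec:
  hosts:
  - http-svc.poc.lan
  gateways:
  - http-svc-gateway
  http:
  - route:
    - destination:
        host: http-svc.web-svc.svc.cluster.local
        port:
          number: 80
```

After applying, confirm `kubectl -n istio-system get certificate cert-http-svc.poc.lan` reports Ready and inspect the secret with `kubectl -n istio-system get secret cert-http-svc.poc.lan -o yaml`. cert-manager writes the keys `tls.crt` and `tls.key`, while the Istio 1.1 SDS gateway task created its secrets with keys named `cert` and `key`; if the secret exists but the gateway refuses the TLS handshake, that key-name mismatch is the first thing to check (later Istio releases accept the standard `tls.*` names). Two things this example deliberately leaves out: a real Let's Encrypt HTTP01 issuer additionally needs `/.well-known/acme-challenge/` routed through the Gateway to cert-manager's solver pod, which the threads linked above cover, and the nginx cookie-affinity annotations from the original Ingress have no Gateway equivalent; they map to a DestinationRule with `consistentHash.httpCookie` on the service.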