I have a requirement to establish an mTLS connection between 3 nginx servers; all will be using certs signed by different CAs, so I need to create 3 secrets on my side. Will Istio allow the use of multiple certs inside the same gateway configuration file?
I don't think so. You will have to use SDS or add other paths for your ingress gateway deployment.
Does this satisfy your requirement - https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/#configure-a-tls-ingress-gateway-for-multiple-hosts ?
You have to patch the ingress gateway if using file-mounted secrets. The procedure is easier for SDS, but it (SDS) is still an alpha-grade feature, … so be warned.
I didn't know SDS was still in alpha (if that means the same thing as "alpha-grade feature"). Where does it say that?
I'm looking here and couldn't find anything that says that, besides the ones in the apiVersion values, but I see those in the file-mount doc, too:
Thanks @vin_b. So there is no way for me to add multiple trusted stores in a single ingress gateway credential.
Basically my concern is: if my Istio ingress certs are signed by a different CA and my source nginx is signed by a different CA, will I not be able to establish mTLS?
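As an added illustration (not part of this thread or of the Istio docs), the shape of a single Gateway that follows the multiple-hosts pattern linked above with SDS: one `servers` entry per nginx peer, each with its own `credentialName`, so each peer's client certificate is validated only against the CA stored in that peer's secret. Host names, secret names and file names are constructed placeholders.

```yaml
# Added example, not from the thread: one Gateway with one server block per
# peer, each referencing its own Kubernetes secret via SDS (credentialName).
# Host names, secret names and file names are constructed placeholders.
#
# Each secret carries that peer's server cert/key plus the CA that signed the
# peer's client cert, so the trust store is scoped to one host (assumed
# secret layout: key, cert, cacert):
#   kubectl create -n istio-system secret generic nginx-a-credential \
#     --from-file=key=nginx-a.key --from-file=cert=nginx-a.crt \
#     --from-file=cacert=ca-a.crt
#   (repeat for nginx-b-credential / ca-b.crt and nginx-c-credential / ca-c.crt)
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: multi-ca-mtls-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-nginx-a      # port names must be unique within the Gateway
      protocol: HTTPS
    hosts:
    - nginx-a.example.com
    tls:
      mode: MUTUAL             # client cert required, checked against cacert
      credentialName: nginx-a-credential
  - port:
      number: 443
      name: https-nginx-b
      protocol: HTTPS
    hosts:
    - nginx-b.example.com
    tls:
      mode: MUTUAL
      credentialName: nginx-b-credential
  - port:
      number: 443
      name: https-nginx-c
      protocol: HTTPS
    hosts:
    - nginx-c.example.com
    tls:
      mode: MUTUAL
      credentialName: nginx-c-credential
```

The ingress selects the server block by the SNI host the connecting nginx presents, so a client certificate issued by CA A is only accepted on `nginx-a.example.com` and is rejected on the other two hosts. The file-mount alternative uses `serverCertificate`, `privateKey` and `caCertificates` paths in place of `credentialName`, which is why the gateway deployment then needs extra volume mounts patched in. A quick check per peer is `openssl s_client -servername nginx-a.example.com -cert nginx-a-client.crt -key nginx-a-client.key -CAfile ingress-ca.crt -connect <ingress-ip>:443` and confirming the handshake completes only for the matching host.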