I have a Lumen PHP app that provides an API and it does its own SSL termination. How would I configure the Gateway, and VirtualService to allow SSL but terminate at the application? Second question is what are the downsides of doing this vs. terminating at the Istio Ingress Gateway?
you need to use the SSL passthrough option in the Gateway resource and then use the sni directive in the Virtualservice as explained here: https://istio.io/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/
Hope it helps,