Istio + Kubernetes: Gateway more than one TLS Certificate
As described in the Istio documentation, it's possible.
In this section you will configure an ingress gateway for multiple hosts, httpbin.example.com and bookinfo.com.
So you need to create private keys, in this example, for bookinfo and httpbin, and update istio-ingressgateway.
I created them both and they exist.
bookinfo certs and gateway
kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-bookinfo-certs
lrwxrwxrwx 1 root root 14 Jan 3 10:12 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root 14 Jan 3 10:12 tls.key -> ..data/tls.key

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-bookinfo
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-bookinfo-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-bookinfo-certs/tls.key
    hosts:
    - "bookinfo.com"
httpbin certs and gateway
kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs
lrwxrwxrwx 1 root root 14 Jan 3 10:07 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root 14 Jan 3 10:07 tls.key -> ..data/tls.key

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin.example.com"
Haven't made a full reproduction to check if they both work, but if that won't work for you I will try to make it and update the question.
This link might be helpful.
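The two Gateway manifests above share one ingressgateway workload and one port (443), so they only coexist if nothing on that port collides. The following pre-apply check is an added example, not code from the answer or from Istio; it encodes as assumptions the constraints the answer's manifests already respect (distinct server port names, disjoint host lists, and a serverCertificate plus privateKey for every SIMPLE TLS server), with the manifests mirrored as Python dicts.

```python
from collections import defaultdict

# Constructed to mirror the two Gateway manifests posted in the answer.
BOOKINFO_GW = {"metadata": {"name": "bookinfo-gateway"},
               "spec": {"selector": {"istio": "ingressgateway"},
                        "servers": [{"port": {"number": 443, "name": "https-bookinfo", "protocol": "HTTPS"},
                                     "tls": {"mode": "SIMPLE",
                                             "serverCertificate": "/etc/istio/ingressgateway-bookinfo-certs/tls.crt",
                                             "privateKey": "/etc/istio/ingressgateway-bookinfo-certs/tls.key"},
                                     "hosts": ["bookinfo.com"]}]}}
HTTPBIN_GW = {"metadata": {"name": "httpbin-gateway"},
              "spec": {"selector": {"istio": "ingressgateway"},
                       "servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                                    "tls": {"mode": "SIMPLE",
                                            "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
                                            "privateKey": "/etc/istio/ingressgateway-certs/tls.key"},
                                    "hosts": ["httpbin.example.com"]}]}}


def check_gateways(gateways):
    """Return a list of problems for Gateways sharing a selector and port; [] means consistent.

    Rules are assumptions for this example: unique port names per shared port,
    no host claimed by two servers, and complete SIMPLE TLS credentials.
    """
    problems = []
    by_port = defaultdict(list)  # (selector, port number) -> [(gateway name, server)]
    for gw in gateways:
        name = gw["metadata"]["name"]
        selector = tuple(sorted(gw["spec"]["selector"].items()))
        for srv in gw["spec"]["servers"]:
            port, tls = srv["port"], srv.get("tls", {})
            if port["protocol"] == "HTTPS" and tls.get("mode") == "SIMPLE":
                for key in ("serverCertificate", "privateKey"):
                    if not tls.get(key):
                        problems.append(f"{name}: SIMPLE TLS on port {port['number']} is missing {key}")
            by_port[(selector, port["number"])].append((name, srv))
    for (_, number), entries in by_port.items():
        seen_names, seen_hosts = {}, {}  # value -> gateway that first used it
        for name, srv in entries:
            port_name = srv["port"]["name"]
            if port_name in seen_names:
                problems.append(f"{name}: port name '{port_name}' on {number} already used by {seen_names[port_name]}")
            seen_names.setdefault(port_name, name)
            for host in srv["hosts"]:
                if host in seen_hosts:
                    problems.append(f"{name}: host '{host}' on {number} already served by {seen_hosts[host]}")
                seen_hosts.setdefault(host, name)
    return problems
```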