Using GKE with integrated Istio, is it possible to use a Google-managed certificate for the ingress gateway?
When the cluster is created, the ingress is already present. I don't see how to inject it other than by managing a secret and linking it to the Istio gateway.
Is this a good way or do you know something simpler?
Thanks!
Managing certs via an optional secret (named: istio-ingressgateway-ca-certs) is the way recommended by Istio, as described here. The Istio gateway will load the secret automatically.
You can also redeploy the default istio-ingressgateway with new certificates, with the help of the Helm tool (guide link here).
The official GCP documentation also suggests, along those lines, creating new ingress resources (see the "Adding gateways" paragraph), to avoid any customizations made to the default Istio-GKE being wiped out during auto-upgrades.
So the other option for you is to create a custom-ingress-gateway with Google-managed certs, and link it later in Virtual Services, as explained in this blog post. To ease creation of the manifest file for the custom ingress gateway, you can also use the helm template command* from the guide linked above - "Redeploy istio-ingressgateway with the new certificates".
*Don't forget to change its name in the metadata of the resulting file.