Best way to support SSL/HTTPS for customer-driven custom domains

12/18/2020

I've got a Kubernetes cluster (kops-based) running in AWS. Traffic comes in through an Elastic Load Balancer provisioned by Istio ingress gateway resources. I'd really like to be able to allow customers to set up custom DNS for their portals within my app, but I'm not sure what a best-practice approach would be for SSL/HTTPS.

The basic flow is clear: get the customer to enter their domain, issue a certificate, verify the domain, route traffic through. Unfortunately I'm having trouble with SSL termination.

My naïve approach was to simply provision new ACM certificates and attach them to my ELB, but there's a limit of 25 certs per ELB, meaning it won't ever work at scale. I could provision a new ELB for each customer, but that would get expensive very quickly. Provisioning one ELB per 25 customers would be a juggling act I'm not excited about.

I read this writeup of how Etsy set up their system, and they create proxy servers that run Apache and route back to app servers. I've also read of similar setups using Nginx. It seems like that may be the best road to go down, but I'd love to hear about other options - preferably some use of managed AWS services.

What would be the best way to move forwards? I'm stuck using Istio for normal Kubernetes ingress and AWS as my cloud provider, but I'm open to almost any route that's cheap and scalable.

Edit: Since I created this question, I've found this related question: https://stackoverflow.com/questions/46699297/multi-tenant-application-on-aws-multiple-ssl-certificate-installation-strategi?rq=1. The answers in there are great, but I'm much more cost-averse than they are.

Edit 2: It looks like AWS API Gateway --> Lambda --> internal API request is another possibility that I'm not sure is mentioned elsewhere. In that case, as long as fewer than ~3M requests are made per month, it's cheaper from what I'm seeing.

-- ZECTBynmo
amazon-web-services
certificate
istio
kubernetes
ssl
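An added example (not from the question or any answer) of the "terminate TLS behind the load balancer" approach using the Istio the asker already runs: the ELB becomes a plain TCP listener on 443 and the Istio ingress gateway picks a per-customer certificate by SNI, so the ACM per-ELB certificate limit no longer applies. Names are assumptions: `customer-a-tls`/`customer-b-tls` are `kubernetes.io/tls` Secrets in `istio-system`, `portal.app.svc.cluster.local:8080` is the tenant portal Service, and a host is only added to the Gateway after the domain-ownership verification step the question mentions, so one tenant cannot capture traffic for another tenant's domain.

```yaml
# Istio ingress Gateway terminating TLS per customer host via SNI.
# Assumed names (not from the question): customer-a-tls / customer-b-tls
# are kubernetes.io/tls Secrets in istio-system, the namespace of the
# istio-ingressgateway pods. The ELB in front must be a TCP listener on
# 443 (no aws-load-balancer-ssl-cert annotation on the gateway Service),
# otherwise the ELB, not Istio, terminates TLS and the 25-cert limit returns.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: customer-domains
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["*"]
    tls:
      httpsRedirect: true            # never serve a portal over plain HTTP
  - port: {number: 443, name: https-customer-a, protocol: HTTPS}
    hosts: ["portal.customer-a.example"]   # added only after ownership is verified
    tls:
      mode: SIMPLE
      credentialName: customer-a-tls       # SNI selects this cert/key pair
      minProtocolVersion: TLSV1_2
  - port: {number: 443, name: https-customer-b, protocol: HTTPS}
    hosts: ["app.customer-b.example"]
    tls:
      mode: SIMPLE
      credentialName: customer-b-tls
      minProtocolVersion: TLSV1_2
---
# Route one verified customer host to the tenant portal Service
# (assumed: portal.app.svc.cluster.local on port 8080).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: customer-a-portal
  namespace: istio-system
spec:
  hosts: ["portal.customer-a.example"]
  gateways: ["customer-domains"]
  http:
  - route:
    - destination:
        host: portal.app.svc.cluster.local
        port: {number: 8080}
```

Onboarding a new customer then means creating one Secret and appending one `servers` entry plus one VirtualService, which is scriptable from the app's domain-verification flow; the Secret must live in the gateway's namespace or the `credentialName` lookup silently fails and the gateway serves no certificate for that host.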

1 Answer

12/20/2020
-- Tummala Dhanvi
Source: StackOverflow