How do you handle secrets and certificates for the ingress gateway (TLS termination)?
Istio & Service Mesh · Advanced level
Answer
For ingress gateway TLS termination, I store certificates as Kubernetes TLS secrets or use a certificate manager integration, reference them from the Gateway using credentialName, and restrict secret access to the gateway namespace and platform automation.
Technical explanation
cert-manager is commonly used to automate issuance and renewal from an internal CA or ACME provider.
Gateway TLS mode SIMPLE terminates TLS at the gateway; PASSTHROUGH keeps TLS to the backend and uses SNI routing.
Secret governance matters: only approved automation should create or rotate gateway certificates.
Hands-on example
TLS secret example:
$ kubectl -n istio-ingress create secret tls app-tls --cert=tls.crt --key=tls.key
Gateway snippet:
tls:
  mode: SIMPLE
  credentialName: app-tls
hosts:
- app.example.com
Validate:
$ openssl s_client -connect app.example.com:443 -servername app.example.com </dev/null
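The technical explanation above (SIMPLE versus PASSTHROUGH, and the rule that only approved automation should create gateway certificates) and the hands-on steps can be turned into a repeatable check. The following is an added example, not code from the original page or from the Istio project: it audits Gateway servers against the Secrets their credentialName points at, using the JSON shape that `kubectl get gateways.networking.istio.io -A -o json` and `kubectl get secrets -n istio-ingress -o json` return. The sample Gateway and Secret objects are constructed for the example; the hostnames, the secret names other than app-tls, and the use of the `cert-manager.io/certificate-name` annotation as the "approved automation" marker are assumptions for the demonstration.

```python
"""Audit Istio Gateway TLS servers against the Secrets they reference.

Added example (not from the page or the Istio project). Input is the "items"
list from `kubectl get ... -o json`; the objects below are constructed.
"""
import json

# TLS modes that terminate at the gateway and therefore need a credentialName.
TERMINATING_MODES = {"SIMPLE", "MUTUAL", "OPTIONAL_MUTUAL"}

# Assumed marker of "approved automation": cert-manager stamps this annotation
# on Secrets it manages. A Secret without it was created by hand (as with the
# `kubectl create secret tls` step) and will not be rotated automatically.
CERT_MANAGER_ANNOTATION = "cert-manager.io/certificate-name"


def check_tls_secret(secret, mode):
    """Structural and governance checks on one Secret used by credentialName."""
    out = []
    name = secret["metadata"]["name"]
    data = secret.get("data", {})
    for key in ("tls.crt", "tls.key"):
        if not data.get(key):
            out.append(("ERROR", f"secret {name} is missing {key}"))
    # Assumption: for MUTUAL modes the client CA bundle is stored under ca.crt
    # (or the older cacert key) in the same Secret.
    if mode in ("MUTUAL", "OPTIONAL_MUTUAL") and not (data.get("ca.crt") or data.get("cacert")):
        out.append(("ERROR", f"secret {name} has no ca.crt for mode {mode}"))
    if CERT_MANAGER_ANNOTATION not in secret["metadata"].get("annotations", {}):
        out.append(("WARN", f"secret {name} lacks {CERT_MANAGER_ANNOTATION}; "
                            "created outside cert-manager, rotation is manual"))
    return out


def audit_gateway_tls(gateways, secrets, gateway_namespace):
    """Return (severity, message) findings; an empty list means clean."""
    # credentialName is resolved in the namespace where the ingress gateway runs.
    secrets_by_name = {s["metadata"]["name"]: s for s in secrets
                       if s["metadata"].get("namespace") == gateway_namespace}
    findings = []
    for gw in gateways:
        gw_id = f'{gw["metadata"]["namespace"]}/{gw["metadata"]["name"]}'
        for server in gw["spec"].get("servers", []):
            port = server.get("port", {})
            if port.get("protocol") not in ("HTTPS", "TLS"):
                continue  # plain HTTP/TCP servers carry no TLS block
            where = f"{gw_id} server {port.get('name')} hosts={server.get('hosts', [])}"
            tls = server.get("tls")
            if tls is None:
                findings.append(("ERROR", f"{where}: HTTPS/TLS server without a tls block"))
                continue
            mode, cred = tls.get("mode", ""), tls.get("credentialName")
            if mode == "PASSTHROUGH":
                # Nothing is terminated here: the gateway only routes on SNI, so a
                # credentialName is dead config and usually signals intent for SIMPLE.
                if cred:
                    findings.append(("WARN", f"{where}: PASSTHROUGH does not terminate TLS, "
                                             f"credentialName={cred} is ignored"))
                continue
            if mode not in TERMINATING_MODES:
                findings.append(("ERROR", f"{where}: unexpected tls.mode {mode!r}"))
                continue
            if not cred:
                findings.append(("ERROR", f"{where}: mode {mode} requires credentialName"))
                continue
            secret = secrets_by_name.get(cred)
            if secret is None:
                findings.append(("ERROR", f"{where}: secret {gateway_namespace}/{cred} not found"))
                continue
            findings.extend((sev, f"{where}: {msg}") for sev, msg in check_tls_secret(secret, mode))
    return findings


# Constructed sample input (base64 values are truncated placeholders).
SAMPLE_GATEWAYS = json.loads("""
{"items": [
 {"metadata": {"name": "app-gateway", "namespace": "istio-ingress"},
  "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
   {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
    "hosts": ["app.example.com"], "tls": {"mode": "SIMPLE", "credentialName": "app-tls"}},
   {"port": {"number": 8443, "name": "tls-passthrough", "protocol": "TLS"},
    "hosts": ["vault.example.com"], "tls": {"mode": "PASSTHROUGH", "credentialName": "app-tls"}},
   {"port": {"number": 443, "name": "https-legacy", "protocol": "HTTPS"},
    "hosts": ["legacy.example.com"], "tls": {"mode": "SIMPLE", "credentialName": "legacy-tls"}},
   {"port": {"number": 443, "name": "https-new", "protocol": "HTTPS"},
    "hosts": ["new.example.com"], "tls": {"mode": "SIMPLE", "credentialName": "new-tls"}}]}}]}
""")["items"]

SAMPLE_SECRETS = json.loads("""
{"items": [
 {"metadata": {"name": "app-tls", "namespace": "istio-ingress",
   "annotations": {"cert-manager.io/certificate-name": "app-tls"}},
  "type": "kubernetes.io/tls", "data": {"tls.crt": "LS0tLS1CRUdJTi4uLg==", "tls.key": "LS0tLS1CRUdJTi4uLg=="}},
 {"metadata": {"name": "legacy-tls", "namespace": "istio-ingress"},
  "type": "kubernetes.io/tls", "data": {"tls.crt": "LS0tLS1CRUdJTi4uLg==", "tls.key": ""}},
 {"metadata": {"name": "new-tls", "namespace": "default"},
  "type": "kubernetes.io/tls", "data": {"tls.crt": "LS0tLS1CRUdJTi4uLg==", "tls.key": "LS0tLS1CRUdJTi4uLg=="}}]}
""")["items"]

if __name__ == "__main__":
    for severity, message in audit_gateway_tls(SAMPLE_GATEWAYS, SAMPLE_SECRETS, "istio-ingress"):
        print(f"[{severity}] {message}")
```

Run against the constructed input, the audit reports four findings: the PASSTHROUGH server carrying a credentialName, the legacy Secret with an empty tls.key, that same Secret lacking the cert-manager annotation (the governance gap the explanation describes), and a credentialName whose Secret lives in the wrong namespace. The namespace rule is the point of the `-n istio-ingress` in the kubectl step above: a Secret in the application namespace is never seen by the ingress gateway.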