Reputation: 1412
I am trying to pass mTLS certs to istio ingress gateway via files and not via secrets. Vault init-container will store certs at
/etc/istio/ingressgateway-certs/tls.key
/etc/istio/ingressgateway-certs/tls.cert
/etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem
So I'm trying to remove the secret element via a patch like this:
- path: spec.template.spec.volumes[name:ingressgateway-ca-certs].emptyDir
  value: {}
- path: spec.template.spec.volumes[name:ingressgateway-certs].emptyDir
  value: {}
- path: spec.template.spec.volumes[name:ingressgateway-certs].secret
- path: spec.template.spec.volumes[name:ingressgateway-certs].secret.secretName
- path: spec.template.spec.volumes[name:ingressgateway-ca-certs].secret.secretName
- path: spec.template.spec.volumes[name:ingressgateway-ca-certs].secret
but it is not working. The doc says, "For delete, value should be unset."
https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#K8sObjectOverlay-PathValue
The istioctl manifest generate command still includes the secret section. I also tried setting the value to "unset", but (as expected) it ended up using unset as the literal value for the secret name. Any pointers are appreciated.
Upvotes: 1
Views: 199
Reputation: 1412
I used this to delete it, since the vault sidecar will mount it:
- path: spec.template.spec.volumes[name:ingressgateway-ca-certs]
- path: spec.template.spec.volumes[name:ingressgateway-certs]
But in the final solution, I configured and rendered the certificates at a different path to avoid conflicts with the default paths. E.g.
/etc/istio/ingressgateway/certs/tls.key
/etc/istio/ingressgateway/certs/tls.cert
/etc/istio/ingressgateway/ca-certs/ca-chain.cert.pem
Upvotes: 2
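The answer's final approach (leave the default secret-backed volumes alone and render the Vault certificates at a different path) written out as a complete IstioOperator overlay plus the Gateway that reads the files. This is an added example, not code from the original question or answer and not Istio's own documentation: the IstioOperator name, the `vault-certs` volume name, the Gateway name and the `*.example.com` host are assumptions; `istio-ingressgateway` and the `istio-proxy` container are Istio's default names, the `[name:...]` selector is the syntax the question already uses, and the `[-1]` index is Istio's overlay syntax for appending to a list. The Vault init container that writes into the volume is not shown, since the page does not say how it is injected; whatever injects it must mount `vault-certs` at the same path.

```yaml
# Added example (not from the original post): keep Istio's default
# ingressgateway-certs / ingressgateway-ca-certs volumes untouched and add a
# separate emptyDir for the Vault-rendered files at the answer's non-default path.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: ingressgateway-file-certs        # ASSUMED name
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway         # Istio's default gateway component
        enabled: true
        k8s:
          overlays:
            - kind: Deployment
              name: istio-ingressgateway
              patches:
                # Append (index -1) a memory-backed emptyDir; the Vault init
                # container writes into it, the proxy reads from it.
                - path: spec.template.spec.volumes[-1]
                  value:
                    name: vault-certs        # ASSUMED volume name
                    emptyDir:
                      medium: Memory         # keep the private key off disk
                # Mount it read-only into the proxy at the non-default path.
                - path: spec.template.spec.containers[name:istio-proxy].volumeMounts[-1]
                  value:
                    name: vault-certs
                    mountPath: /etc/istio/ingressgateway
                    readOnly: true
---
# Gateway consuming the files (file-based TLS, mutual mode). The paths are
# the answer's layout: certs/ and ca-certs/ under /etc/istio/ingressgateway.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mtls-gateway                       # ASSUMED name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*.example.com"                  # ASSUMED host
      tls:
        mode: MUTUAL                       # client certificates required
        serverCertificate: /etc/istio/ingressgateway/certs/tls.cert
        privateKey: /etc/istio/ingressgateway/certs/tls.key
        caCertificates: /etc/istio/ingressgateway/ca-certs/ca-chain.cert.pem
```

Check the rendered Deployment with `istioctl manifest generate -f ingressgateway-file-certs.yaml` and look for the `/etc/istio/ingressgateway` mount next to the untouched `ingressgateway-certs` volume. The example deliberately does not delete the default volumes: the proxy container still declares volumeMounts for them by name, and Kubernetes rejects a pod spec whose volumeMount refers to a volume that no longer exists, so removing only the volume entries (as in the answer's first attempt) needs the matching mounts removed too. Under `mode: MUTUAL` the `caCertificates` file is the trust anchor for client certificates, so `ca-chain.cert.pem` should contain only the issuing chain you intend to accept.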