When we migrated from Ingress to Gateway API, developers lost the ability to manage their own TLS certificates. I spent an afternoon getting ListenerSets to work with Envoy Gateway and cert-manager. Here’s every wrong turn I made so you don’t have to.