(SPIKE) Identify multiple ingress design that meets the desired outcome

Evaluate the discussion in platform-one/big-bang&73 as well as the following derived requirements to design a concept for how multiple ingress gateways would be setup to meet the following requirements. This includes both changes to Istio and recommended changes to the infrastructure to support the settings.

• Ability to independently control endpoint access to customer facing applications (e.g. Gitlab) and administrator only applications (e.g. Grafana, Kibana) through Layer 3/4 segmentation. For example, customer facing applications may be available from the internet while admin applications are available via an IP whitelist, VPN, or internal network.
• Ability to simultaneously allow TLS passthrough and TLS terminated applications in the same cluster (e.g. Keycloak). Currently, this is done by having a subdomain for administration applications and non-overlapping certificates. This solution should expand this to being able to create two public IP addresses for each set of apps, while staying in the same domain and using a single wildcard cert.
• Isolation of package Virtual Services to avoid a single package misconfiguration taking down an entire Gateway. This requires a 1:1 ratio of Virtual Services to Istio's Gateway resource. But, Gateways can all still use a many-to-one architecture to the Ingress Gateway resource.
• Ability for developers and CI to deploy using a single IP to all applications. This solution should work with any CNCF conformant k8s
• A simple quickstart for BigBang that doesn't require multiple load balancer setup. This is likely accomplished by the developer / CI requirement for a single IP above.
• Multiple ingress gateways shall be configurable such that it can be turned on or off. If off, Big Bang would deploy like it does today.
• (Nice to Have) Multiple ingress gateways should be scalable to include more or less ingress gateways to meet the consumer's demands
• Istio Gateway resources control TLS mode (termination/passthrough) and certificates. Each gateway shall be able to be independently configured for these items
• Istio Gateway resources should have configuration that allows the consumer to map it to an Ingress Gateway
• Packages shall be responsible for creating their own Gateways and Virtual Services with the appropriate host names and ports
• Each Gateway/VirtualService combination can disabled via a flag in Big Bang.