FYI the gcp classic release 5 days ago appears to have added a crucial missing resource (gkehub.FeatureMembership) for setting up fully managed Anthos Service Mesh. After some serious confusion I found that managed control plane was disabled. now it appears you use the following for full setup:

// enable anthos service mesh
    const gkehubApi = new gcp.projects.Service('gkehubApi', {
        service: '<http://gkehub.googleapis.com|gkehub.googleapis.com>',
        disableOnDestroy: false,
    })

    const meshConfigApi = new gcp.projects.Service('meshConfigApi', {
        service: '<http://meshconfig.googleapis.com|meshconfig.googleapis.com>',
        disableOnDestroy: false,
    })

    const meshCaApi = new gcp.projects.Service('meshCaApi', {
        service: '<http://meshca.googleapis.com|meshca.googleapis.com>',
        disableOnDestroy: false,
    })

    const feature = new gcp.gkehub.Feature(
        'anthosServiceMesh',
        {
            name: 'servicemesh',
            location: 'global',
        },
        { dependsOn: [gkehubApi, meshConfigApi, meshCaApi] }
    )

    const membership = new gcp.gkehub.Membership(
        'anthosServiceMeshMembership',
        {
            membershipId: 'cluster-mesh-membership',
            endpoint: {
                gkeCluster: {
                    resourceLink: pulumi.interpolate`//container.googleapis.com/${cluster.id}`,
                },
            },
        },
        { dependsOn: [feature] }
    )

    const featureMembership = new gcp.gkehub.FeatureMembership('anthosServiceMeshFeatureMembership', {
        feature: feature.name,
        membership: membership.name,
        location: 'global',
        mesh: {
            management: 'MANAGEMENT_AUTOMATIC',
        },
    })
    const istioNS = new k8s.core.v1.Namespace(
        'istioNS',
        {
            metadata: {
                name: 'istio-system',
            },
        },
        { provider: clusterProvider, dependsOn: [clusterProvider] }
    )

    const cpr = new k8s.apiextensions.CustomResource(
        'meshControlPlaneRevision',
        {
            apiVersion: '<http://mesh.cloud.google.com/v1beta1|mesh.cloud.google.com/v1beta1>',
            kind: 'ControlPlaneRevision',
            metadata: {
                name: 'asm-managed',
                namespace: istioNS.metadata.name,
                annotations: {
                    '<http://mesh.cloud.google.com/vpcsc|mesh.cloud.google.com/vpcsc>': 'false',
                },
                labels: {
                    '<http://mesh.cloud.google.com/managed-cni-enabled|mesh.cloud.google.com/managed-cni-enabled>': 'true',
                },
            },
            spec: {
                type: 'managed_service',
                channel: 'regular',
            },
        },
        { provider: clusterProvider, dependsOn: [clusterProvider] }
    )

also, this has been imperfect but helpful for setting up an istio gateway to work with a gke Ingress + Managed Cert. GCLB communicates with backends in a secure context, and they don't validate certificates between GCLB frontend and the backend in your cluster, presumably because they already mitigate the possibility of MITM attacks in this context, so you provide your istio gateway with a self-signed cert according to google's docs (no link right now, sorry edit: some links: https://cloud.google.com/architecture/exposing-service-mesh-apps-through-gke-ingress/deployment#install_the_self-signed_ingress_gateway_certificate , https://cloud.google.com/load-balancing/docs/ssl-certificates/encryption-to-the-backends#secure_backend_protocol_considerations)