Citadel CA root key

Hi,

When using Istio on Kubernetes, keys and certificates for each service account are stored as Kubernetes secrets.

However, how is the Citadel CA root key stored? Or is there no such root key, and service account certificates are not signed by any root?

Thank you,
Peter

Citadel CA’s key is self-signed and stored in a k8s secret so far. In the long term, we plan to move it to an HSM for better protection.
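To make the answer above concrete, here is an added Go example; it is not Istio's code and does not reproduce Citadel's implementation. It builds a self-signed root the way a Citadel-style CA would (the root certificate is signed with the root's own key, so nothing above it vouches for it), signs a workload certificate carrying a SPIFFE URI for a service account with that key, lays the root out as the base64 `data` map of a Kubernetes Secret, and checks that the workload certificate verifies only against that root. The secret key names (`ca-cert.pem`, `ca-key.pem`), the organization name and the SPIFFE ID are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

type RootCA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// signCert sets a random serial and validity window, then signs tmpl with signer.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey, ttl time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	tmpl.NotAfter = time.Now().Add(ttl)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSelfSignedRoot signs the root with its own key: template and parent are the same object.
func NewSelfSignedRoot(org string, ttl time.Duration) (*RootCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{Organization: []string{org}},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key, ttl)
	if err != nil {
		return nil, err
	}
	return &RootCA{Key: key, Cert: cert}, nil
}

// IssueWorkloadCert signs a leaf carrying a SPIFFE URI SAN with the root key.
func (ca *RootCA) IssueWorkloadCert(id *url.URL, ttl time.Duration) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{KeyUsage: x509.KeyUsageDigitalSignature, URIs: []*url.URL{id}}
	return signCert(tmpl, ca.Cert, &leafKey.PublicKey, ca.Key, ttl)
}

// SecretData lays the root out like the "data" map of a Kubernetes Secret: base64 of PEM
// keyed by file name (names assumed). Whoever can read this map holds the root key.
func (ca *RootCA) SecretData() (map[string]string, error) {
	keyDER, err := x509.MarshalECPrivateKey(ca.Key)
	if err != nil {
		return nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return map[string]string{
		"ca-cert.pem": base64.StdEncoding.EncodeToString(certPEM),
		"ca-key.pem":  base64.StdEncoding.EncodeToString(keyPEM),
	}, nil
}

// ChainsToRoot verifies leaf with root as the only trust anchor.
func ChainsToRoot(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	ca, err := NewSelfSignedRoot("cluster.local", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	leaf, err := ca.IssueWorkloadCert(&url.URL{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/default/sa/default"}, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("root self-signed:", ca.Cert.CheckSignatureFrom(ca.Cert) == nil, "leaf chains to root:", ChainsToRoot(leaf, ca.Cert) == nil)
}
```

The practical point of the `SecretData` step is that the trust of every workload certificate in the mesh rests on a private key that is only as protected as read access to that Secret (RBAC, etcd at rest, backups); a second, independently generated root will not validate the leaf, which is why where that one key lives matters.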

Thank you for your quick reply, Tao.

I don’t understand how Istio can move keys to an HSM. An HSM is a special hardware (or nowadays sometimes virtualized) device, and in many cases it will not be available. So, if anything, I suppose Istio is planning to add support for HSMs, but not planning to move keys to an HSM. Is my understanding correct?

Also, is it documented somewhere that the Citadel CA key is stored as a k8s secret? If not, would you mind pointing me to the relevant piece of code?

Thank you so much.

The detail of HSM is yet to be figured out.

This is the CA’s key: https://github.com/istio/istio/blob/8d82dbe6377f2ab8ea24a12b9ef0c0a1f7cd2f13/security/pkg/pki/ca/ca.go#L46