I don’t understand how Istio can move keys to an HSM. An HSM is a special hardware (or nowadays sometimes virtualized) device, and in many cases it will not be available. So, if anything, I suppose Istio is planning to add support for HSMs, but not planning to move keys to an HSM. Is my understanding correct?
Also, is it documented somewhere that the Citadel CA key is stored as a k8s secret? If not, would you mind pointing me to the relevant piece of code?