Other options than Citadel for Envoy sidecar certificate management in the Kubernetes case, such as cert-manager?



I am not referring to the case of Istio Gateway for ingress traffic, but to the Envoy sidecar certificate. From this link https://istio.io/docs/concepts/security/#kubernetes-scenario, it seems that cert-manager should be able to handle all the listed items. My questions are: 1) Is it possible to replace Citadel with cert-manager? 2) Is it a good practice to do so?

The reasons why we are looking at other options such as cert-manager are:

  1. We already have the HashiCorp Vault PKI provider in our K8s, and cert-manager integrates with it well.
  2. We’d like to store the CA/key in Vault for security reasons.
  3. cert-manager can support many CA issuers; we might have to customize the sidecars in different namespaces (or environments) to use different CAs.




Sorry for the late reply.

  1. It’s possible to replace Citadel with cert-manager.
  2. I don’t think it’s a good practice though, compared with the SDS approach we are starting to support, because of the 3 reasons listed here: https://istio.io/docs/tasks/security/auth-sds/

Your #3 reason sounds interesting. Currently our Citadel agent doesn’t support distinguishing workload namespaces and talking to different CAs for cert requests, but we could support it.



Thanks Oliver,

Regarding your comment, is there any roadmap to support multiple CAs?



There’s no roadmap for that yet. We may justify the priority based on user feedback, likely after 1.2. We welcome anyone from the community to contribute to Istio. Taking this approach may make it happen sooner.