I am not referring to the case of the Istio Gateway for ingress traffic, but to the Envoy sidecar certificate. From this link https://istio.io/docs/concepts/security/#kubernetes-scenario, it seems that cert-manager should be able to handle all the listed items. My questions are: 1) Is it possible to replace Citadel with cert-manager? 2) Is it a good practice to do so?
The reasons why we are looking at others such as cert-manager are:
- We already have the HashiCorp Vault PKI provider in our K8S, and cert-manager integrates with it well.
- We’d like to store the CA/key in Vault for security reasons.
- Cert-manager can support many CA issuers; we might have to customize the sidecars in different ns (or environments) to use different CAs.