Use of Vault CA

We have integrated our Vault CA with Istio following the article here: https://istio.io/docs/tasks/security/vault-ca/

All is well and good for workloads on the mesh, however supporting services like Prometheus aren’t issued with certs from Vault and are instead still using the internal Istio CA (see: https://github.com/istio/istio/blob/9bb9df2cbcc3e8e54196273ce32cf9038c4ee491/install/kubernetes/helm/istio/charts/prometheus/templates/deployment.yaml#L64-L70)

Is there a way to ensure that the certificates issued to secrets also come from the same CA?


That would require Prometheus to use a sidecar, but we don’t have that yet. Prometheus is using the file mount.
So one way to resolve this is to add sidecars to Prometheus and use SDS in it. Adding @douglas-reid for the Prometheus sidecar question.
The other way is using Vault with the file mount approach: you can integrate Vault using Citadel. Then Citadel is delegated to provision the certificates for all the workloads in the cluster. @leitang is the expert for Vault integration.
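
Added example (not code from this thread or from Istio): a small Go check for the situation described above, where a file-mounted component like Prometheus may still hold a cert from the built-in Citadel root while the mesh has moved to Vault. It takes the contents of a mounted cert-chain.pem and a root-cert.pem and reports whether the leaf actually chains to that root. The in-memory "vault-root" and "istio-self-signed-root" CAs, the SPIFFE IDs, and the function names are constructed fixtures so it runs offline; on a real cluster you would feed it the two PEM files from the istio.<serviceaccount> secret (assumed to carry cert-chain.pem and root-cert.pem keys, as Citadel writes them) and the root exported from Vault.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newCA builds a self-signed CA and returns its parsed cert, key and PEM.
// Constructed fixture standing in for the Vault CA or the built-in Citadel root.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// issueWorkloadCert signs a SPIFFE-style leaf with the given CA, shaped like the
// cert-chain.pem a workload gets from its issuing CA (constructed, not Citadel's output).
func issueWorkloadCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ChainsToRoot reports whether the first certificate in chainPEM verifies up to a root
// in rootPEM, using any further blocks in chainPEM as intermediates. A clean
// "unknown authority" result is (false, nil); malformed input is an error.
func ChainsToRoot(chainPEM, rootPEM []byte) (bool, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return false, errors.New("no certificate found in root PEM")
	}
	var leaf *x509.Certificate
	inter := x509.NewCertPool()
	rest := chainPEM
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false, err
		}
		if leaf == nil {
			leaf = c
		} else {
			inter.AddCert(c)
		}
	}
	if leaf == nil {
		return false, errors.New("no certificate found in chain PEM")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return false, nil // signed by some other CA: the mismatch we are looking for
	}
	return err == nil, err
}

func main() {
	_, _, vaultRoot, _ := newCA("vault-root")
	istioCA, istioKey, _, _ := newCA("istio-self-signed-root")
	// Prometheus still holds a cert from the built-in CA (constructed scenario).
	promChain, _ := issueWorkloadCert(istioCA, istioKey, "spiffe://cluster.local/ns/istio-system/sa/prometheus")
	ok, err := ChainsToRoot(promChain, vaultRoot)
	fmt.Printf("prometheus cert chains to Vault root: %v (err=%v)\n", ok, err)
}
```

Run it against the real files by swapping the fixtures for `os.ReadFile` of the mounted cert-chain.pem and the Vault root; a `false, nil` result is exactly the state the original post describes, and an error means the files are not what you expected rather than a CA mismatch.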

Thanks for the reply @Oliver! I think in the short term integrating Vault with Citadel would be the fastest route to getting most things working alongside the data plane. I can’t find any information on how to do this though. Do you have any suggestions? I’d be happy to write up something for the docs once we’ve managed to get it working.

Is this what you were mentioning @Oliver?