Why not use cert-manager to manage ca cert for istio-sidecar-injector

Hi, I noticed that Istio used istio-citadel to create and CA secret for istio-sidecar-injector. And I also found that Istio support cert-manager for tls security. I wonder that why not use cert-manager to handle the ca secret sidecar-injector need as cert-manager can also support self-signing Issuers and refreshing. Just out of curiosity, thanks.:smiley:



are the experts.

Istio supports Citadel provisioning the certificate for the sidecar injector. Istio also supports Chiron (a new alpha feature of Istio 1.4 that calls k8s CA API to sign DNS certificates) provisioning the certificate for the sidecar injector. In terms of provisioning a certificate for the sidecar injecotr, Cert-manager and Citadel are functionally equivalent. Compared with Cert-manager and Citadel, Chiron makes it easier to distribute the root of trust.