
Istio certs ? #256

Open

@costinm

Description

What would you like to be added

A few options:

  • expose the Istio CA gRPC interface, using the K8S JWT with istio-ca audience.
  • add an option to change the mount path for certs to the well-known path where istio-agent is looking for certs

Also, it would be nice if the certs included the SPIFFE identity (using a trust domain configured at install time), and maybe an option to restrict the DNS names to NAME.NAMESPACE.SUFFIX, where the suffix is specified at install time, namespace is the pod namespace, and name may be the only thing customized by the user (it can default to the service account name, for example).

Why this is needed

  • It is good to have options: Istio does have an integration with cert-manager, and I know autocert has a signer for cert-manager, but a more direct integration provides more choices for users.
  • The current mechanism of arbitrary names is fine for users with OPA or strict access, but stricter naming would work for everyone else.
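As an added illustration of the naming restriction proposed in this issue (example code, not from autocert or the issue author), the Go snippet below enforces NAME.NAMESPACE.SUFFIX for DNS SANs and adds a SPIFFE URI SAN. The spiffe://TRUST_DOMAIN/ns/NAMESPACE/sa/SERVICEACCOUNT path layout is Istio's convention and is assumed here, as are the sample trust domain and suffix values.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// NamingPolicy holds the install-time settings the issue proposes.
type NamingPolicy struct {
	TrustDomain string // trust domain for the SPIFFE identity
	Suffix      string // fixed DNS suffix, e.g. "svc.cluster.local"
}
// One lowercase RFC 1123 DNS label: NAME must be exactly one label.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// SPIFFEID builds spiffe://TRUST_DOMAIN/ns/NAMESPACE/sa/SERVICEACCOUNT, the
// layout Istio uses (assumed here; the issue only asks for "the spiffe identity").
func (p NamingPolicy) SPIFFEID(namespace, serviceAccount string) *url.URL {
	return &url.URL{Scheme: "spiffe", Host: p.TrustDomain,
		Path: fmt.Sprintf("/ns/%s/sa/%s", namespace, serviceAccount)}
}

// AllowedDNSNames accepts only NAME.NAMESPACE.SUFFIX with NAMESPACE fixed to the pod
// namespace and NAME a single label; an empty request defaults NAME to the service account.
func (p NamingPolicy) AllowedDNSNames(namespace, serviceAccount string, requested []string) ([]string, error) {
	tail := "." + namespace + "." + p.Suffix
	if len(requested) == 0 {
		requested = []string{serviceAccount + tail}
	}
	out := make([]string, 0, len(requested))
	for _, n := range requested {
		n = strings.ToLower(n)
		if !strings.HasSuffix(n, tail) || !dnsLabel.MatchString(strings.TrimSuffix(n, tail)) {
			return nil, fmt.Errorf("dns name %q is not NAME%s with NAME a single label", n, tail)
		}
		out = append(out, n)
	}
	return out, nil
}

// Template returns an x509 template carrying both identities as SANs.
func (p NamingPolicy) Template(namespace, serviceAccount string, requested []string) (*x509.Certificate, error) {
	dns, err := p.AllowedDNSNames(namespace, serviceAccount, requested)
	if err != nil {
		return nil, err
	}
	return &x509.Certificate{DNSNames: dns, URIs: []*url.URL{p.SPIFFEID(namespace, serviceAccount)}}, nil
}
```

A CA applying this policy would reject a CSR naming another namespace or a multi-label NAME before signing, so a workload can only obtain names under its own namespace.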

Labels

enhancement (New feature or request), needs triage (Waiting for discussion / prioritization by team)