Certificate and key rotation

Istio provides us with the option of using a node agent in Kubernetes for certificate and key rotation.

If you are using a demo install profile, the node agent won't be installed by default. To install a node agent, you need to choose values-istio-sds-auth.yaml for the helm install. Once installed, you should see the node agent running on every node. For example, in our single VM, you will see only one node agent:

$ kubectl -n istio-system get pods -l app=nodeagent
NAME                    READY   STATUS    RESTARTS   AGE
istio-nodeagent-smfz7   1/1     Running   0          3m35s

The node agent, when deployed, will provision certificates and keys:

The workflow for rotating certificates and keys is as follows:

  1. The Envoy proxy sends a key and certificate request through the Secret Discovery Service (SDS) API.
  2. When it receives the SDS request, the node agent creates a private key and a Certificate Signing Request (CSR).
  3. Citadel receives the CSR through gRPC, validates it, signs it, generates the certificate, and sends it back to the node agent.
  4. The node agent sends the private key and the signed certificate to the proxy via the SDS API.
  5. This process repeats at a regular interval for every service, which is how certificates and keys are rotated.

Istio recommends running Citadel in the istio-system namespace and restricting access to it to administrators only.

We will cover certificate and key rotation in more detail in Chapter 12, Enabling Istio Policy Controls.