Hands-On Microservices with Kubernetes

by Gigi Sayfan
July 2019
Intermediate to advanced
502 pages
14h
English
Packt Publishing
Content preview from Hands-On Microservices with Kubernetes

Citadel

Citadel is responsible for certificate and key management in Istio. It integrates with various platforms and aligns with their identity mechanisms. For example, in Kubernetes, it uses service accounts; on AWS, it uses AWS IAM; and on GCP/GKE, it can use GCP IAM. The Istio PKI is based on Citadel. It uses X.509 certificates in SPIFFE format as a vehicle for service identity.

Here is the workflow in Kubernetes:

  • Citadel creates certificates and key pairs for existing service accounts.
  • Citadel watches the Kubernetes API server for new service accounts to provision with a certificate and a key pair.
  • Citadel stores the certificates and keys as Kubernetes secrets.
  • Kubernetes mounts the secrets into each new pod that is associated with the service ...
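
The service identity carried in these certificates is a SPIFFE ID in the URI subject alternative name; for a Kubernetes service account Istio uses the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>. The following is an added example, not code from the book or from Istio, showing how a receiving service could strictly parse that ID and authorize the caller; the function names, the allow-list and the sample IDs are constructed for illustration.

```python
import re
from typing import NamedTuple, Set, Tuple


class WorkloadIdentity(NamedTuple):
    trust_domain: str
    namespace: str
    service_account: str


# SPIFFE trust domain: lowercase letters, digits, '.', '-', '_' (max 255 chars).
_TRUST_DOMAIN = re.compile(r"[a-z0-9._-]{1,255}")
# Kubernetes namespace: RFC 1123 DNS label (max 63 chars).
_NAMESPACE = re.compile(r"[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?")
# Kubernetes service account name: DNS subdomain (max 253 chars).
_SERVICE_ACCOUNT = re.compile(r"[a-z0-9](?:[-a-z0-9.]{0,251}[a-z0-9])?")


def parse_spiffe_id(uri: str) -> WorkloadIdentity:
    """Parse spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.

    The raw string is matched directly instead of going through a URL
    library, so nothing is normalized or stripped before validation.
    """
    if not uri.startswith("spiffe://"):
        raise ValueError("not a SPIFFE ID")
    trust_domain, _, path = uri[len("spiffe://"):].partition("/")
    segments = path.split("/")
    if len(segments) != 4 or segments[0] != "ns" or segments[2] != "sa":
        raise ValueError("path is not ns/<namespace>/sa/<service-account>")
    namespace, service_account = segments[1], segments[3]
    # fullmatch rejects userinfo, ports, queries, fragments and trailing newlines.
    if not (_TRUST_DOMAIN.fullmatch(trust_domain)
            and _NAMESPACE.fullmatch(namespace)
            and _SERVICE_ACCOUNT.fullmatch(service_account)):
        raise ValueError("invalid characters or length in SPIFFE ID")
    return WorkloadIdentity(trust_domain, namespace, service_account)


def is_authorized(uri: str, trust_domain: str,
                  allowed: Set[Tuple[str, str]]) -> bool:
    """Fail closed: any parse error or unknown identity is a denial."""
    try:
        ident = parse_spiffe_id(uri)
    except ValueError:
        return False
    return (ident.trust_domain == trust_domain
            and (ident.namespace, ident.service_account) in allowed)
```
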
Publisher Resources

ISBN: 9781789805468