Vault as PKI for Istio intermediate certs

Hi all,

I am excited to see PKI support for Vault, where one can import or create a root certificate and generate new intermediate certificates from it (even with CA=TRUE as an X.509 basic constraint).

The question I have is about the API for querying the PKI itself. The examples showcased hint at making a PUT request to an “issue” REST endpoint, which will issue an actual new intermediate certificate and return a root cert + intermediate cert + intermediate private key triplet.

The problem I have is that this happens on every pod restart. A pod with a vault-init-agent sidecar that uses this “issue” API will end up with new certs… which is not what I want. A restart of a pod is not a valid reason to regenerate new intermediate certificates.

I am looking for a solution where the issuing of new intermediate certs is done “out-of-band” (currently perfectly doable with the “issue” endpoint) and where my pods in Istio/k8s are able to fetch the latest root cert + intermediate cert + intermediate key triplet. The latter is not possible today, as separate calls to different endpoints are needed and one needs to take the certificate serial and timestamp into account… parsing logic which is not possible in the vault-init-agent templating language.

Summary: my request is to also provide a GET endpoint that returns the latest root cert + intermediate cert + intermediate private key.

GitHub feature request submitted:
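One way to get the "issue out-of-band, fetch the latest triplet on restart" behaviour with what Vault offers today, added here as an illustration and not part of the original post or of Vault's own documentation: do the intermediate generation and signing once, from an operator's workstation or a CI job, store the resulting triplet at a stable KV v2 path, and have the Vault Agent sidecar render from that path instead of calling an issuing endpoint. The KV path `secret/istio/ca`, the field names `root_cert`, `intermediate_cert` and `intermediate_key`, the Kubernetes auth role `istio-ca-reader`, the Vault address and the destination paths are all assumptions chosen for this example.

```hcl
# Added example, not from the original post. Assumptions: the out-of-band
# issuing step has already written the current triplet to the KV v2 path
# secret/istio/ca (fields root_cert, intermediate_cert, intermediate_key),
# and the sidecar logs in with the Kubernetes auth role "istio-ca-reader".
pid_file = "/tmp/vault-agent.pid"

vault {
  address = "https://vault.example.internal:8200" # assumed address
}

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "istio-ca-reader" # assumed role; policy: read on secret/data/istio/ca only
    }
  }
  sink "file" {
    config = {
      path = "/home/vault/.vault-token"
    }
  }
}

# Each template renders one member of the triplet. Because the agent only
# reads stored material, a pod restart re-renders the same certificates;
# nothing new is issued until an operator publishes a new triplet.
template {
  destination = "/etc/istio/ca/root-cert.pem"
  contents    = <<EOT
{{ with secret "secret/data/istio/ca" }}{{ .Data.data.root_cert }}{{ end }}
EOT
}

template {
  destination = "/etc/istio/ca/ca-cert.pem"
  contents    = <<EOT
{{ with secret "secret/data/istio/ca" }}{{ .Data.data.intermediate_cert }}{{ end }}
EOT
}

template {
  destination = "/etc/istio/ca/ca-key.pem"
  perms       = "0600" # the CA private key must not be world-readable in the pod
  contents    = <<EOT
{{ with secret "secret/data/istio/ca" }}{{ .Data.data.intermediate_key }}{{ end }}
EOT
}
```

For the out-of-band step, the intermediate has to be generated through the `exported` variant of the intermediate endpoint (`pki_int/intermediate/generate/exported`), since the `internal` variant never hands the private key back; the CSR is then signed with `pki/root/sign-intermediate`, installed with `pki_int/intermediate/set-signed`, and the three PEM blobs written to the KV path with `vault kv put`. Two caveats: the public parts (root and intermediate certificate) could be rendered directly from the PKI mounts' `cert/ca` endpoints without going through KV, so it is only the private key that forces the KV detour; and storing a CA key in KV widens who can read it, so the policy attached to the agent's role should be read-only and scoped to that single path, with KV's version history giving you the "latest" semantics the post asks for. Istio's plug-in CA expects `root-cert.pem`, `ca-cert.pem`, `ca-key.pem` and a `cert-chain.pem`; the chain file is the intermediate concatenated with the root and can be produced by one more template.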