In the istio-csr section you reference the official docs bootstrap example:
https://github.com/cert-manager/istio-csr/blob/master/hack/demo/cert-manager-bootstrap-resources.yaml
but this is creating a new CA and a new issuer; this seems to go against your diagram, where the intermediate CA being referenced is from the vault.
So did you more or less follow that bootstrap, or did you tell istio-csr to use the intermediate CAs you created during the PKI section? If you did the latter, what did that look like? I'm having trouble connecting the dots here. The main reason I could see to do a new Certificate with isCA: true referencing the issuer created during the cert-manager section is that the CA (istio-ca) is made as a secret which can be used by istio-csr. So I'm a little lost at this part, because that bootstrap resources example seems to be made for a vault-less scenario.
Btw, it goes without saying this is an amazing guide though.