* If istio-agent does not find either the socket, or the certificate files in their respective paths it will start its own SDS Server using a `caClient` to connect to istiod or an external CA, to fetch cryptographic materials (See Default CA Flow).

![SDS decision flow](docs/sds-flow.svg)

digraph { envoy -> sds [dir=both, label="SDS"] envoy -> xdsproxy [dir=both, label="ADS"] sds -> ca [label="CSR"] xdsproxy -> discovery [dir=both,label="ADS"] envoy [shape=hexagon, color=purple] subgraph cluster_istioagent { label = "Istio Agent" color="orange" sds xdsproxy } subgraph cluster_istiod { label = "Istiod" color="lightblue" ca discovery } }...

{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "EgressGateways"

    {{- if eq .Values.global.pilotCertProvider "istiod" }}
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    {{- end }}
    - mountPath: /var/lib/istio/data
      name: istio-data
    # SDS channel between istioagent and Envoy
    - mountPath: /etc/istio/proxy
      name: istio-envoy
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    {{- if .Values.global.mountMtlsCerts }}

{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"

digraph { grpc -> ca [label="Send CSR gRPC Request"] subgraph cluster_istioagent { label = "Istio Agent" color="orange" sds SecretManager -> caClient [label="Sign CSR"] caClient -> grpc grpc -> TokenProvider [dir=none,label="Fetch JWT",color=purple] grpc -> cfiles [dir=none,label="Fetch Cert",color=purple] sds -> SecretManager [label="Generate certificate"] SecretManager -> cfiles [label="Write certs to file"] cfiles [label="Certificate Files"] grpc [shape=diamond] } subgraph cluster_istiod {...

    {{- if eq .Values.global.pilotCertProvider "istiod" }}
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    {{- end }}
    - mountPath: /var/lib/istio/data
      name: istio-data
    # SDS channel between istioagent and Envoy
    - mountPath: /etc/istio/proxy
      name: istio-envoy
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    {{- if .Values.global.mountMtlsCerts }}

{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "EgressGateways"
rules:

{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
rules:

10.244.0.195:9080                                HEALTHY                  outbound|9080||reviews.default.svc.cluster.local
./var/run/secrets/workload-spiffe-uds/socket     HEALTHY                  sds-grpc
10.244.0.188:11800                               HEALTHY                  outbound|11800||skywalking-oap.skywalking.svc.cluster.local