Adding custom CA certificates to istiod not working anymore?

Hi there,

We have configured Istio + oauth2-proxy + Keycloak, but we are using a custom self-signed CA certificate.
The problem is with the istiod container when it tries to verify the certs from our Keycloak:

2023-04-13T09:42:16.602921Z	error	model	Failed to refresh JWT public key from "https://keycloak.customdomain/realms/test/protocol/openid-connect/certs": Get "https://keycloak.customdomain/realms/test/protocol/openid-connect/certs": tls: failed to verify certificate: x509: certificate signed by unknown authority

We achieved this in the previous Istio version, 1.10.0, by mounting the cert as a secret inside istiod at the /cacerts path. Now, in version 1.17.x, it does not work.

What do we have to do?
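
The error in the log line is Go's standard x509 failure: istiod's HTTP client has no root certificate that can verify the chain Keycloak presents, so the JWKS fetch is rejected before any JWT is looked at. The following is an added example, not code from the original post and not Istio's own JWKS resolver. It is a self-contained Go program that reproduces that exact error against a constructed stand-in for the Keycloak JWKS endpoint (a self-signed CA, a server certificate issued under it, and a fake JWKS document, all generated in-process on loopback), then shows the same fetch succeeding once the CA is loaded from a PEM bundle the way a process would read it from a mounted Secret. The hostname keycloak.customdomain and the realm path are taken from the post; how istiod itself discovers extra roots, and at which path, is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed JWKS document standing in for Keycloak's response; not a real key.
const fakeJWKS = `{"keys":[{"kty":"EC","crv":"P-256","kid":"example-kid","x":"AA","y":"AA"}]}`

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestPKI builds a self-signed CA (the post's custom CA) and a server certificate issued under it
// (the Keycloak certificate). Returns the CA as the PEM bundle a Secret would carry, plus the leaf.
func newTestPKI() ([]byte, tls.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Custom Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{ // 127.0.0.1 SAN only so the local httptest listener verifies
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "keycloak.customdomain"},
		DNSNames: []string{"keycloak.customdomain"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}
}

// rootsFromPEM builds a trust pool from a PEM bundle, as a process would from a file mounted out of a
// Secret. An empty or non-PEM bundle (wrong Secret key, base64 never decoded) is an error, not an empty pool.
func rootsFromPEM(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, fmt.Errorf("no CA certificates found in bundle")
	}
	return pool, nil
}

// fetchJWKS fetches url trusting roots; a nil pool means the system store only, i.e. no custom CA.
func fetchJWKS(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Timeout: 5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo serves fakeJWKS over TLS with the CA-signed leaf and fetches it twice: without the custom CA
// (reproducing the log line's error) and with it. Returns the first error text, second body, second error.
func Demo() (untrustedErr, body string, err error) {
	caPEM, leaf := newTestPKI()
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = io.WriteString(w, fakeJWKS)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()
	url := srv.URL + "/realms/test/protocol/openid-connect/certs"
	if _, e := fetchJWKS(url, nil); e != nil {
		untrustedErr = e.Error()
	}
	roots, err := rootsFromPEM(caPEM)
	if err != nil {
		return untrustedErr, "", err
	}
	body, err = fetchJWKS(url, roots)
	return untrustedErr, body, err
}

func main() {
	fmt.Println(Demo())
}
```

The first fetch fails with "certificate signed by unknown authority", the second returns the JWKS body. The check worth carrying over to a real cluster is the one in rootsFromPEM: whatever file the process reads must actually parse as PEM and contain the CA, because a Secret mounted under the wrong key, or holding a still-base64-encoded value, yields the same unknown-authority error as no mount at all.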

I will not mount it; instead, I would place the self-signed cert under the
istio-system namespace, sealing it via SealedSecret.