Providing additional root certificates in caCertificates in meshConfig doesn't work

We plugged in main CA certificates as described in Istio / Plug in CA Certificates. This works as expected.
But we also need additional root certificates to connect to external clusters. We expect the caCertificates property of MeshConfig to do exactly this, as described in Istio / Global Mesh Options.
Istio is installed using the Helm chart. Values for the Istiod Helm chart are:

    meshConfig:
      caCertificates:
        - pem: |-
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----

This doesn’t have any effect; the workload can’t communicate with the external one. Istiod logs contain a message about a mesh configuration update with the additional cert, but no mention that it was added to the trusted CAs. Neither the trusted chain nor the root certificate in the workload’s Envoy config dump contains the additional certificate.

When I provide the same additional certificate in root-cert.pem in the cacerts secret, a workload is able to communicate to the external one. But then we hit an issue that is described in Invalid Cert Chain when using Plug in CA Certificates · Issue #39001 · istio/istio · GitHub.

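
A diagnostic check for the symptom described above (an added example, not code from the original post or from the Istio project): given the JSON produced by `istioctl proxy-config secret <pod> -o json`, whose layout is assumed here to be Envoy's secrets config dump with a `ROOTCA` entry carrying the trusted CA bundle as base64 `inlineBytes`, it reports which expected root certificates the workload's Envoy does not trust. The certificate blobs embedded below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import json
import re

# Matches every PEM certificate block in a bundle (body only).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_bundle: str) -> set:
    """SHA-256 fingerprints over the DER bytes of each certificate in a PEM bundle."""
    fps = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def trusted_ca_bundle(secret_dump: dict) -> str:
    """Return the PEM bundle Envoy uses as ROOTCA.

    Assumed layout of `istioctl proxy-config secret <pod> -o json`:
    dynamicActiveSecrets[].name == "ROOTCA" and
    secret.validationContext.trustedCa.inlineBytes == base64(PEM bundle).
    """
    for entry in secret_dump.get("dynamicActiveSecrets", []):
        if entry.get("name") != "ROOTCA":
            continue
        inline = entry["secret"]["validationContext"]["trustedCa"]["inlineBytes"]
        return base64.b64decode(inline).decode()
    return ""  # no ROOTCA secret pushed to this proxy at all


def missing_roots(expected_pem: str, secret_dump: dict) -> set:
    """Fingerprints of expected roots that are absent from the proxy's trusted CA bundle."""
    return pem_fingerprints(expected_pem) - pem_fingerprints(trusted_ca_bundle(secret_dump))


def _fake_cert(tag: str) -> str:
    # Constructed placeholder: arbitrary bytes wrapped in PEM armor, not a real X.509 cert.
    body = base64.b64encode(b"constructed-not-a-real-cert-" + tag.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


MESH_ROOT = _fake_cert("mesh-root")      # what the cacerts secret carries
EXTRA_ROOT = _fake_cert("external-root")  # what meshConfig.caCertificates was meant to add
# Constructed dump reproducing the report: Envoy only received the mesh root.
SAMPLE_DUMP = json.loads(json.dumps({"dynamicActiveSecrets": [{"name": "ROOTCA", "secret": {
    "validationContext": {"trustedCa": {"inlineBytes": base64.b64encode(MESH_ROOT.encode()).decode()}}}}]}))

if __name__ == "__main__":
    print("missing roots:", missing_roots(EXTRA_ROOT, SAMPLE_DUMP))
```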

Thanks for raising this, I was hit by the same issue, and your issue Workload doesn't trust additional root certificates provided in caCertificates under meshConfig · Issue #39935 · istio/istio · GitHub helped to clarify what I was missing :+1: (Though I must say this is poorly documented…)