Issue type: Bug
Resolution: Unresolved
Priority: Undefined
Version: 1.2.0
Summary: the Cluster Ingress Operator (CIO) in OpenShift 4.19 manages the default Istio instance (OSSM v3.x) in the openshift-ingress namespace. This Istio instance managed by the CIO has CNI disabled by default:

    spec:
      values:
        pilot:
          cni:
            enabled: false

Because CNI is disabled, sidecar injection fails for the Rate Limiting service. When Kuadrant enables mTLS
Related issue https://github.com/Kuadrant/kuadrant-operator/issues/1701
Update the Kuadrant documentation to note that if mTLS (mutual TLS) is required, the Istio instance managed by the Cluster Ingress Operator (CIO) is not a viable option, because it lacks the mesh capabilities that Kuadrant's mTLS feature relies on. Instead, you must create a custom Istio CR (Custom Resource) with the CNI (Container Network Interface) requirement enabled. The Gateway API can also be enabled on this custom Istio CR. Crucially, when defining your Gateways, ensure they do not use the openshift.io/gateway-controller/v1 controller name; this prevents the Cluster Ingress Operator from attempting to manage resources belonging to your custom Istio control plane.
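The following manifests are an added illustration of the recommendation above; they are not part of this issue or of the Kuadrant project's own documentation. They assume the OSSM 3.x Sail Operator API (sailoperator.io/v1 with the Istio and IstioCNI kinds) and use hypothetical names and namespaces (kuadrant-mesh, istio-system, istio-cni, istio-custom, kuadrant-gw) that you would adjust for your cluster. The CIO-managed setting from the summary is shown commented out beside the corrected one, and the GatewayClass points at Istio's own controller name rather than openshift.io/gateway-controller/v1.

```yaml
# Added example (not from the issue or from Kuadrant): a custom Istio control
# plane with CNI enabled, for use when Kuadrant mTLS is required.
# Assumptions: sailoperator.io/v1 API (OSSM 3.x); names/namespaces are placeholders.

# For comparison, what the CIO-managed instance in openshift-ingress sets today
# (sidecar injection fails for the Rate Limiting service under this setting):
# spec:
#   values:
#     pilot:
#       cni:
#         enabled: false

# 1. Istio CNI plugin, the prerequisite for a CNI-enabled control plane.
apiVersion: sailoperator.io/v1
kind: IstioCNI
metadata:
  name: default
spec:
  namespace: istio-cni          # assumption: create this namespace beforehand
---
# 2. A custom Istio control plane, separate from the CIO-managed one.
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: kuadrant-mesh           # hypothetical name
spec:
  namespace: istio-system       # hypothetical namespace, deliberately not openshift-ingress
  values:
    pilot:
      cni:
        enabled: true           # the setting the CIO-managed instance lacks
---
# 3. GatewayClass bound to Istio's controller, not openshift.io/gateway-controller/v1,
#    so the Cluster Ingress Operator does not try to manage these resources.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: istio-custom            # hypothetical name
spec:
  controllerName: istio.io/gateway-controller
---
# 4. A Gateway that references the custom class; Kuadrant policies attach here.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kuadrant-gw             # hypothetical name
  namespace: istio-system
spec:
  gatewayClassName: istio-custom
  listeners:
  - name: http
    protocol: HTTP
    port: 80
```

After applying, confirm the control plane actually carries the setting with `oc get istio kuadrant-mesh -o jsonpath='{.spec.values.pilot.cni.enabled}'` (expected: `true`) and check that the Gateway's status lists `istio.io/gateway-controller` rather than the CIO controller; a Gateway accepted by the wrong controller is the symptom that the class name was not changed.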
Dev notes: Consider exploring Istio Ambient Mesh. In theory, Ambient Mesh can achieve mTLS between pods without relying on the sidecar injection mechanism that is currently failing in this specific OCP configuration. See https://www.redhat.com/en/blog/introducing-openshift-service-mesh-32-istios-ambient-mode
Relates to: CONNLINK-528 Allow for TLS configuration between the Gateway and Authorino (without mesh) [New]