Plugging in external CA key and certs test fails on OCP4.1 AWS. The failed task is:
https://istio.io/docs/tasks/security/plugin-ca-cert/

After user edit the citadel deployment and compare certs, test result shows certs are not the same. It looks like new certs are not mounted on the proxy or not propagated to the pod after citadel redeployment.

In TP10, this test case works fine.

Build: istio maistra-0.11.0
Environment: OCP4.1 AWS
Test script:
https://github.com/yxun/moitt/blob/master/test/maistra/tc_21_plugging_external_ca_test.go

Results:
— FAIL: Test21 (125.10s)
tc_21_plugging_external_ca_test.go:156: @@ -3,53 +3,56 @@
Version: 3 (0x2)
Serial Number:

• 8b:b0:09:7f:1c:e7:53:68:38:c0:16:dd:34:79:43:88
  + e2:11:0e:13:9c:c6:cc:7a
  Signature Algorithm: sha256WithRSAEncryption
• Issuer: O = cluster.local
  + Issuer: C = US, ST = California, L = Sunnyvale, O = Istio, OU = Test, CN = Root CA, emailAddress = testrootca@istio.io
  Validity
• Not Before: May 28 15:32:17 2019 GMT
• Not After : May 27 15:32:17 2020 GMT
• Subject: O = cluster.local
  + Not Before: Jan 24 19:15:51 2018 GMT
  + Not After : Dec 31 19:15:51 2117 GMT
  + Subject: C = US, ST = California, L = Sunnyvale, O = Istio, OU = Test, CN = Root CA, emailAddress = testrootca@istio.io
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (2048 bit)
  Modulus:
• 00:cf:c1:20:f8:e0:c5:cf:c9:fe:4d:1e:99:5f:0a:
• 36:95:68:57:25:f6:41:d5:36:39:98:c5:47:cd:a7:
• ea:04:f1:e5:4f:22:09:7b:9e:62:af:ec:76:3a:da:
• 7c:bd:5d:3e:17:dc:ec:50:b0:1b:e5:32:03:d4:46:
• 18:ae:f4:46:07:6b:96:09:cf:8a:f1:f9:34:9a:6b:
• 9c:ca:21:e9:84:08:20:a0:1c:99:2b:95:12:a4:db:
• fd:a0:7b:d0:8a:1e:01:c6:c7:85:78:8c:e8:32:f3:
• af:94:01:bc:1c:39:ca:1a:57:7f:19:70:0a:65:d3:
• 4e:97:9d:d4:fa:e1:b9:c2:18:40:92:03:75:d0:25:
• 26:0a:b2:be:37:74:2c:a9:ee:73:93:a9:f7:c6:1a:
• 03:92:ba:8d:df:8a:a4:c7:39:f1:3d:25:75:04:b1:
• 39:18:43:54:53:74:16:cc:ca:c0:b4:cb:9c:94:29:
• 0a:c3:79:5f:09:ba:eb:ea:a9:1f:a5:ff:7d:22:58:
• d0:ab:13:00:09:27:98:62:91:f0:3c:3b:f7:3b:b5:
• a9:4d:1c:1b:a6:03:e7:e0:09:bc:ce:11:92:24:be:
• c9:7f:e0:87:2e:27:f2:7c:bc:fe:64:0f:0f:44:ef:
• 69:aa:65:e2:57:ee:6d:3d:3d:e1:23:43:e0:a2:3b:
• 61:01
  + 00:df:cb:84:7c:06:ad:cd:06:2a:6d:a2:e8:bb:59:
  + f1:27:7e:3c:57:23:73:ba:66:0c:98:30:ed:e6:96:
  + cb:61:1a:c2:a3:6a:52:de:48:b5:65:50:cd:f3:2c:
  + 48:10:d2:45:92:92:b0:f5:47:2d:4c:67:5b:34:6b:
  + 86:0a:24:83:3f:bb:aa:17:a0:62:56:7f:97:28:05:
  + 3f:de:99:cf:14:16:d3:77:44:b7:dc:da:9b:0c:44:
  + 2e:21:8a:da:1d:29:7f:b5:29:39:ac:04:5b:0b:50:
  + eb:41:17:59:ea:76:03:d8:aa:da:a4:2e:20:d1:76:
  + e3:63:a3:ee:e6:5e:32:ec:a9:c5:c1:2b:a7:9e:9f:
  + 6e:aa:96:70:b8:44:6f:fc:18:2e:98:9e:50:95:27:
  + 92:78:29:a1:9c:38:4b:c6:8a:06:f3:0e:6d:0b:6c:
  + 95:af:5c:83:a6:c3:87:1a:29:8f:fe:67:3c:09:db:
  + 38:57:4c:df:22:14:2f:63:37:c8:1e:98:61:13:d0:
  + ca:8e:69:e3:05:82:ce:76:3e:1a:c9:cb:f8:e2:31:
  + e7:38:67:3e:c2:f0:35:26:ab:25:eb:4b:77:c2:09:
  + ac:fb:32:53:89:6c:00:04:b7:70:ce:03:00:6b:bc:
  + b1:2f:2a:15:d3:e3:e2:55:0b:9d:ea:4f:bc:66:82:
  + 05:73
  Exponent: 65537 (0x10001)
  X509v3 extensions:
• X509v3 Key Usage: critical
• Certificate Sign
• X509v3 Basic Constraints: critical
  + X509v3 Subject Key Identifier:
  + 39:46:06:B5:4C:A1:7A:EC:4E:E2:51:9E:E0:EA:75:CB:C3:55:A1:A8
  + X509v3 Authority Key Identifier:
  + keyid:39:46:06:B5:4C:A1:7A:EC:4E:E2:51:9E:E0:EA:75:CB:C3:55:A1:A8
  +
  + X509v3 Basic Constraints:
  CA:TRUE
  Signature Algorithm: sha256WithRSAEncryption
• 5b:ea:ed:91:ff:a9:cb:5b:6a:d3:15:67:ba:90:c0:91:b3:db:
• e8:fe:e2:28:73:f0:5a:5d:05:39:8f:e4:15:26:0e:44:e9:6c:
• 82:62:f3:09:30:ed:8b:20:4a:a3:7b:ad:8a:a7:e4:d4:b4:31:
• 8a:d5:5e:1f:8b:b6:5c:03:fd:c5:4d:77:b4:60:7c:78:ea:2c:
• 97:77:4e:49:5e:13:9b:0b:63:d7:79:63:33:04:64:82:39:0b:
• a4:54:87:89:ff:05:2e:e6:31:9b:de:d7:6b:3b:2b:20:07:dc:
• a8:61:1e:8c:2b:21:12:84:a7:ed:58:48:b2:1d:a1:d6:ca:58:
• 7b:a4:f2:0a:d1:82:e6:d6:6e:f9:5d:30:96:aa:43:cf:3c:2a:
• 55:61:19:08:50:ae:04:98:5f:29:85:28:c1:19:7a:c8:5e:64:
• 2a:aa:d4:c3:d0:4c:cf:ad:19:53:3b:ba:be:2b:8e:a5:f4:4f:
• 73:49:39:6d:ec:b3:6c:0c:26:21:95:85:42:89:02:a5:ed:1c:
• c3:12:db:1f:4f:ef:0e:e5:b0:de:ad:fd:e2:a4:22:54:12:13:
• 7a:9f:f1:69:1c:7b:df:77:73:49:73:7b:17:af:e4:38:57:b9:
• a1:fc:ed:2a:21:5e:43:5f:5f:58:da:5d:62:f3:b5:6f:36:8d:
• 40:cb:78:94
  + 35:72:f2:7c:0b:3b:27:da:e6:05:a9:86:26:f3:d9:96:dc:77:
  + f7:45:b1:cf:32:c5:42:c0:51:01:a1:fa:ae:07:a2:a4:1a:b7:
  + 75:1f:6a:12:30:30:6f:a0:53:17:e4:4e:9a:d4:33:5f:e7:e3:
  + b2:d0:91:ac:9c:42:b6:8f:56:b4:2f:0a:bd:74:dd:45:f2:23:
  + 7c:20:99:8e:1b:48:38:12:aa:47:11:38:28:95:7f:44:17:ef:
  + f7:10:f9:97:28:ed:08:f0:90:97:72:1a:e8:c4:9f:e3:63:7e:
  + 69:b0:0a:58:27:54:e8:a0:a8:8c:0f:16:07:d6:21:48:2c:f3:
  + 6b:76:90:6c:f4:f3:77:6e:8e:0b:f2:5b:94:9a:55:82:db:ac:
  + e5:ff:08:2f:30:ac:cf:ea:5b:32:29:a0:4e:48:72:02:e8:58:
  + 46:9a:49:69:0d:b8:00:f8:a3:b0:40:bd:f8:62:1a:54:a3:e0:
  + e4:8c:16:ae:88:8f:a2:3f:90:5c:da:6c:86:eb:ea:55:04:17:
  + bc:66:91:8a:ae:33:a1:29:f1:c4:02:73:fb:0f:2d:8e:b0:d6:
  + 71:ff:36:e9:53:75:e0:82:fe:fc:29:aa:96:0f:eb:21:f0:79:
  + 08:77:70:54:87:d6:c2:9b:86:07:ae:aa:fd:48:8f:7a:06:4c:
  + 36:cf:1a:de
  FAIL