Bug
Resolution: Done
OSSM 2.6.12
Description:
When the OSSM 2 operator and Istio (community or OSSM 3) are installed at the same time, both update the CA bundle in the validation webhook indefinitely. Important: this happens only if the cacerts secret is configured.
Impact:
When both the SMCP operator and Istiod reconcile the same Istio validation webhook, they continuously overwrite each other’s configuration, causing a reconciliation loop. This results in frequent webhook updates on the API server, increasing control-plane churn and API server load. Users may observe degraded cluster performance, excessive event noise, and unstable validation behavior for Istio resources.
Root cause:
In OSSM 2, management of the validation webhook is delegated to the operator, whereas in OSSM 3 the webhook is owned and reconciled by Istiod. The OSSM 2 operator determines webhook ownership using name-based matching (istio-validator-*), which unintentionally matches webhooks installed by both OSSM 2 and OSSM 3.
Desired behavior:
OSSM 2 should only reconcile its own validation webhooks.
Solutions:
1. Select webhooks using the `istio.io/rev=${SMCP_NAME}` label. This approach is difficult to implement with the current design because the webhookca controller does not track created SMCPs and therefore does not know which revision names it should reconcile. Additionally, the validating webhook may be created before the corresponding SMCP exists; in that case, the controller would not detect or update the webhook, leading to incomplete or incorrect reconciliation.
2. Implement a watch predicate that relies on the webhook spec, e.g. namespace selectors that include maistra.io labels. Easy but uncommon solution; it does not require any labels, and the performance impact is negligible.
3. Add the `maistra.io/managed: "true"` label to the validating webhook and implement a watch predicate that relies on that label. Easy, clean and common implementation, but it introduces a new label.
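The three ownership checks compared above (the current name-based match from the root cause, the spec-based predicate of solution 2 and the label-based predicate of solution 3), as an added Go example that is not the operator's own code; the Webhook type, the `maistra.io/member-of` selector key and the sample objects are constructed stand-ins for this illustration.

```go
package main

import "strings"

// Webhook is a constructed stand-in for ValidatingWebhookConfiguration metadata (not the operator's types).
type Webhook struct {
	Name              string
	Labels            map[string]string
	NamespaceSelector map[string]string // matchLabels of webhooks[].namespaceSelector
}

// ownedByNameOSSM2 mirrors the current name-based check from the root cause:
// every "istio-validator-*" webhook is treated as OSSM 2's, including Istiod's.
func ownedByNameOSSM2(w Webhook) bool { return strings.HasPrefix(w.Name, "istio-validator-") }

// ownedBySpecOSSM2 is solution 2: reconcile only webhooks whose namespace selector
// carries a maistra.io label; Istiod-managed webhooks select on istio.io keys instead.
func ownedBySpecOSSM2(w Webhook) bool {
	for k := range w.NamespaceSelector {
		if strings.HasPrefix(k, "maistra.io/") {
			return true
		}
	}
	return false
}

// ownedByLabelOSSM2 is solution 3: an explicit maistra.io/managed="true" label.
func ownedByLabelOSSM2(w Webhook) bool { return w.Labels["maistra.io/managed"] == "true" }

// sampleWebhooks returns constructed objects: one created by the OSSM 2 operator for
// SMCP "basic", one created by Istiod for revision default-v1-27-3 (the name seen in the logs).
func sampleWebhooks() []Webhook {
	return []Webhook{
		{Name: "istio-validator-basic-istio-system", Labels: map[string]string{"maistra.io/managed": "true"},
			NamespaceSelector: map[string]string{"maistra.io/member-of": "istio-system"}},
		{Name: "istio-validator-default-v1-27-3-istio-system", Labels: map[string]string{"istio.io/rev": "default-v1-27-3"},
			NamespaceSelector: map[string]string{"istio.io/rev": "default-v1-27-3"}},
	}
}

// selected returns the webhook names a watch predicate lets through to the reconciler.
// With ownedByNameOSSM2 both names pass, so OSSM 2 also rewrites Istiod's CA bundle.
func selected(pred func(Webhook) bool, hooks []Webhook) []string {
	var names []string
	for _, h := range hooks {
		if pred(h) {
			names = append(names, h.Name)
		}
	}
	return names
}
```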
Workaround:
OSSM 3 users can disable management of the validation webhook for the migration period by setting `spec.values.pilot.env["VALIDATION_WEBHOOK_CONFIG_NAME"]=""`.
Steps to reproduce:
1. Create namespace and the cacerts secret:
kubectl create ns istio-system
kubectl create secret generic cacerts -n istio-system \
  --from-file=root-cert.pem=root-cert.pem \
  --from-file=ca-cert.pem=ca-cert.pem \
  --from-file=ca-key.pem=ca-key.pem \
  --from-file=cert-chain.pem=cert-chain.pem
2. Create SMCP:
kubectl apply -f - <<EOF
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  mode: ClusterWide
  version: v2.6
  addons:
    grafana:
      enabled: false
    kiali:
      enabled: false
    prometheus:
      enabled: false
  tracing:
    type: None
  general:
    logging:
      componentLevels:
        default: info
  proxy:
    accessLogging:
      file:
        name: /dev/stdout
  security:
    identity:
      type: ThirdParty
  gateways:
    ingress:
      enabled: false
    egress:
      enabled: false
EOF
3. Install Istio CNI:
kubectl create ns istio-cni
kubectl apply -n istio-cni -f - <<EOF
apiVersion: sailoperator.io/v1
kind: IstioCNI
metadata:
  name: default
spec:
  version: v1.27.3
  namespace: istio-cni
EOF
4. Install Istio:
kubectl apply -f - <<EOF
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  namespace: istio-system
  version: v1.27.3
  updateStrategy:
    type: RevisionBased
  values:
    meshConfig:
      accessLogFile: /dev/stdout
EOF
Log verification:
istiod-default-v1-27-3 pod:
2026-01-19T11:42:08.435676Z info validationController successfully updated name=istio-validator-default-v1-27-3-istio-system resource version=1103817
istiod-basic pod:
2026-01-19T11:42:12.084220Z info ads XDS: Incremental Pushing ConnectedEndpoints:0 Version:2026-01-19T11:42:08Z/4
2026-01-19T11:42:12.568402Z info ads Push debounce stable[17] 2 for config Secret/istio-system/sh.helm.release.v1.default-v1-27-3-istiod.v6 and 1 more configs: 101.003306ms since last change, 145.618354ms since last push, full=false
istio-operator pod:
{"level":"info","ts":1768822928.332678,"logger":"webhookca-controller","msg":"reconciling WebhookConfiguration","WebhookConfig":"validating/istio-validator-default-v1-27-3-istio-system"}
{"level":"info","ts":1768822928.3327565,"logger":"webhookca-controller","msg":"Updating CABundle","WebhookConfig":"validating/istio-validator-default-v1-27-3-istio-system"}
{"level":"info","ts":1768822928.3387244,"logger":"webhookca-controller","msg":"CABundle updated","WebhookConfig":"validating/istio-validator-default-v1-27-3-istio-system"}
{"level":"info","ts":1768822928.338826,"logger":"webhookca-controller","msg":"reconciling WebhookConfiguration","WebhookConfig":"validating/istio-validator-default-v1-27-3-istio-system"}
{"level":"info","ts":1768822928.338884,"logger":"webhookca-controller","msg":"Correct CABundle already present. Ignoring","WebhookConfig":"validating/istio-validator-default-v1-27-3-istio-system"}
servicemesh-operator3 pod:
2026-01-19T11:43:56Z INFO ctrlr.istiorev Installing Helm chart {"IstioRevision": "default-v1-27-3", "reconcileID": "ef362540-f18a-4613-8776-d6a94dc56306"}
2026-01-19T11:43:57Z INFO ctrlr.istiorev Reconciliation done. Updating status. {"IstioRevision": "default-v1-27-3", "reconcileID": "ef362540-f18a-4613-8776-d6a94dc56306"}