Story
Resolution: Done
Major
OSSM 3.0-TP1
The OSSM pilot image has `/tmp` as its working directory, in contrast to upstream, which has `/` as its working directory.
This has consequences for (1) custom root certs, which affects multi-cluster, and (2) the istio-csr / cert-manager integration. Pilot expects certificates to be mounted at `./<path-to-cert>`, a path relative to the working directory. See https://github.com/istio/istio/blob/226f8b845d37b354a21eb2373fa5a6951f2b5ac3/pkg/config/constants/constants.go#L26-L33 and the `ROOT_CA_DIR` default at https://istio.io/latest/docs/reference/commands/pilot-discovery/#envvars. Without manually specifying overrides, neither of these integrations works when you are using the OSSM pilot image.
You can specify overrides for these, though, like so:
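```
pilot:
  env:
    ENABLE_CA_SERVER: "false"
    # Absolute path, so it no longer depends on the working directory
    ROOT_CA_DIR: /etc/cacerts
  volumeMounts:
    # Prefixed with /tmp, the working directory of the OSSM pilot image
    - mountPath: /tmp/var/run/secrets/istiod/tls
      name: istio-csr-dns-cert
      readOnly: true
  volumes:
    - name: istio-csr-dns-cert
      secret:
        optional: true
        secretName: istiod-tls
```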
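The effect of the working directory on certificate lookup can be checked mechanically. The Go program below is an added example, not code from Istio or OSSM: it resolves relative certificate directories against a working directory and reports those that no volume mount provides. The helper names, the sample mount list and the two default directories (inferred from the override above) are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Relative cert directories pilot resolves against its working directory.
// Assumption: taken from the page's override; constants.go has more entries.
var defaultCertDirs = []string{"./etc/cacerts", "./var/run/secrets/istiod/tls"}

// resolve returns the absolute path that p names for a process in workdir.
func resolve(workdir, p string) string {
	if path.IsAbs(p) {
		return path.Clean(p)
	}
	return path.Join(workdir, p)
}

// covered reports whether target lies at or below one of the mount paths.
func covered(mounts []string, target string) bool {
	for _, m := range mounts {
		if m = path.Clean(m); target == m || strings.HasPrefix(target, strings.TrimSuffix(m, "/")+"/") {
			return true
		}
	}
	return false
}

// missing lists the resolved cert directories that no mount provides.
func missing(workdir string, certDirs, mounts []string) []string {
	var out []string
	for _, d := range certDirs {
		if r := resolve(workdir, d); !covered(mounts, r) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	mounts := []string{"/etc/cacerts", "/var/run/secrets/istiod/tls"} // constructed sample
	fmt.Println("workdir /   :", missing("/", defaultCertDirs, mounts))
	fmt.Println("workdir /tmp:", missing("/tmp", defaultCertDirs, mounts))
	// The page's overrides: absolute ROOT_CA_DIR, TLS secret mounted under /tmp.
	fmt.Println("overrides   :", missing("/tmp",
		[]string{"/etc/cacerts", "./var/run/secrets/istiod/tls"},
		[]string{"/etc/cacerts", "/tmp/var/run/secrets/istiod/tls"}))
}
```

With working directory `/` nothing is missing; with `/tmp` both directories resolve under `/tmp` and are not covered until the overrides are applied.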