OpenShift Service Mesh: OSSM-9076

Stop gateway instance from creating ConfigMaps everywhere


    • Type: Story
    • Resolution: Done-Errata
    • Priority: Blocker
    • OSSM 3.0.1
    • Istio

      By default, istiod creates a ConfigMap named istio-ca-root-cert in every namespace it watches (the set of watched namespaces depends on the discoverySelectors), so that any proxy injected into those namespaces has istiod's CA root certificate. The proxies need this certificate to verify istiod's certificate when performing the initial connection.

      In the Gateway API support use case for OCP, no 'normal' sidecar injection is planned. The only injection that needs to happen is Gateway injection based on k8s Gateway API resources. Because of this, we want to avoid creating potentially unneeded ConfigMaps across the entire cluster.

      The long-term solution to this problem will be the migration to ClusterTrustBundles, which is work in progress upstream. However, ClusterTrustBundles are only v1beta1 from K8s 1.33 (OCP 4.20), so we need an interim solution.

      AC:

      • add a flag that will cause istiod to only create ConfigMaps in namespaces where there are k8s Gateways with the correct GatewayClass (e.g. "openshift")
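The namespace selection the flag asks for, modelled as an added Go example (not code from OSSM or Istio): the candidate namespaces are the discoverySelectors result, and only those hosting a Gateway of the wanted GatewayClass get istio-ca-root-cert; the rest are the ConfigMaps the flag avoids. The Gateway type, the function name and the sample namespaces are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Gateway is a minimal stand-in for a Gateway API resource; only the two fields
// the selection logic needs are modelled (constructed for this example).
type Gateway struct {
	Namespace        string
	GatewayClassName string
}

// PlanRootCertConfigMaps decides, for every namespace in istiod's discovery scope,
// whether istio-ca-root-cert is still needed under the proposed flag: only namespaces
// hosting at least one Gateway of GatewayClass wantClass qualify. It returns the
// namespaces to create the ConfigMap in and those the flag skips, both sorted.
func PlanRootCertConfigMaps(discovered []string, gateways []Gateway, wantClass string) (create, skip []string) {
	hasGateway := map[string]bool{}
	for _, gw := range gateways {
		if gw.GatewayClassName == wantClass {
			hasGateway[gw.Namespace] = true
		}
	}
	// Iterating the discovered set means a Gateway in an unwatched namespace can
	// never pull a ConfigMap into a namespace istiod does not watch.
	for _, ns := range discovered {
		if hasGateway[ns] {
			create = append(create, ns)
		} else {
			skip = append(skip, ns)
		}
	}
	sort.Strings(create)
	sort.Strings(skip)
	return create, skip
}

func main() {
	discovered := []string{"default", "apps", "edge", "monitoring"} // discoverySelectors result (constructed)
	gateways := []Gateway{
		{"edge", "openshift"},
		{"apps", "openshift"},
		{"apps", "openshift"},    // second Gateway in the same namespace: counted once
		{"default", "istio"},     // other GatewayClass: no ConfigMap needed
		{"outside", "openshift"}, // not in discovery scope: ignored
	}
	create, skip := PlanRootCertConfigMaps(discovered, gateways, "openshift")
	fmt.Println("create istio-ca-root-cert in:", create)
	fmt.Println("skip:", skip)
}
```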

              People: Aslak Knutsen (aknutsen@redhat.com), Daniel Grimm (dgrimm@redhat.com)
              Votes: 1
              Watchers: 5
