
Create cacerts will make proxy failed to serve requests even with mTLS disabled #53961

Open
@Yufeireal

Description

Is this the right place to submit this?

  • This is not a security vulnerability or a crashing bug
  • This is not a question about how to use Istio

Bug Description

Hi team,

We're currently trying to adopt Istio to achieve a full service mesh (ambient mode). However, one big step before doing this is that we need to have a good Public Key Infrastructure to manage the certificates. By default, istiod uses the certificate from the secret istio-ca-certs in the istio-system namespace. However, when I switch it to use cacerts as a custom CA (Root CA in AWS Private CA -> subordinate CA (cacerts created by cert-manager)), even with mTLS disabled, I need to forcibly restart all the workloads so they can communicate with each other. The errors are just 503s complaining about "upstream connect error or disconnect/reset before headers".

I am not sure if this is a bug or if it's working as expected. I couldn't find any doc regarding how I should do this without disrupting a production cluster, so I need some help or guidance here, thanks a lot!
(I am also happy to write a doc and contribute once I have a good solution.)

Version

istio:
client version 1.22.4
istiod version 1.22.4


kubectl:
1.30 EKS cluster

Additional Information

No response
