External istiod installation overriding local injector webhook #37674

@frankbu

Bug Description

The external control plane installation instructions start by installing Istio on the external control plane cluster using the default profile. This istiod will be used to control an ingress gateway that will provide access to the (yet to be installed) external control plane. After this installation step there are two mutatingwebhookconfigurations on the external cluster:

  1. istio-revision-tag-default
  2. istio-sidecar-injector (this one seems to be disabled with istio.io/deactivated: never-match ???)

Injection is working fine using the istio-revision-tag-default webhook at this point.

Later in the instructions we install istiod again on the same cluster, but in a different namespace, external-istiod. This istiod is the external control plane that is configured with remote keys to manage a remote config cluster. The IOP for this install includes operatorManageWebhooks: true because it is not supposed to manage local webhooks.

However, as of Istio 1.12, the second install seems to be creating a new webhook on the local configuration, istio-revision-tag-default-external-istiod and also seems to be deleting the correct local webhook, istio-revision-tag-default.
At this point injection is broken on the local cluster, because it's pointing to the wrong istiod.

It seems that there is code that is doing all this management that should not be if operatorManageWebhooks: true?

// Detect whether previous installation exists prior to performing the installation.

Version

1.12+

Additional Information

No response
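
A check for the state this issue describes, added here as an example (it is not part of the original report or of Istio's code): it reads the JSON from `kubectl get mutatingwebhookconfigurations -o json` and reports any active injector webhook that does not target the local istiod, plus a missing `istio-revision-tag-default`. The `istio-system` namespace, the assumption that the `istio.io/deactivated: never-match` marker sits in a selector's `matchLabels`, and the embedded sample are all assumptions made for the example.

```python
import json

LOCAL_NS = "istio-system"                # assumption: namespace of the local istiod
EXPECTED = "istio-revision-tag-default"  # webhook the issue says must survive
MARKER = ("istio.io/deactivated", "never-match")

# Constructed sample shaped like `kubectl get mutatingwebhookconfigurations -o json`
# after the second install; the inner webhook names are illustrative.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "istio-sidecar-injector"},
  "webhooks": [{"name": "a.example",
    "clientConfig": {"service": {"name": "istiod", "namespace": "istio-system"}},
    "namespaceSelector": {"matchLabels": {"istio.io/deactivated": "never-match"}}}]},
 {"metadata": {"name": "istio-revision-tag-default-external-istiod"},
  "webhooks": [{"name": "b.example",
    "clientConfig": {"service": {"name": "istiod", "namespace": "external-istiod"}},
    "namespaceSelector": {"matchLabels": {"istio-injection": "enabled"}}}]}
]}
""")

def deactivated(webhook):
    """True if either selector carries the never-match marker."""
    for key in ("namespaceSelector", "objectSelector"):
        labels = (webhook.get(key) or {}).get("matchLabels") or {}
        if labels.get(MARKER[0]) == MARKER[1]:
            return True
    return False

def target(webhook):
    """Namespace of the in-cluster service, or the raw URL for an off-cluster istiod."""
    cc = webhook.get("clientConfig", {})
    svc = cc.get("service")
    return svc["namespace"] if svc else "url:" + cc.get("url", "")

def audit(doc, local_ns=LOCAL_NS, expected=EXPECTED):
    """Return (config, webhook, target) for active webhooks not aimed at local_ns."""
    findings, names = [], set()
    for cfg in doc.get("items", []):
        name = cfg["metadata"]["name"]
        names.add(name)
        for wh in cfg.get("webhooks", []):
            if not deactivated(wh) and target(wh) != local_ns:
                findings.append((name, wh["name"], target(wh)))
    if expected not in names:
        findings.append((expected, None, "missing"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a live cluster by replacing `SAMPLE` with the parsed output of the `kubectl` command; an empty result means every active injector webhook still targets the local istiod.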
