=== $ kubectl get crd -o name | grep -c 'istio\.io' === 15 --- exit: 0 --- === $ kubectl get crd gateways.networking.istio.io -o jsonpath='{.metadata.annotations.helm\.sh/resource-policy}'; echo === keep --- exit: 0 --- === $ kubectl get crd virtualservices.networking.istio.io -o jsonpath='{.metadata.annotations.helm\.sh/resource-policy}'; echo === keep --- exit: 0 --- === $ kubectl get crd destinationrules.networking.istio.io -o jsonpath='{.metadata.annotations.helm\.sh/resource-policy}'; echo === keep --- exit: 0 --- === $ kubectl -n istio-system get cm istio-ca-root-cert istio-leader istio-namespace-controller-election -o name === configmap/istio-ca-root-cert configmap/istio-leader configmap/istio-namespace-controller-election --- exit: 0 --- === $ kubectl -n istio-system get cm istio-ca-root-cert -o jsonpath='{.metadata.labels}{" "}{.metadata.annotations}{" "}' === {"istio.io/config":"true"} --- exit: 0 --- === $ kubectl -n istio-system get cm istio-leader -o jsonpath='{.metadata.annotations.meta\.helm\.sh/release-name}'; echo '(empty expected)' === (empty expected) --- exit: 0 --- === $ helm -n istio-system get manifest istiod 2>/dev/null | grep -c 'istio-ca-root-cert\|istio-leader' || echo 0 === 7 --- exit: 0 --- === grep context in helm manifest === 1030- {{- else }} 1031- configMap: 1032: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} 1033- {{- end }} 1034- {{- end }} -- 1324- {{- else }} 1325- configMap: 1326: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} 1327- {{- end }} 1328- {{- end }} -- 1703- {{- else }} 1704- configMap: 1705: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} 1706- {{- end }} 1707- {{- end }} -- 2037- {{- else }} 2038- configMap: 2039: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} 2040- {{- end }} 2041- {{- if .Values.global.imagePullSecrets }} -- 2453- {{- else }} 2454- configMap: 2455: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} 2456- {{- end }} 2457- {{- end }} -- 2776- {{- else }} 2777- configMap: 2778: name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} 2779- {{- end }} 2780- {{- end }} -- 3460- - name: istio-csr-ca-configmap 3461- configMap: 3462: name: istio-ca-root-cert 3463- defaultMode: 420 3464- optional: true --- exit: 0 --- === deeper check: is istio-ca-root-cert a ConfigMap *object* (kind: ConfigMap + metadata.name) in the helm manifest? === ConfigMap objects (kind:ConfigMap, top-level metadata.name) matching target names: [] Total docs in manifest: 24 --- exit: 0 --- === supplementary: full labels/annotations for all 3 configmaps === --- istio-ca-root-cert --- labels={"istio.io/config":"true"} annotations= --- istio-leader --- labels= annotations={"control-plane.alpha.kubernetes.io/leader":"{\"holderIdentity\":\"istiod-797b447c94-cv7ns\",\"holderKey\":\"default\",\"leaseDurationSeconds\":30,\"acquireTime\":\"2026-06-01T02:22:53Z\",\"renewTime\":\"2026-07-04T23:38:30Z\",\"leaderTransitions\":0}"} --- istio-namespace-controller-election --- labels= annotations={"control-plane.alpha.kubernetes.io/leader":"{\"holderIdentity\":\"istiod-797b447c94-cv7ns\",\"holderKey\":\"default\",\"leaseDurationSeconds\":30,\"acquireTime\":\"2026-06-01T02:22:53Z\",\"renewTime\":\"2026-07-04T23:38:26Z\",\"leaderTransitions\":0}"} === supplementary: confirm no ConfigMap *resource object* named istio-ca-root-cert/istio-leader/istio-namespace-controller-election exists in helm manifest (only volume refs / injection-template text matched) === ConfigMap objects (kind:ConfigMap, top-level metadata.name) matching target names: [] (out of 24 rendered docs)