I'm facing the same issue. I have delete and recreated the namespace still having the same problem.

@sonujose @mani0070 To reproduce the problem, can you share detailed instructions (e.g., the commands you use) of how you install Istio and how you deploy an example application? Meanwhile, besides the Azure Kubernetes Engine platform mentioned in the issue, do you also notice this problem on other platforms?

I have the same issue aswell on Azure Kubernetes Engine (v 1.15.7).

# istioctl version
client version: 1.5.0
control plane version: 1.5.0
data plane version: 1.5.0 (17 proxies)

Same log in istiod.
2020-03-30T12:46:54.099810Z warn k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: watch of *v1.ConfigMap ended with: too old resource version: 3142588 (3143468)

Created the namespace with these commands, istio does not seems to add the configmap istio-ca-root-cert in this namespace. Other namespaces are working as intended.

# kubectl create namespace keycloak
namespace/keycloak created
# kubectl label namespace keycloak istio-injection=enabled
namespace/keycloak labeled
# kubectl describe namespaces keycloak
Name:         keycloak
Labels:       istio-injection=enabled
Annotations:  <none>
Status:       Active

No resource quota.

No LimitRange resource.
# kubectl get configmaps -n keycloak
No resources found in keycloak namespace.
# kubectl get configmaps -n default
NAME                 DATA   AGE
istio-ca-root-cert   1      10d

@lei-tang Deployed Istio using the istioctl tool. Istioctl version (1.5.0) and Kubernetes cluster version (v1.15.7)

 istioctl manifest apply \
     --set values.grafana.enabled=true \
     --set values.prometheus.enabled=true \
     --set values.kiali.enabled=true --set values.kiali.createDemoSecret=true \
     --set values.global.proxy.accessLogFile="/dev/dtdout"

Also deployed the same Istio1.5 in two different aks clusters, and this issue was observed in only one of the cluster. The whole problem started after istiod logged this warning - k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: watch of *v1.ConfigMap ended with: too old resource version: 3142588

Istiod pod restart fixed the issue
I was able to fix this issue by deleting the istiod pod. On restart everything started working fine, till now no problems. After the istiod restart the configmap was automatically created for all new namespaces.

I'm hitting this issue as well... created 2 random namespaces, and none of them has any configmap created.

istiod.log

cc @howardjohn

I found this one when I pulled the 1.5 release branch on 3/27. I went back to this commit and the ConfigMap was getting created again.

@GregHanson that PR seems entirely unrelated. a restart of istiod also fixes that, do you think it was just "fixed" by a restart not that PR?

confirmed restart of istiod has helped populated istio-ca-root-cert cm for my non-default namespaces.

@howardjohn - I didn't mean this commit was the culprit - just that it must have come in to the release branch sometime after it. I hit the problem on Friday when I pulled, reverted to that commit, deleted and recreated my namespaces, and I wasn't able to reproduce