Webhook Custom CA #169

Open
leotomas837 opened this issue Dec 9, 2022 · 0 comments

leotomas837 commented Dec 9, 2022

Is there any way to inject a custom CA for the webhook? I can see these in the values.yaml:

```yaml
...
# -- Optional extra volume mounts. Useful for mounting custom root CAs
volumeMounts: []
#- name: my-volume-mount
#  mountPath: /etc/approver-policy/secrets

# -- Optional extra volumes.
volumes: []
#- name: my-volume
#  secret:
#    secretName: my-secret
...
```

Then these volumes are mounted in the webhook container, here:

```yaml
...
        {{- if .Values.volumeMounts }}
        volumeMounts:
{{ toYaml .Values.volumeMounts | indent 10 }}
        {{- end }}

        resources:
          {{- toYaml .Values.resources | indent 12 }}

      {{- if .Values.volumes }}
      volumes:
{{ toYaml .Values.volumes | indent 6 }}
      {{- end }}
```

But the mounted volumes are never taken into account. In case there was an extra arg available to take the mounted CAs into account, I checked the cert-manager-approver-policy bin options available here, but I don't see anything for this purpose.

Instead, in the Go code, it uses the default and only behaviour, which is currently to generate a self-signed CA dynamically; see the cert-manager authority pkg.

Am I missing something obvious, or is there currently no mechanism to assign a custom webhook CA? (It must feed the secret cert-manager-approver-policy-tls, as the ValidatingWebhookConfiguration is injecting the CA from the secret thanks to cert-manager-cainjector, see here.)
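The issue above rests on two facts: the webhook's serving certificate is issued by a CA the binary generates at runtime, and cainjector copies that CA out of the TLS secret into the `caBundle` of the ValidatingWebhookConfiguration. The security-relevant consequence is that the kube-apiserver trusts exactly what is in `caBundle` and nothing else, so a root CA that is merely mounted into the container changes nothing unless the serving certificate actually chains to it. The following check makes that relationship concrete. It is an added example, not code from this issue or from the approver-policy project: the CAs and leaf are constructed in memory with the Go standard library rather than with cert-manager's authority package, the service DNS name `cert-manager-approver-policy.cert-manager.svc` is an assumption, and the helper names (`VerifyWebhookServing`, `issue`, `caTemplate`, `servingTemplate`, `Demo`) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyWebhookServing applies the check the kube-apiserver applies before trusting a webhook:
// the serving cert must chain to the caBundle (base64 PEM, as cainjector writes it) for dnsName.
func VerifyWebhookServing(caBundleB64 string, servingPEM []byte, dnsName string) error {
	bundle, err := base64.StdEncoding.DecodeString(caBundleB64)
	if err != nil {
		return fmt.Errorf("caBundle is not valid base64: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return errors.New("caBundle contains no PEM certificates")
	}
	block, _ := pem.Decode(servingPEM)
	if block == nil {
		return errors.New("serving certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing serving certificate: %w", err)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// issue creates a P-256 key and a cert from tmpl (self-signed when parent is nil). Constructed test material; panics on setup failure.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func pemOf(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func servingTemplate(dnsName string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Demo issues a serving cert from a stand-in for the dynamically generated CA, then verifies it
// against that CA's bundle (succeeds) and against an unrelated "custom root" bundle (fails).
func Demo() (matchErr, mismatchErr error) {
	const svc = "cert-manager-approver-policy.cert-manager.svc" // assumed service DNS name
	dynCA, dynKey := issue(caTemplate("dynamic-webhook-ca"), nil, nil)
	leaf, _ := issue(servingTemplate(svc), dynCA, dynKey)
	customCA, _ := issue(caTemplate("custom-root"), nil, nil)
	bundle := func(ca *x509.Certificate) string { return base64.StdEncoding.EncodeToString(pemOf(ca)) }
	return VerifyWebhookServing(bundle(dynCA), pemOf(leaf), svc),
		VerifyWebhookServing(bundle(customCA), pemOf(leaf), svc)
}

func main() {
	matchErr, mismatchErr := Demo()
	fmt.Println("caBundle = dynamic CA :", matchErr, "\ncaBundle = custom root:", mismatchErr)
}
```

Against a live cluster the same function takes `tls.crt` from the secret named in the issue as `servingPEM` and the `caBundle` field of the approver-policy ValidatingWebhookConfiguration as the bundle; if the two disagree, the apiserver rejects the webhook, which is exactly the failure a custom CA would cause unless the serving certificate were reissued under it.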
