Ensure the cert-manager cainjector component is deployed in the cert-manager namespace
Create a cert-manager Certificate resource for the webhook's TLS with spec.secretName=webhook-tls-secret issued by an internal ClusterIssuer
Annotate the ValidatingWebhookConfiguration (or MutatingWebhookConfiguration) with 'cert-manager.io/inject-ca-from: <namespace>/<certificate-name>'
The cainjector watches for this annotation, reads the CA from the ca.crt key of the certificate's secret, and automatically writes it into clientConfig.caBundle for every entry in the configuration's webhooks list, keeping it in sync when the secret changes
For CRDs with conversion webhooks, annotate the CRD with 'cert-manager.io/inject-ca-from: <namespace>/<certificate-name>' and the cainjector injects into spec.conversion.webhook.clientConfig.caBundle
Verify injection: 'kubectl get validatingwebhookconfiguration <name> -o jsonpath={.webhooks[0].clientConfig.caBundle}' should return a non-empty base64-encoded CA certificate; an empty result means nothing was injected (see the gotchas below)
Known gotchas
The cainjector only injects from Certificate resources, not from externally managed secrets; if using an external cert provider, you must run a separate controller or inject the CA bundle manually
cainjector reads the CA from the 'ca.crt' key in the TLS secret, not 'tls.crt'; if the issuer does not populate ca.crt (e.g., ACME issuers typically don't), injection produces an empty caBundle
Annotation format is '<namespace>/<certificate-resource-name>' where the namespace is where the Certificate resource lives, not the secret; a common mistake is using the secret name instead of the Certificate name
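As an added example covering the steps and the gotchas above (not manifests from the original page or from the cert-manager project), the two objects the setup needs: a Certificate for the webhook's serving cert and the ValidatingWebhookConfiguration carrying the annotation. It assumes an existing CA-type ClusterIssuer named internal-ca, a namespace webhook-system, and a Service named example-webhook; all of those names are assumptions.

```yaml
# Certificate for the webhook's serving cert. The issuer is assumed to be an
# existing CA-type ClusterIssuer named internal-ca; a CA issuer writes ca.crt
# into the secret, which is the key cainjector reads (ACME issuers do not).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-cert
  namespace: webhook-system
spec:
  secretName: webhook-tls-secret
  dnsNames:
    - example-webhook.webhook-system.svc
    - example-webhook.webhook-system.svc.cluster.local
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-webhook
  annotations:
    # <namespace>/<Certificate name>: the namespace the Certificate lives in
    # and its metadata.name (webhook-cert), not its secretName.
    cert-manager.io/inject-ca-from: webhook-system/webhook-cert
webhooks:
  - name: validate.example.com
    clientConfig:
      service:
        name: example-webhook
        namespace: webhook-system
        path: /validate
      # caBundle is deliberately omitted; cainjector sets it from ca.crt
      # in webhook-tls-secret and updates it when the CA rotates.
    rules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail
```

With failurePolicy: Fail, a missing or empty caBundle makes the API server reject every matching request, so check the caBundle field right after applying these manifests.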