{"id":"125a91d9-3b85-4d00-8df0-c80e86c44c83","task":"Use cert-manager CA injector to automatically inject a CA bundle into webhook configurations and CRDs","domain":"cert-manager.io","steps":["Ensure the cert-manager cainjector component is deployed in the cert-manager namespace","Create a cert-manager Certificate resource for the webhook's TLS with spec.secretName=webhook-tls-secret issued by an internal ClusterIssuer","Annotate the ValidatingWebhookConfiguration (or MutatingWebhookConfiguration) with 'cert-manager.io/inject-ca-from: /'","The cainjector watches for this annotation, reads the CA from the certificate's secret, and injects it into the webhookConfiguration's clientConfig.caBundle field automatically","For CRDs with conversion webhooks, annotate the CRD with 'cert-manager.io/inject-ca-from: /' and the cainjector injects into spec.conversion.webhook.clientConfig.caBundle","Verify injection: 'kubectl get validatingwebhookconfiguration -o jsonpath={.webhooks[0].clientConfig.caBundle}' should return a base64-encoded CA cert"],"gotchas":["The cainjector only injects from Certificate resources, not from externally managed secrets; if using an external cert provider, you must run a separate controller or inject the CA bundle manually","cainjector reads the CA from the 'ca.crt' key in the TLS secret, not 'tls.crt'; if the issuer does not populate ca.crt (e.g., ACME issuers typically don't), injection produces an empty caBundle","Annotation format is '/' where the namespace is where the Certificate resource lives, not the secret; a common mistake is using the secret name instead of the Certificate name"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:15.651Z"},"url":"https://mcp.waymark.network/r/125a91d9-3b85-4d00-8df0-c80e86c44c83"}