cert-manager · zeusal · Oct 2, 2025 · Oct 2, 2025 · Oct 2, 2025 · Oct 2, 2025
diff --git a/deploy/charts/trust-manager/templates/webhook.yaml b/deploy/charts/trust-manager/templates/webhook.yaml
@@ -94,7 +94,13 @@ metadata:
   {{- if or (not .Values.app.webhook.tls.helmCert.enabled) .Values.commonAnnotations }}
   annotations:
     {{- if not .Values.app.webhook.tls.helmCert.enabled }}
+      {{- if eq .Values.app.webhook.tls.injectCaFrom "certificate" }}
     cert-manager.io/inject-ca-from: "{{ include "trust-manager.namespace" . }}/{{ include "trust-manager.name" . }}"
+      {{- else if eq .Values.app.webhook.tls.injectCaFrom "secret" }}
+    cert-manager.io/inject-ca-from-secret: "{{ include "trust-manager.namespace" . }}/{{ include "trust-manager.name" . }}-tls"
+      {{- else }}
+    {{- fail "Invalid value for .app.webhook.injectCaFrom (must be 'certificate' or 'secret')" }}
+      {{- end }}
     {{- end }}
     {{- with .Values.commonAnnotations }}
     {{- toYaml . | nindent 4 }}

diff --git a/deploy/charts/trust-manager/values.schema.json b/deploy/charts/trust-manager/values.schema.json
@@ -453,6 +453,9 @@
         },
         "helmCert": {
           "$ref": "#/$defs/helm-values.app.webhook.tls.helmCert"
+        },
+        "injectCaFrom": {
+          "$ref": "#/$defs/helm-values.app.webhook.tls.injectCaFrom"
         }
       },
       "type": "object"
@@ -514,6 +517,11 @@
       "description": "Whether to issue a webhook cert using Helm, which removes the need to install cert-manager. Helm-issued certificates can be challenging to rotate and maintain, and the issued cert will have a duration of 10 years and be modified when trust-manager is updated. It's safer and easier to rely on cert-manager for issuing the webhook cert - avoid using Helm-generated certs in production.",
       "type": "boolean"
     },
+    "helm-values.app.webhook.tls.injectCaFrom": {
+      "default": "certificate",
+      "description": "This allows running cainjector with --enable-certificates-data-source=false, which follows cert-manager best practices by disabling unused data sources. Valid values are certificate or secret",
+      "type": "string"
+    },
     "helm-values.automountServiceAccountToken": {
       "default": true,
       "description": "Automounting API credentials for the trust-manager pod.",

diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml
@@ -299,6 +299,10 @@ app:
         # The name of cert-manager's Service Account. Only used if `app.webhook.tls.approverPolicy.enabled` is true.
         certManagerServiceAccount: "cert-manager"
 
+      # Added option to inject CA from Secret instead of Certificate.
+      # This allows running cainjector with --enable-certificates-data-source=false, which follows cert-manager best practices by disabling unused data sources.
+      injectCaFrom: "certificate"
+
       # Add labels/annotations to secrets created by Certificate resources when using cert-manager provisioned TLS certificate.
       certificate:
         secretTemplate: {}