Optional long-lived CA certificate support for webhook certificates

[isindir]

Is your feature request related to a problem? Please describe.

When using cert-manager to manage webhook certificates, short-lived CA rotation can cause a brief but real failure window.

Specifically, there are cases where:

The webhook Secret has been rotated by cert-manager,
but the application has not yet restarted and is still using the previously loaded ca/key/certificate,
while the MutatingWebhookConfiguration has already been updated with a new CA bundle.

This results in TLS verification errors because the CA bundle injected into the webhook configuration no longer matches the CA that signed the certificate currently loaded by the running webhook process.

Although the window is small is solution like stakater/reloader is used, it can cause intermittent request failures and is difficult to fully eliminate in highly automated environments.

Describe the solution you'd like

Add optional support for long-lived CA certificates when cert-manager is enabled for webhook certificate management.

Default behaviour if only cert-manager is enabled:

   Issuer: {{ fullname }}
     ↓ issues
   Certificate: {{ fullname }}
     ↓ stored in
   Secret: {{ fullname }}-tls-managed

new behaviour if long lived CA is enabled:

   Issuer: {{ fullname }}-selfsigned
     ↓ issues
   Certificate: {{ fullname }}-ca
     ↓ stored in
   Secret: {{ fullname }}-ca-tls
     ↓ used by
   Issuer: {{ fullname }}-ca
     ↓ issues
   Certificate: {{ fullname }}
     ↓ stored in
   Secret: {{ fullname }}-tls-managed

Example values.yaml configuration:

webhook:
  certManager:
    enabled: false
    ...
    longLivedCa:
      # -- Whether to use a long-lived CA certificate
      enabled: false
      # -- Duration of the CA certificate (default: 87600h = 10 years)
      duration: "87600h0m0s"
      # -- Renewal time for CA certificate (default: 720h = 1 month before expiry)
      renewBefore: "720h0m0s"

Expected behavior:

• Feature is disabled by default
• Fully backwards compatible with existing certificate creation options
• When enabled:
  • A long-lived CA certificate is created and managed by cert-manager
  • Leaf certificates can still be rotated normally
  • The CA bundle injected into webhook configurations remains stable across leaf rotations

This allows both to remain valid at the same time, eliminating the CA mismatch window:

• the old, already-loaded certificate
• the newly issued certificate

Describe alternatives you've considered

• Increasing certificate durations globally — not always desirable and may conflict with security policies
• Forcing aggressive webhook restarts — unreliable and operationally complex
• Accepting transient webhook failures — not ideal for production clusters

None of these approaches fully solve the CA bundle mismatch issue as cleanly as a long-lived CA option.

Additional context
This pattern is used successfully in other webhook-based projects to avoid downtime during certificate rotation.
Providing first-class support for a long-lived CA would improve reliability in production environments while keeping secure defaults intact.

PR is on the way (but can only be done after #26 / #25 in full as secret annotations will be needed there as well), will add comment once added: #28

[isindir]

Please review this.