From 40cd0aa5a855678001046d2732e0e8536a521433 Mon Sep 17 00:00:00 2001 
From: Matt Spilchen Date: Thu, 20 Oct 2022 14:39:31 -0300 Subject: [PATCH 1/5] Allow webhook CA bundle to be taken from secret Previously, if you are providing your own certs for the webhook, the CA bundle had to be specified as a helm chart parameter. This made it harder to deploy the operator if the cert was generated through a helm chart too because you won't know what the cert is when you deploy your app. This change is to allow the CA cert to be read from the webhook.tlsSecret. If that secret has the key ca.crt, then it will be patched in the webhook config by the operator. The secret that contains the tlsSecret has to be provided to the operator now. An empty string implies the operator will generate the certificate internally. Support for deploying without the webhook had to be fixed as it was broken in the prior change that relaxed the cert-manager dependency. The default name of the tls secret when using cert-manager was updated to reflect the name chosen when installing with olm. Some e2e cleanup was added. The custom-cert-webhook had some logging testing that was moved to its own test. Then I created a copy of custom-cert-webhook for when the CA bundle is in the secret. 
--- Makefile | 2 - cmd/operator/main.go | 47 +++++--- config/default/manager_auth_proxy_patch.yaml | 1 + config/manager/manager.yaml | 2 + helm-charts/verticadb-operator/README.md | 4 +- .../verticadb-operator/templates/_helpers.tpl | 15 +++ helm-charts/verticadb-operator/values.yaml | 12 ++- scripts/template-helm-chart.sh | 12 ++- scripts/wait-for-webhook.sh | 100 ------------------ .../05-create-communal-creds.yaml} | 0 .../e2e-extra/disable-webhook/10-assert.yaml | 20 ++++ .../disable-webhook/10-deploy-operator.yaml | 17 +++ .../e2e-extra/disable-webhook/15-assert.yaml | 27 +++++ .../disable-webhook}/15-setup-vdb.yaml | 0 ...-apply-change-that-webhook-would-deny.yaml | 19 ++++ .../e2e-extra/disable-webhook/20-assert.yaml | 19 ++++ .../disable-webhook/90-errors.yaml} | 0 .../90-uninstall-operator.yaml} | 0 .../disable-webhook/95-assert.yaml} | 0 .../disable-webhook/95-delete-crd.yaml} | 0 .../disable-webhook/95-errors.yaml} | 0 .../disable-webhook}/99-delete-ns.yaml | 0 .../setup-vdb/base/kustomization.yaml | 0 .../setup-vdb/base/setup-vdb.yaml | 31 ++++++ .../05-assert.yaml | 0 .../05-create-cert.yaml | 0 .../07-create-creds.yaml | 18 ++++ .../10-assert.yaml | 0 .../10-deploy-operator.yaml | 0 .../10-errors.yaml | 0 .../15-setup-vdb.yaml | 17 +++ .../20-assert.yaml | 2 +- .../20-update-initpolicy.yaml | 2 +- .../25-assert.yaml | 2 +- .../25-update-dbname.yaml | 2 +- .../90-delete-cert.yaml | 0 .../95-errors.yaml | 18 ++++ .../95-uninstall-operator.yaml | 17 +++ .../97-assert.yaml | 19 ++++ .../97-delete-cr.yaml | 22 ++++ .../97-errors.yaml | 24 +++++ .../99-delete-ns.yaml | 17 +++ .../README.txt | 0 .../cert.yaml | 0 .../setup-vdb/base/kustomization.yaml | 15 +++ .../setup-vdb/base/setup-vdb.yaml | 32 ++++++ .../05-assert.yaml | 17 +++ .../05-create-cert.yaml | 17 +++ .../10-create-creds.yaml | 18 ++++ .../15-assert.yaml | 27 +++++ .../15-deploy-operator.yaml | 17 +++ .../15-errors.yaml | 30 ++++++ .../20-setup-vdb.yaml | 17 +++ .../25-assert.yaml | 19 ++++ 
.../25-update-initpolicy.yaml | 18 ++++ .../30-assert.yaml | 19 ++++ .../30-update-dbname.yaml | 18 ++++ .../90-delete-cert.yaml | 20 ++++ .../95-errors.yaml | 18 ++++ .../95-uninstall-operator.yaml | 17 +++ .../97-assert.yaml | 19 ++++ .../97-delete-cr.yaml | 22 ++++ .../97-errors.yaml | 24 +++++ .../99-delete-ns.yaml | 17 +++ .../README.txt | 4 + .../cert.yaml | 34 ++++++ .../setup-vdb/base/kustomization.yaml | 15 +++ .../setup-vdb/base/setup-vdb.yaml | 32 ++++++ .../05-create-creds.yaml | 18 ++++ .../custom-operator-log-path/10-assert.yaml | 20 ++++ .../10-deploy-operator.yaml | 17 +++ .../15-add-patch.yaml} | 0 .../15-assert.yaml} | 0 .../20-check-log-file.yaml} | 0 .../custom-operator-log-path/95-errors.yaml | 18 ++++ .../95-uninstall-operator.yaml | 17 +++ .../custom-operator-log-path/97-assert.yaml | 19 ++++ .../97-delete-cr.yaml | 22 ++++ .../custom-operator-log-path/97-errors.yaml | 24 +++++ .../99-delete-ns.yaml | 17 +++ .../setup-vdb/base/kustomization.yaml | 15 +++ .../setup-vdb/base/setup-vdb.yaml | 2 +- .../test-logging-patch.yaml | 0 83 files changed, 1035 insertions(+), 128 deletions(-) delete mode 100755 scripts/wait-for-webhook.sh rename tests/{e2e/custom-cert-webhook/07-create-creds.yaml => e2e-extra/disable-webhook/05-create-communal-creds.yaml} (100%) create mode 100644 tests/e2e-extra/disable-webhook/10-assert.yaml create mode 100644 tests/e2e-extra/disable-webhook/10-deploy-operator.yaml create mode 100644 tests/e2e-extra/disable-webhook/15-assert.yaml rename tests/{e2e/custom-cert-webhook => e2e-extra/disable-webhook}/15-setup-vdb.yaml (100%) create mode 100644 tests/e2e-extra/disable-webhook/20-apply-change-that-webhook-would-deny.yaml create mode 100644 tests/e2e-extra/disable-webhook/20-assert.yaml rename tests/{e2e/custom-cert-webhook/95-errors.yaml => e2e-extra/disable-webhook/90-errors.yaml} (100%) rename tests/{e2e/custom-cert-webhook/95-uninstall-operator.yaml => e2e-extra/disable-webhook/90-uninstall-operator.yaml} (100%) rename 
tests/{e2e/custom-cert-webhook/97-assert.yaml => e2e-extra/disable-webhook/95-assert.yaml} (100%) rename tests/{e2e/custom-cert-webhook/97-delete-cr.yaml => e2e-extra/disable-webhook/95-delete-crd.yaml} (100%) rename tests/{e2e/custom-cert-webhook/97-errors.yaml => e2e-extra/disable-webhook/95-errors.yaml} (100%) rename tests/{e2e/custom-cert-webhook => e2e-extra/disable-webhook}/99-delete-ns.yaml (100%) rename tests/{e2e/custom-cert-webhook => e2e-extra/disable-webhook}/setup-vdb/base/kustomization.yaml (100%) create mode 100644 tests/e2e-extra/disable-webhook/setup-vdb/base/setup-vdb.yaml rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/05-assert.yaml (100%) rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/05-create-cert.yaml (100%) create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/07-create-creds.yaml rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/10-assert.yaml (100%) rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/10-deploy-operator.yaml (100%) rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/10-errors.yaml (100%) create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/15-setup-vdb.yaml rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/20-assert.yaml (93%) rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/20-update-initpolicy.yaml (88%) rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/25-assert.yaml (93%) rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/25-update-dbname.yaml (88%) rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/90-delete-cert.yaml (100%) create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/95-errors.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/95-uninstall-operator.yaml create mode 
100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/97-assert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/97-delete-cr.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/97-errors.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/99-delete-ns.yaml rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/README.txt (100%) rename tests/e2e/{custom-cert-webhook => custom-cert-webhook-cabundle-as-parm}/cert.yaml (100%) create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/setup-vdb/base/kustomization.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-as-parm/setup-vdb/base/setup-vdb.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/05-assert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/05-create-cert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/10-create-creds.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/15-assert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/15-deploy-operator.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/15-errors.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/20-setup-vdb.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/25-assert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/25-update-initpolicy.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/30-assert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/30-update-dbname.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/90-delete-cert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/95-errors.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/95-uninstall-operator.yaml create mode 100644 
tests/e2e/custom-cert-webhook-cabundle-in-secret/97-assert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/97-delete-cr.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/97-errors.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/99-delete-ns.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/README.txt create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/cert.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/setup-vdb/base/kustomization.yaml create mode 100644 tests/e2e/custom-cert-webhook-cabundle-in-secret/setup-vdb/base/setup-vdb.yaml create mode 100644 tests/e2e/custom-operator-log-path/05-create-creds.yaml create mode 100644 tests/e2e/custom-operator-log-path/10-assert.yaml create mode 100644 tests/e2e/custom-operator-log-path/10-deploy-operator.yaml rename tests/e2e/{custom-cert-webhook/11-add-patch.yaml => custom-operator-log-path/15-add-patch.yaml} (100%) rename tests/e2e/{custom-cert-webhook/11-assert.yaml => custom-operator-log-path/15-assert.yaml} (100%) rename tests/e2e/{custom-cert-webhook/12-check-log-file.yaml => custom-operator-log-path/20-check-log-file.yaml} (100%) create mode 100644 tests/e2e/custom-operator-log-path/95-errors.yaml create mode 100644 tests/e2e/custom-operator-log-path/95-uninstall-operator.yaml create mode 100644 tests/e2e/custom-operator-log-path/97-assert.yaml create mode 100644 tests/e2e/custom-operator-log-path/97-delete-cr.yaml create mode 100644 tests/e2e/custom-operator-log-path/97-errors.yaml create mode 100644 tests/e2e/custom-operator-log-path/99-delete-ns.yaml create mode 100644 tests/e2e/custom-operator-log-path/setup-vdb/base/kustomization.yaml rename tests/e2e/{custom-cert-webhook => custom-operator-log-path}/setup-vdb/base/setup-vdb.yaml (96%) rename tests/e2e/{custom-cert-webhook => custom-operator-log-path}/test-logging-patch.yaml (100%) 
diff --git a/Makefile b/Makefile index 6632ab0b1..b41fcedb0 100644 --- a/Makefile +++ b/Makefile @@ -404,10 +404,8 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified deploy-operator: manifests kustomize ## Using helm or olm, deploy the operator in the K8s cluster ifeq ($(DEPLOY_WITH), helm) helm install --wait -n $(NAMESPACE) $(HELM_RELEASE_NAME) $(OPERATOR_CHART) --set image.repo=null --set image.name=${OPERATOR_IMG} --set logging.dev=${DEV_MODE} --set image.pullPolicy=$(HELM_IMAGE_PULL_POLICY) --set imagePullSecrets[0].name=priv-reg-cred $(HELM_OVERRIDES) - scripts/wait-for-webhook.sh -n $(NAMESPACE) -t 60 else ifeq ($(DEPLOY_WITH), olm) scripts/deploy-olm.sh -n $(NAMESPACE) $(OLM_TEST_CATALOG_SOURCE) - scripts/wait-for-webhook.sh -n $(NAMESPACE) -t 60 else ifeq ($(DEPLOY_WITH), random) ifeq ($(shell (( $$RANDOM % 2 )); echo $$?),0) DEPLOY_WITH=helm $(MAKE) deploy-operator diff --git a/cmd/operator/main.go b/cmd/operator/main.go index 20d60ffa6..d435603b4 100644 --- a/cmd/operator/main.go +++ b/cmd/operator/main.go @@ -16,6 +16,7 @@ package main import ( + "context" "flag" "fmt" "log" @@ -73,7 +74,7 @@ type FlagConfig struct { EnableProfiler bool ServiceAccountName string PrefixName string // Prefix of the name of all objects created when the operator was deployed - GenerateWebhookCert bool // true if the operator needs to generate the webhook cert + WebhookCertSecret string // when this is empty we will generate the webhook cert LogArgs *Logging } 
@@ -124,8 +125,9 @@ func (fc *FlagConfig) setFlagArgs() { "The name of the serviceAccount to use.") flag.StringVar(&fc.PrefixName, "prefix-name", "verticadb-operator", "The common prefix for all objects created during the operator deployment") - flag.BoolVar(&fc.GenerateWebhookCert, "generate-webhook-cert", false, - "The operator will generate the cert to be used for the webhook") + flag.StringVar(&fc.WebhookCertSecret, "webhook-cert-secret", "", + "Specifies the secret that contains the webhook cert. If this option is omitted, "+ + "then the operator will generate the certificate.") fc.LogArgs = &Logging{} fc.LogArgs.setLoggingFlagArgs() } @@ -153,6 +155,8 @@ func getIsWebhookEnabled() bool { return DefaultEnabled } enabled, err := strconv.ParseBool(enableWebhook) + setupLog.Info(fmt.Sprintf("Parsed %s env var", enableWebhook), + "value", enableWebhook, "enabled", enabled, "err", err) if err != nil { return DefaultEnabled } @@ -284,6 +288,31 @@ func addWebhooksToManager(mgr manager.Manager) { } } +// setupWebhook will setup the webhook in the manager if enabled +func setupWebhook(ctx context.Context, mgr manager.Manager, restCfg *rest.Config, flagArgs *FlagConfig) error { + if getIsWebhookEnabled() { + watchNamespace, err := getWatchNamespace() + if err != nil { + // We cannot setup webhooks if we are watching multiple namespaces + // because the webhook config uses a namespaceSelector. + setupLog.Info("Disabling webhook since we are not watching a single namespace") + return nil + } + if flagArgs.WebhookCertSecret == "" { + if err := security.GenerateWebhookCert(ctx, &setupLog, restCfg, CertDir, flagArgs.PrefixName, watchNamespace); err != nil { + return err + } + } else { + if err := security.PatchWebhookCABundleFromSecret(ctx, &setupLog, restCfg, flagArgs.WebhookCertSecret, + flagArgs.PrefixName, watchNamespace); err != nil { + return err + } + } + addWebhooksToManager(mgr) + } + return nil +} + func main() { flagArgs := &FlagConfig{} flagArgs.setFlagArgs() 
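Review bot: The added log call in getIsWebhookEnabled formats the variable's value into the message, `fmt.Sprintf("Parsed %s env var", enableWebhook)`, so it reads "Parsed true env var" and the message text changes with the input. The value is already carried in the key/value pairs, so a constant message is enough, e.g. `setupLog.Info("Parsed webhook enable env var", "value", enableWebhook, "enabled", enabled, "err", err)`. getIsWebhookEnabled starts and ends outside the hunk.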
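Review bot: In setupWebhook every error from getWatchNamespace() is treated as "not watching a single namespace": the function logs at Info without the error and returns nil, so admission validation is turned off with no record of the actual cause. Put the error in the log line, `setupLog.Info("Disabling webhook since we are not watching a single namespace", "err", err)`, and consider returning it when the failure is something other than the multi-namespace case (whether getWatchNamespace distinguishes the two is not visible in this hunk). The doc comment could also state that an empty WebhookCertSecret makes the operator generate the cert, and that a non-empty one only patches the CA bundle from that secret.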
@@ -329,17 +358,9 @@ func main() { os.Exit(1) } - ctx := ctrl.SetupSignalHandler() addReconcilersToManager(mgr, restCfg, flagArgs) - if getIsWebhookEnabled() { - if flagArgs.GenerateWebhookCert { - if err := security.GenerateWebhookCert(ctx, &setupLog, restCfg, CertDir, flagArgs.PrefixName, watchNamespace); err != nil { - setupLog.Error(err, "generating webhook cert") - os.Exit(1) - } - } - addWebhooksToManager(mgr) - } + ctx := ctrl.SetupSignalHandler() + setupWebhook(ctx, mgr, restCfg, flagArgs) if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index f2725a103..9ceb8767b 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -48,3 +48,4 @@ spec: - "--level=info" - "--dev=false" - "--prefix-name=verticadb-operator" + - "--webhook-cert-secret=verticadb-operator-controller-manager-service-cert" diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 40ae30fea..48a2ca8c0 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -52,6 +52,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: ENABLE_WEBHOOKS + value: true serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 volumes: diff --git a/helm-charts/verticadb-operator/README.md b/helm-charts/verticadb-operator/README.md index cbaab7c80..d39594c7a 100644 --- a/helm-charts/verticadb-operator/README.md +++ b/helm-charts/verticadb-operator/README.md 
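Review bot: The call `setupWebhook(ctx, mgr, restCfg, flagArgs)` in main() discards the returned error, so a failure in security.GenerateWebhookCert or security.PatchWebhookCABundleFromSecret no longer stops the operator the way the removed code did with os.Exit(1). The manager would then start without addWebhooksToManager having run and with nothing in the log to explain it. Check the result, for example `if err := setupWebhook(ctx, mgr, restCfg, flagArgs); err != nil { setupLog.Error(err, "unable to set up webhook"); os.Exit(1) }`. main() begins and ends outside this hunk.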
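Review bot: In config/manager/manager.yaml, `value: true` for ENABLE_WEBHOOKS is an unquoted YAML boolean, while a container env entry's value is a string field, so this manifest is likely to be rejected when it is applied without the helm templating step (scripts/template-helm-chart.sh in this patch rewrites the line with `quote`). Quote it at the source as well: `value: "true"`. The container spec this entry belongs to continues outside the hunk.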
@@ -9,9 +9,9 @@ This helm chart will install the operator and an admission controller webhook. | rbac_proxy_image.name | Image name of Kubernetes RBAC proxy. | kubebuilder/kube-rbac-proxy:v0.13.0 | | rbac_proxy_image.repo | Repo server hosting rbac_proxy_image.name | gcr.io | | imagePullSecrets | List of Secret names containing login credentials for above repos | null (pull images anonymously) | -| webhook.caBundle | A PEM encoded CA bundle that will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used. | | +| webhook.caBundle | A PEM encoded CA bundle that will be used to validate the webhook's server certificate. This option is deprecated in favour of providing the CA bundle in the webhook.tlsSecret with the ca.crt key. This option will be removed in a future release.| | | webhook.certSource | The webhook requires a TLS certificate to work. This parm defines how the cert is supplied. Valid values are:

- **internal**: The certs are generated internally by the operator prior to starting the managing controller. The generated cert is self-signed. When it expires, the operator pod will need to be restarted in order to generate a new certificate. This is the default.

- **cert-manager**: The certs are generated using the cert-manager operator. This operator needs to be deployed before deploying the operator. Deployment of this chart will create a self-signed cert through cert-manager. The advantage of this over 'internal' is that cert-manager will automatically handle private key rotation when the certificate is about to expire.

- **secret**: The certs are created prior to installation of this chart and are provided to the operator through a secret. This option gives you the most flexibility as it is entirely up to you how the cert is created. This option requires the webhook.tlsSecret option to be set. For backwards compatibility, if webhook.tlsSecret is set, it is implicit that this mode is selected. | internal | -| webhook.tlsSecret | The webhook requires a TLS certficate to work. By default we create a cert internally. If you want full control over the cert that is created you can use this parameter to provide it. When set, it is a name of a secret in the same namespace the chart is being installed in. The secret must have the keys: tls.key and tls.crt. | | +| webhook.tlsSecret | The webhook requires a TLS certficate to work. By default we create a cert internally. If you want full control over the cert that is created you can use this parameter to provide it. When set, it is a name of a secret in the same namespace the chart is being installed in. The secret must have the keys: tls.key and tls.crt. It can also include the key ca.crt. When that key is included the operator will patch it in the CA bundle in the webhook configuration.| | | webhook.enable | If true, the webhook will be enabled and its configuration is setup by the helm chart. Setting this to false will disable the webhook. The webhook setup needs privileges to add validatingwebhookconfiguration and mutatingwebhookconfiguration, both are cluster scoped. If you do not have necessary privileges to add these configurations, then this option can be used to skip that and still deploy the operator. | true | | logging.filePath | The path to the log file. If omitted, all logging will be written to stdout. | | | logging.maxFileSize | The maximum size, in MB, of the logging file before log rotation occurs. This is only applicable if logging to a file. | 500 | 
diff --git a/helm-charts/verticadb-operator/templates/_helpers.tpl b/helm-charts/verticadb-operator/templates/_helpers.tpl index f3588d5ba..207360c8e 100644 --- a/helm-charts/verticadb-operator/templates/_helpers.tpl +++ b/helm-charts/verticadb-operator/templates/_helpers.tpl @@ -26,3 +26,18 @@ Choose the webhook certificate source {{- .Values.webhook.certSource }} {{- end }} {{- end }} + +{{/* +Choose the secret that contains the webhook certificate. +This can be blank if the operator does not get the webhook from a secret (i.e. +it is generated internally) +*/}} +{{- define "vdb-op.certSecret" -}} +{{- if not (empty .Values.webhook.tlsSecret) }} +{{- .Values.webhook.tlsSecret }} +{{- else if eq .Values.webhook.certSource "internal" }} +{{- "" }} +{{- else }} +{{- include "vdb-op.name" . }}-controller-manager-service-cert +{{- end }} +{{- end }} \ No newline at end of file diff --git a/helm-charts/verticadb-operator/values.yaml b/helm-charts/verticadb-operator/values.yaml index 134e51edf..e31f0d8ac 100644 --- a/helm-charts/verticadb-operator/values.yaml +++ b/helm-charts/verticadb-operator/values.yaml 
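Review bot: The `vdb-op.certSecret` helper falls through to the `-controller-manager-service-cert` default whenever webhook.tlsSecret is empty and certSource is not `internal`, which includes `certSource: secret`; the README in this patch says that mode requires webhook.tlsSecret. In that case the deployment volume and the `--webhook-cert-secret` argument would presumably name a secret that was never created, and the mistake only shows up when the pod starts. Consider failing the render instead with an extra branch, `{{- else if eq .Values.webhook.certSource "secret" }}` followed by `{{- fail "webhook.tlsSecret must be set when webhook.certSource is secret" }}`. The file also now ends without a trailing newline.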
@@ -59,14 +59,20 @@ webhook: certSource: internal # Use this parameter if you want to provide your own cert. tlsSecret is a # name of a secret in the same namespace the chart is being installed in. - # The secret must have the keys: tls.key and tls.crt. + # The secret must have the keys: tls.key and tls.crt. It can also include the + # key ca.crt. When that key is included the operator will patch it into the CA + # bundle in the webhook configuration. # # For backwards compatibility, if this is set, then 'certSource = secret' is # implied. tlsSecret: "" # caBundle is a PEM encoded CA bundle that will be used to validate the - # webhook's server certificate. If unspecified, system trust roots on the - # apiserver are used. Use this when providing your own cert. + # webhook's server certificate. + # + # This is another way to provide the CA bundle to be patched with in the + # webhook configuration. This approach is deprecated in favour of providing + # the CA bundle in the tlsSecret with the ca.crt key. This option will be + # removed in a future release. caBundle: "" # If true, the webhook will be enabled and its configuration is setup by the helm chart. # Setting this to false will disable the webhook. The webhook setup needs privileges to add diff --git a/scripts/template-helm-chart.sh b/scripts/template-helm-chart.sh index c78691ebd..55442d2c8 100755 --- a/scripts/template-helm-chart.sh +++ b/scripts/template-helm-chart.sh 
@@ -53,14 +53,20 @@ cat >>$TEMPLATE_DIR/verticadb-operator-controller-manager-deployment.yaml << END {{ end }} END # 5. Template the tls secret name -sed -i 's/secretName: webhook-server-cert/secretName: {{ default "webhook-server-cert" .Values.webhook.tlsSecret }}/' $TEMPLATE_DIR/verticadb-operator-controller-manager-deployment.yaml +for fn in verticadb-operator-controller-manager-deployment.yaml \ + verticadb-operator-serving-cert-certificate.yaml +do + sed -i 's/secretName: webhook-server-cert/secretName: {{ include "vdb-op.certSecret" . }}/' $TEMPLATE_DIR/$fn +done for fn in $TEMPLATE_DIR/verticadb-operator-controller-manager-deployment.yaml do # Include the secret only if not using webhook.certSource=internal perl -i -0777 -pe 's/(.*- name: cert\n.*secret:\n.*defaultMode:.*\n.*secretName:.*)/\{\{- if or (ne .Values.webhook.certSource "internal") (not (empty .Values.webhook.tlsSecret)) \}\}\n$1\n\{\{- end \}\}/g' $fn perl -i -0777 -pe 's/(.*- mountPath: .*\n.*name: cert\n.*readOnly:.*)/\{\{- if or (ne .Values.webhook.certSource "internal") (not (empty .Values.webhook.tlsSecret)) \}\}\n$1\n\{\{- end \}\}/g' $fn - # Add the --generate-webhook-cert option when cert generation is internal - perl -i -0777 -pe 's/(.*- --prefix-name=.*)/$1\n\{\{- if and (eq .Values.webhook.certSource "internal") (empty .Values.webhook.tlsSecret) \}\}\n - --generate-webhook-cert\n\{\{- end \}\}/g' $fn + # Update the --webhook-cert-secret option to include the actual name of the secret + perl -i -0777 -pe 's/(- --webhook-cert-secret=)(.*)/$1\{\{ include "vdb-op.certSecret" . \}\}/g' $fn + # Set ENABLE_WEBHOOK according to webhook.enable value + perl -i -0777 -pe 's/(name: ENABLE_WEBHOOKS\n.*value:) .*/$1 {{ quote .Values.webhook.enable }}/g' $fn done for fn in verticadb-operator-selfsigned-issuer-issuer.yaml \ verticadb-operator-serving-cert-certificate.yaml diff --git a/scripts/wait-for-webhook.sh b/scripts/wait-for-webhook.sh deleted file mode 100755 index fbfe0f492..000000000 
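Review bot: The new sed and perl substitutions do nothing when their pattern fails to match, so a change to the `secretName: webhook-server-cert` or `--webhook-cert-secret=` text in the generated manifests would leave a hard-coded secret name in the chart without any error. A check after the loop, such as `grep -q 'vdb-op.certSecret' "$TEMPLATE_DIR/verticadb-operator-controller-manager-deployment.yaml" || exit 1`, would catch that. The added comment says `ENABLE_WEBHOOK` while the variable is `ENABLE_WEBHOOKS`, and `$TEMPLATE_DIR/$fn` in the sed line should be quoted. The script continues outside the hunk.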
--- a/scripts/wait-for-webhook.sh
+++ /dev/null
@@ -1,100 +0,0 @@ -#!/bin/bash - -# (c) Copyright [2021-2022] Micro Focus or one of its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# A script that will wait for the webhook to be fully setup. There is a small -# timing window where the pod with the webhook is up and ready, but the webhook -# is not yet able to accept connections. See this issue for more details: -# https://github.com/vertica/vertica-kubernetes/issues/30 - -SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" -REPO_DIR=$(dirname $SCRIPT_DIR) -TIMEOUT=30 - -function usage() { - echo "usage: $(basename $0) [-n ] [-t ]" - echo - echo "Options:" - echo " -n Check the webhook in this namespace." - echo " -t Specify the timeout in seconds [defaults: $TIMEOUT]" - exit 1 -} - -while getopts "n:t:h" opt -do - case $opt in - n) - NAMESPACE_OPT="-n $OPTARG" - ;; - t) - TIMEOUT=$OPTARG - ;; - h) - usage - ;; - \?) - echo "ERROR: unrecognized option: -$opt" - usage - ;; - esac -done - -# First ensure the service object for the webhook exists. -trap "echo 'Failed waiting for webhook service object to exist'" 0 2 3 15 -set -o errexit -timeout $TIMEOUT bash -c -- "\ - while ! kubectl get $NAMESPACE_OPT svc --no-headers --selector vertica.com/svc-type=webhook 2> /dev/null | grep -cq 'service'; \ - do \ - sleep 0.1; \ - done" -set +o errexit -trap 1> /dev/null - -# Next, to validate the webhook exists, we will continually create/delete a -# VerticaDB. 
If it succeeds, then we assume the webhook is up and running. -# This depends on the webhook config having the 'failurePolicy: Fail' set. - -SELECTOR_KEY=vertica.com/use -SELECTOR_VAL=wait-for-webhook -SELECTOR=$SELECTOR_KEY=$SELECTOR_VAL - -MANIFEST=$(mktemp) - -cat < $MANIFEST -apiVersion: vertica.com/v1beta1 -kind: VerticaDB -metadata: - generateName: wait-for-webhook- - labels: - $SELECTOR_KEY: $SELECTOR_VAL -spec: - image: "vertica/vertica-k8s:latest" - initPolicy: ScheduleOnly - subclusters: - - name: sc1 - size: 1 -EOF - -# Delete old manifests, but likely won't be there so eat the error. -kubectl delete $NAMESPACE_OPT vdb -l $SELECTOR 2> /dev/null 1> /dev/null || : - -trap "kubectl delete $NAMESPACE_OPT vdb -l $SELECTOR; rm $MANIFEST" 0 2 3 15 # Ensure deletion on script exit" - -timeout $TIMEOUT bash -c -- "\ - while ! kubectl create $NAMESPACE_OPT -f $MANIFEST 2> /dev/null; \ - do \ - sleep 0.1; \ - done" & -pid=$! -wait $pid diff --git a/tests/e2e/custom-cert-webhook/07-create-creds.yaml b/tests/e2e-extra/disable-webhook/05-create-communal-creds.yaml similarity index 100% rename from tests/e2e/custom-cert-webhook/07-create-creds.yaml rename to tests/e2e-extra/disable-webhook/05-create-communal-creds.yaml diff --git a/tests/e2e-extra/disable-webhook/10-assert.yaml b/tests/e2e-extra/disable-webhook/10-assert.yaml new file mode 100644 index 000000000..fc6dfbf1c --- /dev/null +++ b/tests/e2e-extra/disable-webhook/10-assert.yaml 
@@ -0,0 +1,20 @@ +# (c) Copyright [2021-2022] Micro Focus or one of its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Pod +metadata: + labels: + control-plane: controller-manager +status: + phase: Running diff --git a/tests/e2e-extra/disable-webhook/10-deploy-operator.yaml b/tests/e2e-extra/disable-webhook/10-deploy-operator.yaml new file mode 100644 index 000000000..923d90096 --- /dev/null +++ b/tests/e2e-extra/disable-webhook/10-deploy-operator.yaml @@ -0,0 +1,17 @@ +# (c) Copyright [2021-2022] Micro Focus or one of its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: sh -c "cd ../../.. && DEPLOY_WITH=helm HELM_OVERRIDES='--set webhook.enable=false' make deploy-operator NAMESPACE=$NAMESPACE" diff --git a/tests/e2e-extra/disable-webhook/15-assert.yaml b/tests/e2e-extra/disable-webhook/15-assert.yaml new file mode 100644 index 000000000..2b6b1248e 
--- /dev/null +++ b/tests/e2e-extra/disable-webhook/15-assert.yaml @@ -0,0 +1,27 @@ +# (c) Copyright [2021-2022] Micro Focus or one of its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: v-disable-webhook-main +--- +apiVersion: vertica.com/v1beta1 +kind: VerticaDB +metadata: + name: v-disable-webhook +spec: + kSafety: "0" +status: + subclusters: + - installCount: 1 diff --git a/tests/e2e/custom-cert-webhook/15-setup-vdb.yaml b/tests/e2e-extra/disable-webhook/15-setup-vdb.yaml similarity index 100% rename from tests/e2e/custom-cert-webhook/15-setup-vdb.yaml rename to tests/e2e-extra/disable-webhook/15-setup-vdb.yaml diff --git a/tests/e2e-extra/disable-webhook/20-apply-change-that-webhook-would-deny.yaml b/tests/e2e-extra/disable-webhook/20-apply-change-that-webhook-would-deny.yaml new file mode 100644 index 000000000..a476a6b8c --- /dev/null +++ b/tests/e2e-extra/disable-webhook/20-apply-change-that-webhook-would-deny.yaml 
@@ -0,0 +1,19 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
+metadata:
+ name: v-disable-webhook
+spec:
+ kSafety: "1"
diff --git a/tests/e2e-extra/disable-webhook/20-assert.yaml b/tests/e2e-extra/disable-webhook/20-assert.yaml
new file mode 100644
index 000000000..a476a6b8c
--- /dev/null
+++ b/tests/e2e-extra/disable-webhook/20-assert.yaml
@@ -0,0 +1,19 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
+metadata:
+ name: v-disable-webhook
+spec:
+ kSafety: "1"
diff --git a/tests/e2e/custom-cert-webhook/95-errors.yaml b/tests/e2e-extra/disable-webhook/90-errors.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/95-errors.yaml
rename to tests/e2e-extra/disable-webhook/90-errors.yaml
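Review bot: The assertion in 20-assert.yaml only shows that the API server accepted `kSafety: "1"`; it does not show that no webhook was installed, and it would presumably also pass if a webhook configuration were still registered but not enforcing. Because the commit description says deploying without the webhook was broken before, an errors file for step 10 that lists the operator's webhook configuration objects (kind `ValidatingWebhookConfiguration`, and the mutating one if the chart installs it) would make the test fail when either is created with `webhook.enable=false`. 20-apply-change-that-webhook-would-deny.yaml would also read better with a comment naming the rule being broken, for example `# kSafety is changed from "0" to "1"; the webhook is expected to reject this update`.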
diff --git a/tests/e2e/custom-cert-webhook/95-uninstall-operator.yaml b/tests/e2e-extra/disable-webhook/90-uninstall-operator.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/95-uninstall-operator.yaml
rename to tests/e2e-extra/disable-webhook/90-uninstall-operator.yaml
diff --git a/tests/e2e/custom-cert-webhook/97-assert.yaml b/tests/e2e-extra/disable-webhook/95-assert.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/97-assert.yaml
rename to tests/e2e-extra/disable-webhook/95-assert.yaml
diff --git a/tests/e2e/custom-cert-webhook/97-delete-cr.yaml b/tests/e2e-extra/disable-webhook/95-delete-crd.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/97-delete-cr.yaml
rename to tests/e2e-extra/disable-webhook/95-delete-crd.yaml
diff --git a/tests/e2e/custom-cert-webhook/97-errors.yaml b/tests/e2e-extra/disable-webhook/95-errors.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/97-errors.yaml
rename to tests/e2e-extra/disable-webhook/95-errors.yaml
diff --git a/tests/e2e/custom-cert-webhook/99-delete-ns.yaml b/tests/e2e-extra/disable-webhook/99-delete-ns.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/99-delete-ns.yaml
rename to tests/e2e-extra/disable-webhook/99-delete-ns.yaml
diff --git a/tests/e2e/custom-cert-webhook/setup-vdb/base/kustomization.yaml b/tests/e2e-extra/disable-webhook/setup-vdb/base/kustomization.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/setup-vdb/base/kustomization.yaml
rename to tests/e2e-extra/disable-webhook/setup-vdb/base/kustomization.yaml
diff --git a/tests/e2e-extra/disable-webhook/setup-vdb/base/setup-vdb.yaml b/tests/e2e-extra/disable-webhook/setup-vdb/base/setup-vdb.yaml
new file mode 100644
index 000000000..ad2eff716
--- /dev/null
+++ b/tests/e2e-extra/disable-webhook/setup-vdb/base/setup-vdb.yaml
@@ -0,0 +1,31 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
+metadata:
+ name: v-disable-webhook
+spec:
+ image: kustomize-vertica-image
+ communal:
+ includeUIDInPath: true
+ local:
+ requestSize: 100Mi
+ subclusters:
+ - name: main
+ size: 1
+ kSafety: "0"
+ certSecrets: []
+ imagePullSecrets: []
+ volumes: []
+ volumeMounts: []
diff --git a/tests/e2e/custom-cert-webhook/05-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/05-assert.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/05-assert.yaml
rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/05-assert.yaml
diff --git a/tests/e2e/custom-cert-webhook/05-create-cert.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/05-create-cert.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/05-create-cert.yaml
rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/05-create-cert.yaml
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/07-create-creds.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/07-create-creds.yaml
new file mode 100644
index 000000000..42005d8c6
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/07-create-creds.yaml
@@ -0,0 +1,18 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: kustomize build ../../manifests/communal-creds/overlay | kubectl apply -f - --namespace $NAMESPACE
+ - script: kustomize build ../../manifests/priv-container-creds/overlay | kubectl apply -f - --namespace $NAMESPACE
diff --git a/tests/e2e/custom-cert-webhook/10-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/10-assert.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/10-assert.yaml
rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/10-assert.yaml
diff --git a/tests/e2e/custom-cert-webhook/10-deploy-operator.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/10-deploy-operator.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/10-deploy-operator.yaml
rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/10-deploy-operator.yaml
diff --git a/tests/e2e/custom-cert-webhook/10-errors.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/10-errors.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/10-errors.yaml
rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/10-errors.yaml
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/15-setup-vdb.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/15-setup-vdb.yaml
new file mode 100644
index 000000000..3e10786a3
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/15-setup-vdb.yaml @@ -0,0 +1,17 @@ +# (c) Copyright [2021-2022] Micro Focus or one of its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: bash -c "kustomize build setup-vdb/overlay | kubectl -n $NAMESPACE apply -f - " diff --git a/tests/e2e/custom-cert-webhook/20-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/20-assert.yaml similarity index 93% rename from tests/e2e/custom-cert-webhook/20-assert.yaml rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/20-assert.yaml index 9126c27cf..5aefeacdf 100644 --- a/tests/e2e/custom-cert-webhook/20-assert.yaml +++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/20-assert.yaml @@ -14,6 +14,6 @@ apiVersion: vertica.com/v1beta1 kind: VerticaDB metadata: - name: v-custom-cert-webhook + name: v-custom-cert-webhook-cabundle-as-parm spec: initPolicy: Create diff --git a/tests/e2e/custom-cert-webhook/20-update-initpolicy.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/20-update-initpolicy.yaml similarity index 88% rename from tests/e2e/custom-cert-webhook/20-update-initpolicy.yaml rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/20-update-initpolicy.yaml index 5f866f081..977f3fdef 100644 --- a/tests/e2e/custom-cert-webhook/20-update-initpolicy.yaml +++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/20-update-initpolicy.yaml 
@@ -14,5 +14,5 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: kubectl -n $NAMESPACE get verticadb v-custom-cert-webhook -o json | jq '.spec.initPolicy="Revive"' | kubectl -n $NAMESPACE replace -f - + - script: kubectl -n $NAMESPACE get verticadb v-custom-cert-webhook-cabundle-as-parm -o json | jq '.spec.initPolicy="Revive"' | kubectl -n $NAMESPACE replace -f - ignoreFailure: true diff --git a/tests/e2e/custom-cert-webhook/25-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/25-assert.yaml similarity index 93% rename from tests/e2e/custom-cert-webhook/25-assert.yaml rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/25-assert.yaml index 0394e47cc..98dc28810 100644 --- a/tests/e2e/custom-cert-webhook/25-assert.yaml +++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/25-assert.yaml @@ -14,6 +14,6 @@ apiVersion: vertica.com/v1beta1 kind: VerticaDB metadata: - name: v-custom-cert-webhook + name: v-custom-cert-webhook-cabundle-as-parm spec: dbName: vertdb diff --git a/tests/e2e/custom-cert-webhook/25-update-dbname.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/25-update-dbname.yaml similarity index 88% rename from tests/e2e/custom-cert-webhook/25-update-dbname.yaml rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/25-update-dbname.yaml index 69459f8e4..9321d1a4a 100644 --- a/tests/e2e/custom-cert-webhook/25-update-dbname.yaml +++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/25-update-dbname.yaml @@ -14,5 +14,5 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: kubectl -n $NAMESPACE get verticadb v-custom-cert-webhook -o json | jq '.spec.dbName="NewName"' | kubectl -n $NAMESPACE replace -f - + - script: kubectl -n $NAMESPACE get verticadb v-custom-cert-webhook-cabundle-as-parm -o json | jq '.spec.dbName="NewName"' | kubectl -n $NAMESPACE replace -f - ignoreFailure: true 
diff --git a/tests/e2e/custom-cert-webhook/90-delete-cert.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/90-delete-cert.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/90-delete-cert.yaml
rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/90-delete-cert.yaml
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/95-errors.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/95-errors.yaml
new file mode 100644
index 000000000..2d2e094b3
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/95-errors.yaml
@@ -0,0 +1,18 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ control-plane: controller-manager
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/95-uninstall-operator.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/95-uninstall-operator.yaml
new file mode 100644
index 000000000..674dcbecc
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/95-uninstall-operator.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: sh -c "cd ../../.. && make undeploy-operator NAMESPACE=$NAMESPACE"
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-assert.yaml
new file mode 100644
index 000000000..fe22a5139
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-assert.yaml
@@ -0,0 +1,19 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ name: clean-communal
+status:
+ phase: Succeeded
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-delete-cr.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-delete-cr.yaml
new file mode 100644
index 000000000..27b82bb6a
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-delete-cr.yaml
@@ -0,0 +1,22 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+ - apiVersion: vertica.com/v1beta1
+ kind: VerticaDB
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+commands:
+ - command: bash -c "kustomize build clean-communal/overlay | kubectl -n $NAMESPACE apply -f - "
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-errors.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-errors.yaml
new file mode 100644
index 000000000..415cba0a7
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/97-errors.yaml
@@ -0,0 +1,24 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: StatefulSet
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: verticadb-operator
+---
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/99-delete-ns.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/99-delete-ns.yaml
new file mode 100644
index 000000000..4cf81e196
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/99-delete-ns.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete ns $NAMESPACE
diff --git a/tests/e2e/custom-cert-webhook/README.txt b/tests/e2e/custom-cert-webhook-cabundle-as-parm/README.txt
similarity index 100%
rename from tests/e2e/custom-cert-webhook/README.txt
rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/README.txt
diff --git a/tests/e2e/custom-cert-webhook/cert.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/cert.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/cert.yaml
rename to tests/e2e/custom-cert-webhook-cabundle-as-parm/cert.yaml
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/setup-vdb/base/kustomization.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/setup-vdb/base/kustomization.yaml
new file mode 100644
index 000000000..01b927990
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/setup-vdb/base/kustomization.yaml
@@ -0,0 +1,15 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+ - setup-vdb.yaml
diff --git a/tests/e2e/custom-cert-webhook-cabundle-as-parm/setup-vdb/base/setup-vdb.yaml b/tests/e2e/custom-cert-webhook-cabundle-as-parm/setup-vdb/base/setup-vdb.yaml
new file mode 100644
index 000000000..d7bfe41d0
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-as-parm/setup-vdb/base/setup-vdb.yaml
@@ -0,0 +1,32 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
+metadata:
+ name: v-custom-cert-webhook-cabundle-as-parm
+spec:
+ image: kustomize-vertica-image
+ communal:
+ includeUIDInPath: false
+ local:
+ requestSize: 100Mi
+ dbName: vertdb
+ subclusters:
+ - name: sc1
+ size: 1
+ kSafety: "0"
+ certSecrets: []
+ imagePullSecrets: []
+ volumes: []
+ volumeMounts: []
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/05-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/05-assert.yaml
new file mode 100644
index 000000000..34c4e2d9f
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/05-assert.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: custom-cert
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/05-create-cert.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/05-create-cert.yaml
new file mode 100644
index 000000000..f52a27ff6
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/05-create-cert.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: sh -c "envsubst < cert.yaml | kubectl apply -n $NAMESPACE -f -"
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/10-create-creds.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/10-create-creds.yaml
new file mode 100644
index 000000000..42005d8c6
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/10-create-creds.yaml
@@ -0,0 +1,18 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: kustomize build ../../manifests/communal-creds/overlay | kubectl apply -f - --namespace $NAMESPACE
+ - script: kustomize build ../../manifests/priv-container-creds/overlay | kubectl apply -f - --namespace $NAMESPACE
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-assert.yaml
new file mode 100644
index 000000000..157f3f1dd
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-assert.yaml
@@ -0,0 +1,27 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ control-plane: controller-manager
+status:
+ phase: Running
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: verticadb-operator-manager-config
+data:
+ WEBHOOK_CERT_SOURCE: secret
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-deploy-operator.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-deploy-operator.yaml
new file mode 100644
index 000000000..7bcf399bc
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-deploy-operator.yaml
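Review bot: The ConfigMap assertion on `WEBHOOK_CERT_SOURCE: secret` in 15-assert.yaml checks what the chart rendered, not that the operator copied `ca.crt` from `custom-cert` into the webhook configuration, which is the behaviour the commit description introduces. A step that compares the two values would cover it, for example `- script: test "$(kubectl get validatingwebhookconfiguration <WEBHOOK_CONFIG_NAME> -o jsonpath='{.webhooks[0].clientConfig.caBundle}')" = "$(kubectl -n $NAMESPACE get secret custom-cert -o jsonpath='{.data.ca\.crt}')"`, where `<WEBHOOK_CONFIG_NAME>` is a placeholder for the name the chart uses. This assumes the secret produced from cert.yaml carries a `ca.crt` key; that file is not part of this hunk.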
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: cd ../../.. && make deploy-operator DEPLOY_WITH=helm NAMESPACE=$NAMESPACE HELM_OVERRIDES="--set webhook.tlsSecret=custom-cert"
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-errors.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-errors.yaml
new file mode 100644
index 000000000..c97de88c1
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/15-errors.yaml
@@ -0,0 +1,30 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# List of objects that should not be created since we used a custom cert when
+# we deployed the operator.
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: webhook-server-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: verticadb-operator-serving-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: verticadb-operator-selfsigned-issuer
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/20-setup-vdb.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/20-setup-vdb.yaml
new file mode 100644
index 000000000..3e10786a3
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/20-setup-vdb.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: bash -c "kustomize build setup-vdb/overlay | kubectl -n $NAMESPACE apply -f - "
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/25-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/25-assert.yaml
new file mode 100644
index 000000000..2af29c28a
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/25-assert.yaml
@@ -0,0 +1,19 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
+metadata:
+ name: v-custom-cert-webhook-cabundle-in-secret
+spec:
+ initPolicy: Create
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/25-update-initpolicy.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/25-update-initpolicy.yaml
new file mode 100644
index 000000000..7b5d5d744
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/25-update-initpolicy.yaml
@@ -0,0 +1,18 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: kubectl -n $NAMESPACE get verticadb v-custom-cert-webhook-cabundle-in-secret -o json | jq '.spec.initPolicy="Revive"' | kubectl -n $NAMESPACE replace -f -
+ ignoreFailure: true
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/30-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/30-assert.yaml
new file mode 100644
index 000000000..7c1cae6d4
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/30-assert.yaml
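Review bot: With `ignoreFailure: true` in 25-update-initpolicy.yaml, the step passes whether the `replace` was denied by the webhook, failed for another reason (`jq` missing, the `get` failing, the API server unable to reach or trust the webhook), or never reached the API server, and 25-assert.yaml then passes because `initPolicy` is still `Create`. The test therefore does not show that a webhook serving the certificate from the secret made the decision; a wrong CA bundle could plausibly produce the same outcome if the webhook fails closed. Ending the pipeline with `2>&1 | grep -q 'denied the request'` and dropping `ignoreFailure: true` would make the step succeed only on an admission denial. The same applies to 30-update-dbname.yaml and to the renamed 20-update-initpolicy.yaml and 25-update-dbname.yaml under custom-cert-webhook-cabundle-as-parm.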
@@ -0,0 +1,19 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
+metadata:
+ name: v-custom-cert-webhook-cabundle-in-secret
+spec:
+ dbName: vertdb
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/30-update-dbname.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/30-update-dbname.yaml
new file mode 100644
index 000000000..4662aa370
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/30-update-dbname.yaml
@@ -0,0 +1,18 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: kubectl -n $NAMESPACE get verticadb v-custom-cert-webhook-cabundle-in-secret -o json | jq '.spec.dbName="NewName"' | kubectl -n $NAMESPACE replace -f -
+ ignoreFailure: true
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/90-delete-cert.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/90-delete-cert.yaml
new file mode 100644
index 000000000..432f9fcf8
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/90-delete-cert.yaml
@@ -0,0 +1,20 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+ - apiVersion: cert-manager.io/v1
+ kind: Certificate
+ - apiVersion: cert-manager.io/v1
+ kind: Issuer
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/95-errors.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/95-errors.yaml
new file mode 100644
index 000000000..2d2e094b3
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/95-errors.yaml
@@ -0,0 +1,18 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ control-plane: controller-manager
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/95-uninstall-operator.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/95-uninstall-operator.yaml
new file mode 100644
index 000000000..674dcbecc
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/95-uninstall-operator.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: sh -c "cd ../../.. && make undeploy-operator NAMESPACE=$NAMESPACE"
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-assert.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-assert.yaml
new file mode 100644
index 000000000..fe22a5139
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-assert.yaml
@@ -0,0 +1,19 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ name: clean-communal
+status:
+ phase: Succeeded
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-delete-cr.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-delete-cr.yaml
new file mode 100644
index 000000000..27b82bb6a
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-delete-cr.yaml
@@ -0,0 +1,22 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+ - apiVersion: vertica.com/v1beta1
+ kind: VerticaDB
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+commands:
+ - command: bash -c "kustomize build clean-communal/overlay | kubectl -n $NAMESPACE apply -f - "
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-errors.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-errors.yaml
new file mode 100644
index 000000000..415cba0a7
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/97-errors.yaml
@@ -0,0 +1,24 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: StatefulSet
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: verticadb-operator
+---
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/99-delete-ns.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/99-delete-ns.yaml
new file mode 100644
index 000000000..4cf81e196
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/99-delete-ns.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete ns $NAMESPACE
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/README.txt b/tests/e2e/custom-cert-webhook-cabundle-in-secret/README.txt
new file mode 100644
index 000000000..fb7ed8b8d
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/README.txt
@@ -0,0 +1,4 @@
+This test will deploy the webhook using custom certs. It still uses the
+cert-manager for generation of the certs. However, instead of the helm chart
+install generating the Certificate/Issue manifests, it is done prior so that we
+can specify the certs as input for the helm chart.
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/cert.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/cert.yaml
new file mode 100644
index 000000000..d4035e668
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/cert.yaml
@@ -0,0 +1,34 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is applied through envsubst so that the $NAMESPACE gets filled in
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: serving-cert
+spec:
+ dnsNames:
+ - verticadb-operator-webhook-service.$NAMESPACE.svc
+ - verticadb-operator-webhook-service.$NAMESPACE.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: selfsigned-issuer
+ secretName: custom-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/setup-vdb/base/kustomization.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/setup-vdb/base/kustomization.yaml
new file mode 100644
index 000000000..01b927990
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/setup-vdb/base/kustomization.yaml
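Review bot: Nothing in cert.yaml records which keys of the `custom-cert` secret this test depends on, although the commit message says the operator patches the webhook config from the secret's `ca.crt` key. A comment above `secretName: custom-cert`, for example `# The operator reads ca.crt from this secret to set the webhook CA bundle`, would make that dependency visible to whoever changes the issuer later. With a self-signed Issuer, cert-manager is expected to write the certificate itself as `ca.crt`; that is worth confirming against the cert-manager version used in CI, since a secret without the key would presumably leave the webhook config unpatched.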
@@ -0,0 +1,15 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+ - setup-vdb.yaml
diff --git a/tests/e2e/custom-cert-webhook-cabundle-in-secret/setup-vdb/base/setup-vdb.yaml b/tests/e2e/custom-cert-webhook-cabundle-in-secret/setup-vdb/base/setup-vdb.yaml
new file mode 100644
index 000000000..d78d3d4b1
--- /dev/null
+++ b/tests/e2e/custom-cert-webhook-cabundle-in-secret/setup-vdb/base/setup-vdb.yaml
@@ -0,0 +1,32 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
+metadata:
+ name: v-custom-cert-webhook-cabundle-in-secret
+spec:
+ image: kustomize-vertica-image
+ communal:
+ includeUIDInPath: false
+ local:
+ requestSize: 100Mi
+ dbName: vertdb
+ subclusters:
+ - name: sc1
+ size: 1
+ kSafety: "0"
+ certSecrets: []
+ imagePullSecrets: []
+ volumes: []
+ volumeMounts: []
diff --git a/tests/e2e/custom-operator-log-path/05-create-creds.yaml b/tests/e2e/custom-operator-log-path/05-create-creds.yaml
new file mode 100644
index 000000000..42005d8c6
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/05-create-creds.yaml
@@ -0,0 +1,18 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: kustomize build ../../manifests/communal-creds/overlay | kubectl apply -f - --namespace $NAMESPACE
+ - script: kustomize build ../../manifests/priv-container-creds/overlay | kubectl apply -f - --namespace $NAMESPACE
diff --git a/tests/e2e/custom-operator-log-path/10-assert.yaml b/tests/e2e/custom-operator-log-path/10-assert.yaml
new file mode 100644
index 000000000..fc6dfbf1c
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/10-assert.yaml
@@ -0,0 +1,20 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ control-plane: controller-manager
+status:
+ phase: Running
diff --git a/tests/e2e/custom-operator-log-path/10-deploy-operator.yaml b/tests/e2e/custom-operator-log-path/10-deploy-operator.yaml
new file mode 100644
index 000000000..7e29ef8e5
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/10-deploy-operator.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: cd ../../.. && make deploy-operator DEPLOY_WITH=helm NAMESPACE=$NAMESPACE HELM_OVERRIDES="--set logging.filePath=/logs/try.log"
diff --git a/tests/e2e/custom-cert-webhook/11-add-patch.yaml b/tests/e2e/custom-operator-log-path/15-add-patch.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/11-add-patch.yaml
rename to tests/e2e/custom-operator-log-path/15-add-patch.yaml
diff --git a/tests/e2e/custom-cert-webhook/11-assert.yaml b/tests/e2e/custom-operator-log-path/15-assert.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/11-assert.yaml
rename to tests/e2e/custom-operator-log-path/15-assert.yaml
diff --git a/tests/e2e/custom-cert-webhook/12-check-log-file.yaml b/tests/e2e/custom-operator-log-path/20-check-log-file.yaml
similarity index 100%
rename from tests/e2e/custom-cert-webhook/12-check-log-file.yaml
rename to tests/e2e/custom-operator-log-path/20-check-log-file.yaml
diff --git a/tests/e2e/custom-operator-log-path/95-errors.yaml b/tests/e2e/custom-operator-log-path/95-errors.yaml
new file mode 100644
index 000000000..2d2e094b3
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/95-errors.yaml
@@ -0,0 +1,18 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ control-plane: controller-manager
diff --git a/tests/e2e/custom-operator-log-path/95-uninstall-operator.yaml b/tests/e2e/custom-operator-log-path/95-uninstall-operator.yaml
new file mode 100644
index 000000000..674dcbecc
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/95-uninstall-operator.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: sh -c "cd ../../.. && make undeploy-operator NAMESPACE=$NAMESPACE"
diff --git a/tests/e2e/custom-operator-log-path/97-assert.yaml b/tests/e2e/custom-operator-log-path/97-assert.yaml
new file mode 100644
index 000000000..fe22a5139
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/97-assert.yaml
@@ -0,0 +1,19 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ name: clean-communal
+status:
+ phase: Succeeded
diff --git a/tests/e2e/custom-operator-log-path/97-delete-cr.yaml b/tests/e2e/custom-operator-log-path/97-delete-cr.yaml
new file mode 100644
index 000000000..27b82bb6a
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/97-delete-cr.yaml
@@ -0,0 +1,22 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+ - apiVersion: vertica.com/v1beta1
+ kind: VerticaDB
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+commands:
+ - command: bash -c "kustomize build clean-communal/overlay | kubectl -n $NAMESPACE apply -f - "
diff --git a/tests/e2e/custom-operator-log-path/97-errors.yaml b/tests/e2e/custom-operator-log-path/97-errors.yaml
new file mode 100644
index 000000000..415cba0a7
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/97-errors.yaml
@@ -0,0 +1,24 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: StatefulSet
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: verticadb-operator
+---
+apiVersion: vertica.com/v1beta1
+kind: VerticaDB
diff --git a/tests/e2e/custom-operator-log-path/99-delete-ns.yaml b/tests/e2e/custom-operator-log-path/99-delete-ns.yaml
new file mode 100644
index 000000000..4cf81e196
--- /dev/null
+++ b/tests/e2e/custom-operator-log-path/99-delete-ns.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete ns $NAMESPACE
diff --git a/tests/e2e/custom-operator-log-path/setup-vdb/base/kustomization.yaml b/tests/e2e/custom-operator-log-path/setup-vdb/base/kustomization.yaml new file mode 100644 index 000000000..01b927990 --- /dev/null +++ b/tests/e2e/custom-operator-log-path/setup-vdb/base/kustomization.yaml @@ -0,0 +1,15 @@ +# (c) Copyright [2021-2022] Micro Focus or one of its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +resources: + - setup-vdb.yaml diff --git a/tests/e2e/custom-cert-webhook/setup-vdb/base/setup-vdb.yaml b/tests/e2e/custom-operator-log-path/setup-vdb/base/setup-vdb.yaml similarity index 96% rename from tests/e2e/custom-cert-webhook/setup-vdb/base/setup-vdb.yaml rename to tests/e2e/custom-operator-log-path/setup-vdb/base/setup-vdb.yaml index 159ff9682..637027d39 100644 --- a/tests/e2e/custom-cert-webhook/setup-vdb/base/setup-vdb.yaml +++ b/tests/e2e/custom-operator-log-path/setup-vdb/base/setup-vdb.yaml @@ -14,7 +14,7 @@ apiVersion: vertica.com/v1beta1 kind: VerticaDB metadata: - name: v-custom-cert-webhook + name: v-custom-operator-log-path spec: image: kustomize-vertica-image communal: diff --git a/tests/e2e/custom-cert-webhook/test-logging-patch.yaml b/tests/e2e/custom-operator-log-path/test-logging-patch.yaml similarity index 100% rename from tests/e2e/custom-cert-webhook/test-logging-patch.yaml rename to tests/e2e/custom-operator-log-path/test-logging-patch.yaml From d30bd2d5fa9d06b04db75fd4faab3f23c16c39be Mon Sep 17 00:00:00 2001 
From: Matt Spilchen Date: Thu, 20 Oct 2022 16:23:42 -0300 Subject: [PATCH 2/5] Address review comments --- cmd/operator/main.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cmd/operator/main.go b/cmd/operator/main.go index d435603b4..5bbb2b366 100644 --- a/cmd/operator/main.go +++ b/cmd/operator/main.go @@ -360,7 +360,10 @@ func main() { addReconcilersToManager(mgr, restCfg, flagArgs) ctx := ctrl.SetupSignalHandler() - setupWebhook(ctx, mgr, restCfg, flagArgs) + if err := setupWebhook(ctx, mgr, restCfg, flagArgs); err != nil { + setupLog.Error(err, "unable to setup webhook") + os.Exit(1) + } if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") From 1056b77a29f5382f027e00ce3d1497729e486ce4 Mon Sep 17 00:00:00 2001 From: Matt Spilchen Date: Fri, 21 Oct 2022 15:46:38 -0300 Subject: [PATCH 3/5] Update e2e failures --- tests/e2e/metrics-disabled/05-assert.yaml | 1 + tests/e2e/metrics-no-auth/05-assert.yaml | 1 + tests/e2e/prometheus-service-monitor/10-assert.yaml | 1 + tests/e2e/prometheus-service-monitor/20-assert.yaml | 1 + 4 files changed, 4 insertions(+) diff --git a/tests/e2e/metrics-disabled/05-assert.yaml b/tests/e2e/metrics-disabled/05-assert.yaml index d63741c79..b080e6bd1 100644 --- a/tests/e2e/metrics-disabled/05-assert.yaml +++ b/tests/e2e/metrics-disabled/05-assert.yaml @@ -30,6 +30,7 @@ spec: - --level=info - --dev=false - --prefix-name=verticadb-operator + - --webhook-cert-secret=verticadb-operator-controller-manager-service-cert status: phase: Running --- diff --git a/tests/e2e/metrics-no-auth/05-assert.yaml b/tests/e2e/metrics-no-auth/05-assert.yaml index 91844aa7f..24b451ae5 100644 --- a/tests/e2e/metrics-no-auth/05-assert.yaml +++ b/tests/e2e/metrics-no-auth/05-assert.yaml 
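Review bot: In the cmd/operator/main.go hunk the new message `"unable to setup webhook"` uses "setup" as a verb, while the health-check message two lines further down says "set up"; `setupLog.Error(err, "unable to set up webhook")` keeps the wording consistent. Because this branch now ends the process with `os.Exit(1)`, the log line is the only explanation an operator gets for a crash-looping pod. Naming the TLS secret that was being read would help, though the fields of `flagArgs` are not visible here. `main()` begins and ends outside the hunk.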
@@ -31,6 +31,7 @@ spec: - --level=info - --dev=true - --prefix-name=verticadb-operator + - --webhook-cert-secret=verticadb-operator-controller-manager-service-cert status: phase: Running --- diff --git a/tests/e2e/prometheus-service-monitor/10-assert.yaml b/tests/e2e/prometheus-service-monitor/10-assert.yaml index 3ad5523eb..9254606f3 100644 --- a/tests/e2e/prometheus-service-monitor/10-assert.yaml +++ b/tests/e2e/prometheus-service-monitor/10-assert.yaml @@ -31,6 +31,7 @@ spec: - --level=info - --dev=false - --prefix-name=verticadb-operator + - --webhook-cert-secret=verticadb-operator-controller-manager-service-cert - name: kube-rbac-proxy status: phase: Running diff --git a/tests/e2e/prometheus-service-monitor/20-assert.yaml b/tests/e2e/prometheus-service-monitor/20-assert.yaml index 604361ec4..c018f15e5 100644 --- a/tests/e2e/prometheus-service-monitor/20-assert.yaml +++ b/tests/e2e/prometheus-service-monitor/20-assert.yaml @@ -31,6 +31,7 @@ spec: - --level=info - --dev=false - --prefix-name=verticadb-operator + - --webhook-cert-secret=verticadb-operator-controller-manager-service-cert status: phase: Running --- From f19efc45d9d46e4a0f66de4205715c72b37eca5c Mon Sep 17 00:00:00 2001 From: Matt Spilchen Date: Fri, 21 Oct 2022 15:56:34 -0300 Subject: [PATCH 4/5] Add changie --- changes/unreleased/Changed-20221021-155603.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changes/unreleased/Changed-20221021-155603.yaml diff --git a/changes/unreleased/Changed-20221021-155603.yaml b/changes/unreleased/Changed-20221021-155603.yaml new file mode 100644 index 000000000..c2a129558 --- /dev/null +++ b/changes/unreleased/Changed-20221021-155603.yaml @@ -0,0 +1,5 @@ +kind: Changed +body: Allow webhook CA bundle to be taken from secret instead of helm chart parameter +time: 2022-10-21T15:56:03.734031786-03:00 +custom: + Issue: "273" From 682b97c9846b2dbb63e4a52afcb8d28eecec5733 Mon Sep 17 00:00:00 2001 
From: Matt Spilchen Date: Fri, 21 Oct 2022 22:11:47 -0300 Subject: [PATCH 5/5] Add back wait-for-webhook --- Makefile | 2 + scripts/wait-for-webhook.sh | 100 ++++++++++++++++++ .../e2e-extra/disable-webhook/10-assert.yaml | 7 ++ .../disable-webhook/10-deploy-operator.yaml | 1 + 4 files changed, 110 insertions(+) create mode 100755 scripts/wait-for-webhook.sh diff --git a/Makefile b/Makefile index b41fcedb0..6632ab0b1 100644 --- a/Makefile +++ b/Makefile @@ -404,8 +404,10 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified deploy-operator: manifests kustomize ## Using helm or olm, deploy the operator in the K8s cluster ifeq ($(DEPLOY_WITH), helm) helm install --wait -n $(NAMESPACE) $(HELM_RELEASE_NAME) $(OPERATOR_CHART) --set image.repo=null --set image.name=${OPERATOR_IMG} --set logging.dev=${DEV_MODE} --set image.pullPolicy=$(HELM_IMAGE_PULL_POLICY) --set imagePullSecrets[0].name=priv-reg-cred $(HELM_OVERRIDES) + scripts/wait-for-webhook.sh -n $(NAMESPACE) -t 60 else ifeq ($(DEPLOY_WITH), olm) scripts/deploy-olm.sh -n $(NAMESPACE) $(OLM_TEST_CATALOG_SOURCE) + scripts/wait-for-webhook.sh -n $(NAMESPACE) -t 60 else ifeq ($(DEPLOY_WITH), random) ifeq ($(shell (( $$RANDOM % 2 )); echo $$?),0) DEPLOY_WITH=helm $(MAKE) deploy-operator diff --git a/scripts/wait-for-webhook.sh b/scripts/wait-for-webhook.sh new file mode 100755 index 000000000..fbfe0f492 --- /dev/null +++ b/scripts/wait-for-webhook.sh 
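Review bot: `scripts/wait-for-webhook.sh -n $(NAMESPACE) -t 60` is added unconditionally to both the helm and olm branches of `deploy-operator`, so a deployment made with `webhook.enable=false` presumably blocks for the full 60 seconds and then fails the target. The disable-webhook test works around that with `ignoreFailure: true` in 10-deploy-operator.yaml, which also hides a genuinely failed `helm install`; the added Deployment `readyReplicas: 1` assert only partly compensates. Making the wait optional keeps the failure signal intact, for instance with a new variable (name is a suggestion): `[ "$(SKIP_WEBHOOK_WAIT)" = "1" ] || scripts/wait-for-webhook.sh -n $(NAMESPACE) -t 60`, set by the disable-webhook step instead of `ignoreFailure`. The `deploy-operator` recipe continues past the end of the hunk.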
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+# (c) Copyright [2021-2022] Micro Focus or one of its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# A script that will wait for the webhook to be fully setup. There is a small
+# timing window where the pod with the webhook is up and ready, but the webhook
+# is not yet able to accept connections. See this issue for more details:
+# https://github.com/vertica/vertica-kubernetes/issues/30
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+REPO_DIR=$(dirname $SCRIPT_DIR)
+TIMEOUT=30
+
+function usage() {
+ echo "usage: $(basename $0) [-n ] [-t ]"
+ echo
+ echo "Options:"
+ echo " -n Check the webhook in this namespace."
+ echo " -t Specify the timeout in seconds [defaults: $TIMEOUT]"
+ exit 1
+}
+
+while getopts "n:t:h" opt
+do
+ case $opt in
+ n)
+ NAMESPACE_OPT="-n $OPTARG"
+ ;;
+ t)
+ TIMEOUT=$OPTARG
+ ;;
+ h)
+ usage
+ ;;
+ \?)
+ echo "ERROR: unrecognized option: -$opt"
+ usage
+ ;;
+ esac
+done
+
+# First ensure the service object for the webhook exists.
+trap "echo 'Failed waiting for webhook service object to exist'" 0 2 3 15
+set -o errexit
+timeout $TIMEOUT bash -c -- "\
+ while ! kubectl get $NAMESPACE_OPT svc --no-headers --selector vertica.com/svc-type=webhook 2> /dev/null | grep -cq 'service'; \
+ do \
+ sleep 0.1; \
+ done"
+set +o errexit
+trap 1> /dev/null
+
+# Next, to validate the webhook exists, we will continually create/delete a
+# VerticaDB. 
If it succeeds, then we assume the webhook is up and running. +# This depends on the webhook config having the 'failurePolicy: Fail' set. + +SELECTOR_KEY=vertica.com/use +SELECTOR_VAL=wait-for-webhook +SELECTOR=$SELECTOR_KEY=$SELECTOR_VAL + +MANIFEST=$(mktemp) + +cat < $MANIFEST +apiVersion: vertica.com/v1beta1 +kind: VerticaDB +metadata: + generateName: wait-for-webhook- + labels: + $SELECTOR_KEY: $SELECTOR_VAL +spec: + image: "vertica/vertica-k8s:latest" + initPolicy: ScheduleOnly + subclusters: + - name: sc1 + size: 1 +EOF + +# Delete old manifests, but likely won't be there so eat the error. +kubectl delete $NAMESPACE_OPT vdb -l $SELECTOR 2> /dev/null 1> /dev/null || : + +trap "kubectl delete $NAMESPACE_OPT vdb -l $SELECTOR; rm $MANIFEST" 0 2 3 15 # Ensure deletion on script exit" + +timeout $TIMEOUT bash -c -- "\ + while ! kubectl create $NAMESPACE_OPT -f $MANIFEST 2> /dev/null; \ + do \ + sleep 0.1; \ + done" & +pid=$! +wait $pid diff --git a/tests/e2e-extra/disable-webhook/10-assert.yaml b/tests/e2e-extra/disable-webhook/10-assert.yaml index fc6dfbf1c..b41638efe 100644 --- a/tests/e2e-extra/disable-webhook/10-assert.yaml +++ b/tests/e2e-extra/disable-webhook/10-assert.yaml @@ -18,3 +18,10 @@ metadata: control-plane: controller-manager status: phase: Running +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: verticadb-operator-controller-manager +status: + readyReplicas: 1 diff --git a/tests/e2e-extra/disable-webhook/10-deploy-operator.yaml b/tests/e2e-extra/disable-webhook/10-deploy-operator.yaml index 923d90096..468bed34f 100644 --- a/tests/e2e-extra/disable-webhook/10-deploy-operator.yaml +++ b/tests/e2e-extra/disable-webhook/10-deploy-operator.yaml @@ -15,3 +15,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - command: sh -c "cd ../../.. && DEPLOY_WITH=helm HELM_OVERRIDES='--set webhook.enable=false' make deploy-operator NAMESPACE=$NAMESPACE" + ignoreFailure: true # Ignore because no webhook but make target waits for it
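Review bot: Both polling loops in scripts/wait-for-webhook.sh build the inner command as a double-quoted string for `bash -c`, so the value given to `-n` (and `$MANIFEST`) is parsed a second time by the inner shell and any shell metacharacters in it would be run as code. Passing the values as arguments avoids the re-parse, e.g. `timeout "$TIMEOUT" bash -c 'while ! kubectl create "$@" 2> /dev/null; do sleep 0.1; done' _ $NAMESPACE_OPT -f "$MANIFEST"`, and the same shape fits the `kubectl get ... svc` loop. Separately, `trap 1> /dev/null` only lists the current traps and discards the output; it does not remove the 'Failed waiting for webhook service object to exist' handler, which `trap - 0 2 3 15` would do.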