Validating webhooks fail due wrong ca bundle after helm upgrade

[bsctl]

Bug description

Validating webhooks fail due wrong ca bundle after helm upgrade:

How to reproduce

Steps to reproduce the behavior:

1. Install Capsule with Helm
2. Create some tenants
3. Update Capsule via helm upgrade

capsule clastix/capsule \
   -n capsule-system \
   --set manager.options.forceTenantPrefix=true \
   --set manager.options.capsuleUserGroups[0]=$NEW_CAPSULE_GROUP

5. Login as tenant owner and create a namespace in the given tenant

$ kubectl create ns solar-wind
Error from server (InternalError): Internal error occurred: failed calling webhook "owner.namespace.capsule.clastix.io": Post "https://capsule-webhook-service.capsule-system.svc:443/namespace-owner-reference?timeout=30s": x509: certificate signed by unknown authority

Expected behavior

Tenant owner is able to operate after capsule helm upgrade

Logs

If applicable, please provide logs of capsule.

In a standard stand-alone installation of Capsule,
you'd get this by running kubectl -n capsule-system logs deploy/capsule-controller-manager.

Additional context

$ helm -n capsule-system list
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
capsule         capsule-system  9               2022-04-13 09:19:58.408853 +0200 CEST   deployed        capsule-0.1.8           0.1.1      
capsule-proxy   capsule-system  2               2022-04-13 09:38:53.049759 +0200 CEST   deployed        capsule-proxy-0.2.1     0.2.1