poseidon / typhoon

Minimal and free Kubernetes distribution with Terraform
https://typhoon.psdn.io/
MIT License

CoreOS: validatingWebhookConfiguration: failed to load system roots and no roots provided; open /etc/ssl/certs/ca-certificates.crt: permission denied #1518

Open JordanP opened 2 weeks ago

JordanP commented 2 weeks ago

Description

I try to create a CustomResource, for which there's a validating_webhook_configuration. When I kubectl apply I get

Internal error occurred: failed calling webhook "vpooler.cnpg.io": failed to call webhook: 
Post "https://cnpg-webhook-service.cnpg-system.svc:443/validate-postgresql-cnpg-io-v1-pooler?timeout=10s": 
tls: failed to verify certificate: x509: failed to load system roots and no roots provided; open 
/etc/ssl/certs/ca-certificates.crt: permission denied

Steps to Reproduce

CoreOS, Typhoon 1.31. I am trying to deploy a CNPG cluster. The installation of the CRDs and Operator works fine, but when I try to create the following resource:

resource "kubernetes_manifest" "cluster" {
  depends_on = [module.yavin]
  manifest = {
    apiVersion = "postgresql.cnpg.io/v1"
    kind       = "Cluster"
    metadata = {
      name      = "cluster-example"
      namespace = "default"
    }
    spec = {
      instances = 3
      storage = {
        size = "1Gi"
      }
    }
  }
}

I get this image

Expected behavior

I should be able to create that resource.

Environment

Possible Solution

It seems the cert volumes (/etc/ssl/certs seems to be a symlink to /etc/pki) are mounted in the kube-api-server:

    Mounts:
      /etc/kubernetes/pki from secrets (ro)
      /etc/pki from etc-pki (ro)
      /etc/ssl/certs from etc-ssl (ro)

so it should work, but I am not sure it actually works.

JordanP commented 1 week ago

I think the key part to reproduce this is that caBundle of webhook.clientConfig.service needs to be an empty string.

(the CNPG operator has some logic to fill in that caBundle if it detects it's empty and will generate a self-signed certificate)
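An added audit check (not code from Typhoon or CNPG) for the condition described in this thread: a webhook whose clientConfig.caBundle is empty or missing, which makes the kube-apiserver verify the webhook certificate against the host's system roots instead of a bundle it was given. The sample configuration and the second webhook name are constructed; its caBundle is a base64-encoded placeholder, not a real certificate.

```python
"""Flag webhooks whose clientConfig.caBundle is empty: for those the kube-apiserver
verifies the webhook cert against the host's system roots (e.g.
/etc/ssl/certs/ca-certificates.crt), the path that failed with "permission denied"."""
import base64

# Constructed sample shaped like `kubectl get validatingwebhookconfiguration -o json`.
# The second caBundle is a base64-encoded placeholder, not a real certificate.
SAMPLE_CONFIG = {
    "metadata": {"name": "cnpg-validating-webhook-configuration"},
    "webhooks": [
        {
            "name": "vpooler.cnpg.io",  # caBundle left empty, as in the issue
            "clientConfig": {
                "caBundle": "",
                "service": {"name": "cnpg-webhook-service", "namespace": "cnpg-system",
                            "path": "/validate-postgresql-cnpg-io-v1-pooler"},
            },
        },
        {
            "name": "vother.example.invalid",  # hypothetical healthy webhook
            "clientConfig": {
                "caBundle": base64.b64encode(
                    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
                ).decode(),
                "service": {"name": "other-webhook", "namespace": "default"},
            },
        },
    ],
}


def ca_bundle_status(client_config: dict) -> str:
    """'system-roots' if caBundle is empty/missing (apiserver falls back to
    host CAs), 'invalid' if it is not base64-encoded PEM, otherwise 'ok'."""
    bundle = client_config.get("caBundle") or ""
    if not bundle:
        return "system-roots"
    try:
        pem = base64.b64decode(bundle, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    return "ok" if b"-----BEGIN CERTIFICATE-----" in pem else "invalid"


def audit_webhook_config(config: dict) -> list:
    """Return (webhook name, status) for every webhook that is not 'ok'."""
    findings = []
    for hook in config.get("webhooks", []):
        status = ca_bundle_status(hook.get("clientConfig", {}))
        if status != "ok":
            findings.append((hook.get("name", "<unnamed>"), status))
    return findings
```

Run it over the JSON of each ValidatingWebhookConfiguration and MutatingWebhookConfiguration in the cluster; any `system-roots` finding is a webhook that depends on the apiserver being able to read the host CA file.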