Recently, upstream started supporting versioned config maps that auto-update the operand configuration of the cert-manager controller, webhook, and cainjector. This would imply that users could bypass our operator's certmanager CR, which we use to allow users to update operand config, and thus could cause potential risks of misconfiguration from multiple sources. The ideal solution would be to block this update path, but if there are other measures that can offer better control, those can also be explored, but only in favour of our validated supported paths.
This was discussed during the 1.13 rebase, as upstream 1.13.0 introduced this new functionality: https://github.com/openshift/cert-manager-operator/pull/143#discussion_r1363868623
- is impacted by: CM-190 Rebase operator to v1.13.x version (github/openshift/cert-manager-operator) - Closed