When the control plane is configured to use a custom key for signing, the webhooks' CABundle is not updated and the installation/update fails, as the create/update calls for istio resources fail with validation errors.

Steps to reproduce:

1. Create cacerts secret in the target namespace using the example certs in istio.io/istio/samples/certs, e.g.: oc create secret generic cacerts --from-file path/to/istio/samples/certs
2. Install control plane with following security settings:

spec:
  security:
    certificateAuthority:
      type: Istiod
      istiod:
        type: PrivateKey