When using cert-manager, and either the `istiod-tls` or the `cacerts` secrets, the istio operator patches the server cert into the istiod's webhook caBundle rather than the CA cert. This affects 3.0 migrations because the 3.0 istiod also patches the same webhooks but it patches the CA instead. The two controllers each attempt to patch a different bundle and an endless reconcile loop occurs.