Merged
1 change: 1 addition & 0 deletions keda/README.md
Expand Up @@ -76,6 +76,7 @@ their default values.
| `certificates.certManager.secretTemplate` | object | `{}` | Add labels/annotations to secrets created by Certificate resources [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) |
| `certificates.mountPath` | string | `"/certs"` | Path where KEDA TLS certificates are mounted |
| `certificates.secretName` | string | `"kedaorg-certs"` | Secret name to be mounted with KEDA TLS certificates |
| `certificates.operator.apiServicePatching.enabled` | bool | `nil` | When explicitly set, controls whether the operator injects the self-generated TLS CA into the APIService for the KEDA Metrics API Server via the `--enable-apiservice-patching` flag. When unset (default), the flag is not passed and the operator uses its built-in default. Only effective when `certificates.autoGenerated=true` and `certificates.certManager.enabled=false`. If set to `false` while `metricsServer.enabled=true`, you must provide an alternative CA injection mechanism or the metrics API will fail TLS verification. |
| `clusterDomain` | string | `"cluster.local"` | Kubernetes cluster domain |
| `clusterName` | string | `"kubernetes-default"` | Kubernetes cluster name. Used in features such as emitting CloudEvents |
| `crds.additionalAnnotations` | object | `{}` | Custom annotations specifically for CRDs |
3 changes: 3 additions & 0 deletions keda/templates/manager/deployment.yaml
Expand Up @@ -84,6 +84,9 @@ spec:
- "--zap-encoder={{ .Values.logging.operator.format }}"
- "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}"
- "--enable-webhook-patching={{ .Values.webhooks.enabled }}"
{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) .Values.certificates.operator .Values.certificates.operator.apiServicePatching }}
- "--enable-apiservice-patching={{ .Values.certificates.operator.apiServicePatching.enabled }}"
{{- end }}
{{- if .Values.logging.operator.stackTracesEnabled }}
- "--zap-stacktrace-level=error"
{{- end }}
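Review bot: The guard on the new `--enable-apiservice-patching` argument tests that the `certificates.operator.apiServicePatching` object is present, not that its `enabled` key is set, while the argument interpolates `.Values.certificates.operator.apiServicePatching.enabled`. A values file that defines `apiServicePatching` with other keys but without `enabled` would pass the condition and render the flag without a usable boolean value. Consider checking the key itself, for example with `hasKey .Values.certificates.operator.apiServicePatching "enabled"`, so the flag is emitted only when the user explicitly chose `true` or `false`, which is the behaviour the README row describes.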
5 changes: 5 additions & 0 deletions keda/values.yaml
Expand Up @@ -885,6 +885,11 @@ certificates:
# -- Custom Issuer group. Required when generate: false
group: cert-manager.io
operator:
# -- Enable APIService patching by KEDA operator. Controls whether KEDA operator will inject the self-generated TLS certificate into the APIService used by KEDA Metrics API Server.
# Only takes effect when certificates.autoGenerated is true and certificates.certManager.enabled is false.
# WARNING: If metricsServer.enabled is true and you disable this, you must ensure the APIService CA bundle is injected by an alternative mechanism (e.g. external controller, manual patching), otherwise the metrics API will fail TLS verification.
# apiServicePatching:
# enabled: false
# -- Location(s) of CA files for authentication of external TLS connections such as TLS-enabled metrics sources
# caDirs:
# - /custom/ca
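Review bot: The comment block above `# apiServicePatching:` does not say what happens when the key is left commented out, although the README row added in this PR does ("the flag is not passed and the operator uses its built-in default"). Add that sentence here so the two descriptions stay in step. The wording also differs between the files: this comment says the operator injects the "self-generated TLS certificate", the README says the "self-generated TLS CA"; pick one. Finally, the commented example is `enabled: false`, so uncommenting it as written turns off CA injection, the case the WARNING line is about; a short note on the example line that `false` needs an alternative CA injection mechanism would make that harder to do by accident.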