X509: certificate signed by unknown authority

Nothing to do with your cluster definition; it’s the admission controller (DAC).

What’s wrong is that the DAC is provisioned with one certificate/key and the webhook configurations have a completely different CA certificate installed, thus the certificate won’t validate, and it will not work. As to how you’ve got into this situation, well, the TLS is randomly generated (rotated) per run of the tool (no point having predictable keys!). Somehow some parts are installed from one run, and some parts are installed from another, hence the discrepancy.

You have to completely uninstall the DAC with:

cbopcfg delete admission

If this is part of an upgrade, then you have to uninstall with the toolchain you used to install it, not the upgraded version.
Then recreate it with:

cbopcfg create admission

Or whatever the analogous method is for your version of the Operator.