update doc + get tlspair

documentation/installation.md

@@ -38,8 +38,9 @@ The [Kyverno CLI](documentation/testing-policies-cli.md) allows you to write and
 
 # Pre-Requisites
 ## Configure controller manager certificate signer
-When the cluster ca & key is not passed as arguments(mostly for in-cluster mode), the TLS communicate between admission webhook and api-server a certificate signer configured to issue certificate to a certificate signing request(CSR) generated by Kyverno.
-The Kubernetes controller manager provides a default implementation of a signer. To verify if it is enabled, check if the command args --cluster-signing-cert-file and --cluster-signing-key-file are passed to the controller manager with paths to your Certificate Authority’s keypair. 
+When the cluster ca & key is not passed as arguments(mostly for in-cluster mode), the TLS communication between admission webhook and api-server requires a certificate signer configured. The certificate signer issues a certificate to a certificate signing request(CSR) generated by Kyverno, while generating TLS cert & key pair for webhook server.
+
+The Kubernetes controller manager provides a default implementation of a signer. To verify if it is enabled, check if the command args `--cluster-signing-cert-file` and `--cluster-signing-key-file` are passed to the controller manager with paths to your Certificate Authority’s keypair by checking pod YAML for api-server.
 
 ## Use self-signed certificates to test kyverno.
 To create root CA and generate certificate & key pair using it via openssl:

init.go

@@ -27,6 +27,9 @@ func initTlsPemPair(certFile, keyFile string, clientConfig *rest.Config, client
 	if certFile != "" || keyFile != "" {
 		tlsPair = tlsPairFromFiles(certFile, keyFile)
 	}
+	// if cert & key defined in secret(tls.kyverno) use it,
+	// the CA used to sign the cert is expected in secret (tls-ca)
+	tlsPair = client.TlsPairFromSecrets()
 
 	var err error
 	if tlsPair != nil {