colossal-machine-43699

10/27/2022, 8:31 PM
Has anyone tried to use the upstream kubeadm control plane provider with self-signed certs? I keep seeing this error in capi-kubeadm-control-plane-controller-manager.
E1027 20:24:29.009588       1 controller.go:317] controller/kubeadmcontrolplane "msg"="Reconciler error" "error"="failed to create remote cluster client: error creating client and cache for remote cluster: error creating dynamic rest mapper for remote cluster \"default/my-cluster\": Get \"https://10.84.81.6:6443/api?timeout=10s\": x509: certificate signed by unknown authority" "name"="my-cluster" "namespace"="default" "reconciler group"="controlplane.cluster.x-k8s.io" "reconciler kind"="KubeadmControlPlane"
The self-signed root is mounted via the standard kube-root-ca.crt configmap.
Volumes:
  cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  capi-kubeadm-control-plane-webhook-service-cert
    Optional:    false
  kube-api-access-zn7qg:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node-role.kubernetes.io/control-plane:NoSchedule
                             node-role.kubernetes.io/master:NoSchedule
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
But kube-api-access doesn't seem to make use of it.