
Allow Mutating|ValidatingWebhookConfiguration to use secret for CABundle #72944

Status: Open
Opened by @mengqiy

Description

What would you like to be added:
Allow Mutating|ValidatingWebhookConfiguration to reference the content of a secret as the CABundle.

The following shows the idea. We can use better names than below.

type WebhookClientConfig struct {
	URL *string `json:"url,omitempty" protobuf:"bytes,3,opt,name=url"`
	Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,1,opt,name=service"`
	CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,2,opt,name=caBundle"`

	// Optional field that references a secret holding the CA bundle;
	// an alternative to the inline CABundle above.
	CAFromSecret *CASecret
}

// CASecret identifies the secret, and the key within it, that holds the CA bundle.
type CASecret struct {
	// the namespace of the secret
	Namespace string
	// the name of the secret
	Name string
	// the key in the secret, e.g. ca.key
	KeyName string
}

This can also be applied to the CRD conversion webhook.

Why is this needed:
It will be very useful if the CA is rotated.
Before: An admin or a controller (with permission to update WebhookConfiguration) needs to update the CABundle field if the CA has changed.
After: The webhook configuration will automatically pick up the new CA.

EDIT:
From the security PoV, another advantage is that not needing to update the CA means we don't need to grant a controller permission to update the CABundle field in Mutating|ValidatingWebhookConfig. Current k8s authn doesn't support field-wise fine-grained access control. IOW, a compromised controller can modify the service field of MutatingWebhookConfig to point to a random service that may inject an arbitrary container into each pod.
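
As an added illustration (not code from this issue or from Kubernetes itself), the Go program below plays out the "before/after" rotation case described above against a stand-in Secret store: the webhook configuration holds a fixed CAFromSecret reference, the CA bundle is resolved from the Secret at verification time, and once the Secret's ca.crt is replaced the server certificate issued by the old CA stops verifying while one issued by the new CA verifies, with no change to the webhook configuration. The CASecret shape, the SecretStore type, the secret name webhook-ca, the key ca.crt and the service name webhook.kube-system.svc are assumptions made for this example; the bundle resolution and chain verification use only the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CASecret mirrors the reference type sketched in the issue (a hypothetical API shape, not a Kubernetes type).
type CASecret struct {
	Namespace, Name, KeyName string
}
// SecretStore stands in for the API server's view of Secrets: "namespace/name" -> data map (constructed).
type SecretStore map[string]map[string][]byte

// ResolveCABundle parses the PEM certificates stored under the referenced key. It runs at use time,
// so the pool reflects whatever the Secret holds now, not a copy frozen in the webhook configuration.
func ResolveCABundle(store SecretStore, ref CASecret) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	raw, ok := store[ref.Namespace+"/"+ref.Name][ref.KeyName] // indexing a nil inner map is safe in Go
	if !ok || !pool.AppendCertsFromPEM(raw) {
		return nil, fmt.Errorf("secret %s/%s has no PEM certificate under key %q", ref.Namespace, ref.Name, ref.KeyName)
	}
	return pool, nil
}

// VerifyWebhookServer is the trust check made when dialing the webhook: the server certificate
// must chain to the CA bundle and carry the service DNS name.
func VerifyWebhookServer(pool *x509.CertPool, serverCertDER []byte, dnsName string) error {
	cert, err := x509.ParseCertificate(serverCertDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// certTemplate builds a CA template, or a server-auth leaf template for the DNS name passed as name.
func certTemplate(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA {
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issueCert signs tmpl with parentKey (self-signed when parent is nil) using a throwaway P-256 key and
// returns the certificate, its PEM encoding and its private key. Constructed test material only.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// RotationScenario plays out the issue's "after" case: the webhook configuration keeps the same CAFromSecret
// reference while only the Secret's ca.crt changes. It reports whether the original server certificate verified
// before rotation, and whether the original and the re-issued certificates verify afterwards.
func RotationScenario() (oldBefore, oldAfter, newAfter bool) {
	const dns = "webhook.kube-system.svc" // constructed service name
	ref := CASecret{Namespace: "kube-system", Name: "webhook-ca", KeyName: "ca.crt"}
	store := SecretStore{}
	ca1, caPEM1, caKey1 := issueCert(certTemplate("webhook-ca-v1", 1, true), nil, nil)
	leaf1, _, _ := issueCert(certTemplate(dns, 10, false), ca1, caKey1)
	store["kube-system/webhook-ca"] = map[string][]byte{"ca.crt": caPEM1}
	pool, err := ResolveCABundle(store, ref)
	must(err)
	oldBefore = VerifyWebhookServer(pool, leaf1.Raw, dns) == nil
	// Rotation: a new CA is written into the same Secret; the webhook configuration itself is untouched.
	ca2, caPEM2, caKey2 := issueCert(certTemplate("webhook-ca-v2", 2, true), nil, nil)
	leaf2, _, _ := issueCert(certTemplate(dns, 20, false), ca2, caKey2)
	store["kube-system/webhook-ca"]["ca.crt"] = caPEM2
	pool, err = ResolveCABundle(store, ref)
	must(err)
	oldAfter = VerifyWebhookServer(pool, leaf1.Raw, dns) == nil
	newAfter = VerifyWebhookServer(pool, leaf2.Raw, dns) == nil
	return oldBefore, oldAfter, newAfter
}

func main() {
	fmt.Println(RotationScenario()) // true false true
}
```

The point to take from the run is the permission split the EDIT above argues for: the only write needed during rotation is to the Secret's ca.crt, so the actor doing the rotation never needs update rights on the webhook configuration object, and therefore cannot touch its service or url fields.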

Labels:
- area/admission-control
- kind/feature: Categorizes issue or PR as related to a new feature.
- lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
- priority/awaiting-more-evidence: Lowest priority. Possibly useful, but not yet enough support to actually get it done.
- sig/api-machinery: Categorizes an issue or PR as relevant to SIG API Machinery.