diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 9696d51567ae1cd9f5cece2bd1e1c01a72caee8c..69635b351c9cb0a284eabf6d3a100c51c334ec9d 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -964,6 +964,17 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+{% if cert_manager_trusted_internal_ca is defined %}
+          volumeMounts:
+          - mountPath: /etc/ssl/certs/internal-ca.pem
+            name: ca-internal-truststore
+            subPath: internal-ca.pem
+      volumes:
+      - configMap:
+          defaultMode: 420
+          name: ca-internal-truststore
+        name: ca-internal-truststore
+{% endif %}
 {% if cert_manager_tolerations %}
       tolerations:
         {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
@@ -983,17 +994,6 @@ spec:
       dnsConfig:
         {{ cert_manager_dns_config | to_nice_yaml | indent(width=8) }}
 {% endif %}
-{% if cert_manager_trusted_internal_ca is defined %}
-          volumeMounts:
-          - mountPath: /etc/ssl/certs/internal-ca.pem
-            name: ca-internal-truststore
-            subPath: internal-ca.pem
-      volumes:
-      - configMap:
-          defaultMode: 420
-          name: ca-internal-truststore
-        name: ca-internal-truststore
-{% endif %}
 ---
 # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-deployment.yaml
 apiVersion: apps/v1