zoekt-indexer failed to verify webservice certificate

gitlab-zoekt installed as subchart of full GitLab stack Helm chart.
gitlab/gitlab chart version: 9.2.4
gitlab-zoekt chart version: 2.7.0

The zoekt-indexer container keeps logging:

{
  "time": "2025-08-29T02:25:48.269218756Z",
  "level": "ERROR",
  "msg": "error while sending task request",
  "err": "Post \"https://gitlab-webservice-default.gitlab.svc.cluster.local:8181/api/v4/internal/search/zoekt/0468e788-c667-4da5-bdb3-029ca36adb7a/heartbeat\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
}

Unlike other deployments that make use of private CA certs referenced by the likes of global.certificates.customCAs.secret or gitlab.webservice.workhorse.tls.caSecretName to update each container's system trust store, none of the Zoekt containers perform this init task.

There's also no "escape hatch" in the Zoekt Helm template that would allow the user to inject extraInitContainers, extraVolumes, and extraVolumeMounts to the StatefulSet and Deployment resources so that one could work around the issue by manually updating the system trust store.

Edited by Erhhung Yuan