Moving to 1.22 makes OPA not work with helm self signed

[subravi92]

Hi, we are doing some pre-work to move all our clusters from 1.21 to 1.22.. one of the dependency was admissionregistration.k8s.io ..along with that, we are moving away from kube-webhook-certgen logic to helm self signed template... i could see opa up and running along with validatingwebhook and helm self signed certs without any issues..
Main problem is opa policies are not getting applied.. i see the policy is getting invoked in pod log along with allowed=false but still am able to perform the action, I have changed admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 along with that admission to v1 , admissionreviewversions to v1.. Any pointers would be helpful ?

kind: ConfigMap
apiVersion: v1
metadata:
  name: opa-default-system-main
  namespace: opa
data:
  main: |
    package system

    import data.kubernetes.admission

    main = {
      "apiVersion": "admission.k8s.io/v1",
      "kind": "AdmissionReview",
      "response": response,
    }

    default response = {"allowed": true}

    response = {
        "allowed": false,
        "status": {
            "reason": reason,
        },
    } {
        reason = concat(", ", admission.deny)
        reason != ""
    }
    else = {
        "allowed": true,
        "status": {
            "reason": reason,
        },
    } {
        reason = concat(", ", admission.dryrun)
        reason != ""
    }

apiVersion: admissionregistration.k8s.io/v1
metadata:
  name: opa-validating-webhook
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-failed
webhooks:
  - name: validating-webhook.openpolicyagent.org
    failurePolicy: Ignore
    namespaceSelector:
      matchExpressions:
        - key: openpolicyagent.org/webhook
          operator: NotIn
          values:
            - ignore
    rules:
      - operations: ["CREATE", "UPDATE", "DELETE", "CONNECT"]
        apiGroups: ["*"]
        apiVersions: ["*"]
        resources:
          - pods
          - pods/portforward
          - deployments
          - services
          - ingresses
          - customresourcedefinitions
          - replicasets
          - daemonsets
          - jobs
          - cronjobs
          - namespaces
          - rolebindings
          - horizontalpodautoscalers
          - chaosblades
    clientConfig:
      caBundle: {{ $ca.Cert | b64enc | quote }}
      service:
        namespace: opa
        name: opa
    timeoutSeconds: 10
    sideEffects: None
    admissionReviewVersions: [v1]
---
apiVersion: v1
kind: Secret

metadata:
  name: opa-webhook-server-cert
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-failed
  labels:
    app: opa
    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}

data:
  tls.crt : {{ $cert.Cert | b64enc | quote }}
  tls.key : {{ $cert.Key | b64enc | quote }}
  ca.crt: {{ $ca.Cert | b64enc | quote }}