I shall answer myself here, there is an undocumented setting config.caCert and it is used thusly:
helm upgrade --install some-name gitlab/gitlab-agent \
--namespace gitlab-agent \
--create-namespace \
--set image.tag=v15.5.1 \
--set config.token=gitlab-token \
--set config.kasAddress=wss://gitlab.domain.local/-/kubernetes-agent/ \
--set config.caCert="-----BEGIN CERTIFICATE-----
The cert goes here as a string
Note the enclosing quotes
-----END CERTIFICATE-----"
All options can be found here.