Hi @nicholasmturner - thanks for submitting the feature request. Would it be possible to use kubebuilder or other methods to dynamically build the CRD for the Issuer? In my opinion it seems odd to use a Secret to store ARNs, since PCA ARNs are not generally considered secrets.
If this was instead a ConfigMap it would make more sense.
Describe why this change is needed
In my deployment I have an AWS PCA per environment and thus it is not possible to hardcode the AWSPCAClusterIssuer spec.arn value in our codebase. Instead I deploy Kubernetes secrets referencing the ARN of the PCA for each environment. But as the custom resource does not support calling a secret to get the ARN value, I am forced to deploy the custom resource with a dummy value and use a batch job to patch the spec.arn value to the value of the secret. This is not an ideal scenario and is prone to failure. Please can you update the AWSPCAClusterIssuer CRD to allow the custom resource to call Kubernetes secrets for the AWSPCAClusterIssuer spec.arn value? As this is not a container resource, I am unable to use the usual methods for calling secrets such as environment variables/volumes.
Describe solutions and alternatives considered (optional)
```yaml
spec:
  region: eu-west-1
  arn:
    valueFrom:
      secretKeyRef:
        name: my-secret
        key: secret_key
```
Is there anything else you would like to add?
No response
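One way to avoid applying a dummy `spec.arn` and patching it afterwards, shown as an added example that is not part of the original issue or the project's code: render the AWSPCAClusterIssuer manifest per environment at deploy time and refuse any value that is not a well-formed PCA ARN. The environment names, ARNs, issuer names and helper functions are hypothetical, and the region comparison is a check chosen for this example.

```python
import re

# Layout: arn:<partition>:acm-pca:<region>:<12-digit account>:certificate-authority/<UUID>
PCA_ARN_RE = re.compile(
    r"arn:(?:aws|aws-cn|aws-us-gov):acm-pca:([a-z0-9-]+):(\d{12}):"
    r"certificate-authority/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
)
NAME_RE = re.compile(r"[a-z0-9](?:[-a-z0-9.]*[a-z0-9])?")

# Constructed sample values (hypothetical), e.g. read from a per-environment ConfigMap.
ENV_ARNS = {
    "dev": "arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/"
           "11111111-2222-3333-4444-555555555555",
    "prod": "arn:aws:acm-pca:eu-west-1:222222222222:certificate-authority/"
            "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}

def parse_pca_arn(arn):
    """Return (region, account_id) for a well-formed PCA ARN, else raise ValueError."""
    m = PCA_ARN_RE.fullmatch(arn)
    if m is None:
        raise ValueError(f"not an ACM PCA ARN: {arn!r}")
    return m.group(1), m.group(2)

def render_issuer(name, arn, region):
    """Render the manifest; values are validated before being placed in the YAML."""
    if NAME_RE.fullmatch(name) is None:
        raise ValueError(f"invalid resource name: {name!r}")
    arn_region, _ = parse_pca_arn(arn)
    # Sanity check chosen for this example: spec.region should be the CA's region.
    if region != arn_region:
        raise ValueError(f"spec.region {region!r} != ARN region {arn_region!r}")
    return (
        "apiVersion: awspca.cert-manager.io/v1beta1\n"
        "kind: AWSPCAClusterIssuer\n"
        f"metadata:\n  name: {name}\n"
        f"spec:\n  arn: {arn}\n  region: {region}\n"
    )

if __name__ == "__main__":
    for env, arn in ENV_ARNS.items():
        print(render_issuer(f"pca-{env}", arn, "eu-west-1"), end="---\n")
```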