Allow templating of labels/annotations on target configmaps/secrets

[qcattez]

When creating ValidatingWebhookConfiguration or MutatingWebhookConfiguration, we can specify the CA bundle to use in the ClientConfig : https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#webhookclientconfig-v1-admissionregistration-k8s-io

However, those ressources doesn't allow to specify the CA bundle from a Secret or Configmap (only inline).
cert-manager tackles this problem by injecting the CA bundle on resources annotated with cert-manager.io/inject-ca-from: <namespace>/<certificate>.

So in order to provide the same functionality as cert-manager, it would be nice to introduce a trust-manager-ca-injector that would be responsible to inject the CA bundle on resources annotated with trust.cert-manager.io/inject-ca-from: <namespace>/<bundle>.

[qcattez]

When looking into the cert-manager-ca-injector documentation, I found this :
https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource

Thus allowing us to inject the CA bundle from a secret that would have been created by trust-manager.

Sorry for the inconvenience 🙏

[qcattez]

In the end, the use of the annotation cert-manager.io/inject-ca-from-secret allows us to specify a secret to define the CA for admissions webhooks.

But the only thing missing for this feature to be achievable is to be able to add custom annotations on the secret created by the Bundle. For now, only the key can be specified : https://cert-manager.io/docs/trust/trust-manager/api-reference/#bundlespectargetsecret

It would be nice to be able to add the cert-manager.io/allow-direct-injection: "true" annotation on the created secret.

[erikgb]

It could make sense to add a feature similar to cert-manager secretTemplate. That should make the feature address more use cases, and not just this one specifically. It should also cover target configmaps if implemented.

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[erikgb]

/remove-lifecycle stale
/help

[cert-manager-prow]

@erikgb:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/remove-lifecycle stale
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.