Allow defining keystore password as litteral instead of SecretRef

[rquinio1A]

Is your feature request related to a problem? Please describe.

Keystore generation is a great feature of cert-manager, but it could be simplified a little. Today we have:

apiVersion: cert-manager.io/v1
kind: Certificate
spec:
  secretName: certificate
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: keystore-password
        key: password

The fact of encrypting keystores with a password in Java keytool predates the Kubernetes era.
The Java ecosystem is slowly moving towards generating keystores programmatically at runtime from PEM files.
Meanwhile, since the generated keystore is stored in a Kubernetes secret, the fact of encrypting it has become irrelevant (if you can access secrets, then you can also access the secret containing the encryption password ...)
Even worse, since Kubernetes Secret resources shouldn't be stored in Gitops repositories (and tools like ArgoCD may be configured to never synchronize such resources), this forces to synchronize from a vault, making things very complex for something than doesn't actually need it.

Describe the solution you'd like

We should be able to hardcode the keystore password in the PKCS12Keystore, for instance:

apiVersion: cert-manager.io/v1
kind: Certificate
spec:
  secretName: certificate
  keystores:
    pkcs12:
      create: true
      password: "changeit"

/kind feature

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[rquinio1A]

/remove-lifecycle stale

I would be intersted in feedback from the maintainers and/or community

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[rquinio1A]

/remove-lifecycle stale

@munnerz maybe you could review this feature request, since you did the initial implementation of keystore password in #2824 ?

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[rquinio1A]

/remove-lifecycle stale

I see there's another proposal for hardcoded password (#6269), and I'd be fine with that too, the password value is irrelevant.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[jetstack-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

[jetstack-bot]

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.