#79 adds a basic CA issuer that reads a signing keypair from a Secret in the Kubernetes API server in order to issue certificates. For convenience, it may be desirable to support an 'automatically generate a signing keypair' mode.