External provider notices that CertificateRequest CRD was created and that it has an with a reference to New Issuer CRD was created and processes CSR stored there and in result puts signed certificate and trusted certs. Simple as that.
When component uses CertService client as init container the way forward is simple. Add Certificate CRD and mount secret to K8s workload.
CertService API enhancements