...
Regarding what happens outside of DCM (points #2, #3 and #4 above), and since the K8s signer issues a certificate some time after approval of a CSR takes place (making the whole process very much asynchronous.. in fact, this could also be done manually by humans), the Monitor has been chosen as the tool to track what happens to the CSR and trigger other actions.
Again, the The reader is referred to the Sequence Diagram above to better understand how the Monitor, together with cluster etcd and rsync (cluster watcher) work together to detect that a CSR has been approved and has issued a certificate in its own .status.certificate subresource field. This certificate is then propagated back to the main etcd instance, where DCM can read from using the lazy-load method presented above.
...