Allow specifying secret as pilot server cert when using CertificateAuthority: Custom

Currently, we've exposed a Custom method which allows one to provide an external CA, at Jetstack we're making using of the istio-csr api to handle workload identity.

In order for istio-csr to work we need to set the Ca Address, which we do like so:

security:
   certificateAuthority:
   custom:
     address: cert-manager-istio-csr.openshift-operators.svc:443
   type: Custom

This almost solves the problem, however the pilot server needs to have it's tls context to a cert generated by external CA (through --tlsCert and --TlsKey flags etc..) Currently we configure this by writing out a secret, which should be mounted and passed to the command args. This works correctly in the vanilla istio-operator on other platforms as well as Openshift.

I have search through Maistra repo thoroughly (including the 2.1 branch) there is no way for us to inject this parameter through the operator it seems, such an override would be outside the parameters that are meant to be configured at present.

Is there any mechanism we missed that allows us to achieve this goal at present?
if not would it be possible to expose the setting of the tls context for pilot? we imagine that all CAs using istio-csr as a mechanism will have the exact same problem bootstrapping their Cas,  so this would be generally useful.

One hint for a possibly elegant way of doing it is to have the controlPlane.Certprovider allow a "secret" method , which lets one secret secret name or something like that

Apologies if this is not the best place to submit this feature request, thanks in advance!