Description
Reported by @bmsiegel on Slack. Initially reported on cert-manager/aws-privateca-issuer#229
Describe the bug:
When referring to external issuers whose kind is not "Issuer" or "ClusterIssuer" we log an error message thanks to a new check added in #5336 which should only trigger for SelfSigned issuers.
For reference, the AWS PCA issuer uses the AWSPCA(Cluster)Issuer kind and the awspca.cert-manager.io/... group.
The user saw the following error message (line breaks added manually for visual clarity):
E1121 15:03:27.073943 1 checks.go:55]
cert-manager/controller/certificaterequests-issuer-selfsigned/handleSecretReference
"msg"="failed to determine affected certificate requests"
"error"="invalid value \"AWSPCAClusterIssuer\" for issuerRef.kind. Must be empty, \"Issuer\" or \"ClusterIssuer\""
"resource_kind"="Secret"
"resource_name"="external-secrets-webhook"
"resource_namespace"="my-platform"
"resource_version"="v1"
This error is produced from this line, after this check fails.
The error ultimately arises in GetGenericIssuer.
Expected behaviour:
Log messages relating to this new check functionality should only be printed when a self-signed issuer is confirmed.
A fix for this issue should be backported as this error is likely to cause confusion.
Environment details:
- cert-manager version: v1.10+, currently
/kind bug
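The behaviour asked for above, sketched as an added example (not cert-manager's code and not the fix that was merged): filter on `issuerRef.group` before applying the strict kind check, so references to external issuers are skipped without logging. `IssuerRef`, `resolveBuiltinKind` and `needsSelfSignedCheck` are hypothetical names, and the sample references are constructed.

```go
package main

import "fmt"

// IssuerRef is a hypothetical stand-in for a CertificateRequest's spec.issuerRef.
type IssuerRef struct {
	Name, Kind, Group string
}

// builtinGroup is cert-manager's own API group; an empty group defaults to it.
const builtinGroup = "cert-manager.io"

// resolveBuiltinKind mimics the strict kind check whose error appears in the log above.
func resolveBuiltinKind(ref IssuerRef) (string, error) {
	switch ref.Kind {
	case "", "Issuer":
		return "Issuer", nil
	case "ClusterIssuer":
		return "ClusterIssuer", nil
	}
	return "", fmt.Errorf("invalid value %q for issuerRef.kind. Must be empty, %q or %q",
		ref.Kind, "Issuer", "ClusterIssuer")
}

// needsSelfSignedCheck reports whether ref can point at a built-in issuer at all.
// References in another API group are skipped silently; confirming that the
// issuer is actually SelfSigned would still require fetching it afterwards.
func needsSelfSignedCheck(ref IssuerRef) (bool, error) {
	if ref.Group != "" && ref.Group != builtinGroup {
		return false, nil // external issuer: nothing to check, nothing to log
	}
	if _, err := resolveBuiltinKind(ref); err != nil {
		return false, err // unknown kind inside cert-manager's own group
	}
	return true, nil
}

func main() {
	refs := []IssuerRef{ // constructed sample input
		{Name: "pca", Kind: "AWSPCAClusterIssuer", Group: "awspca.cert-manager.io"},
		{Name: "ss", Kind: "Issuer", Group: "cert-manager.io"},
		{Name: "bad", Kind: "Bogus"},
	}
	for _, r := range refs {
		ok, err := needsSelfSignedCheck(r)
		fmt.Printf("%s: check=%v err=%v\n", r.Name, ok, err)
	}
}
```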