azure-service-operator
Feature: How to orchestrate values from other resources for things such as a FlexibleServersFirewallRule or FederatedIdentity
It would be great to give an end-to-end example of an orchestration with no manual steps required to deploy an infrastructure where some pieces are not known until 'manifest deployment' time. This is pretty close, but still requires manual input of the OIDC issuer URL.

Some examples are if we need to add a firewall rule for an AKS cluster to access a PostgreSQL server, or provide the OIDC URL for a managed identity?
```yaml
apiVersion: dbforpostgresql.azure.com/v1api20220120preview
kind: FlexibleServersFirewallRule
metadata:
  name: samplefirewallrule
  namespace: default
spec:
  owner:
    name: samplepostgresql
  startIpAddress: 1.2.3.4 # <-- need to add the AKS cluster's IP here
  endIpAddress: 1.2.3.4
```
```yaml
# from sample here: https://github.com/Azure-Samples/azure-service-operator-samples/blob/master/cosmos-todo-list-mi/cosmos-sql-demo.yaml
apiVersion: managedidentity.azure.com/v1beta20220131preview
kind: FederatedIdentityCredential
metadata:
  name: pod-identity
spec:
  audiences:
    # For Workload Identity, Audiences should always be "api://AzureADTokenExchange"
    - api://AzureADTokenExchange
  # For Workload Identity, Issuer should be the OIDC endpoint of the cluster. For AKS this will look like
  # https://oidc.prod-aks.azure.com/00000000-0000-0000-0000-00000000000/
  issuer: ${AKS_OIDC_ISSUER} # <- how would this be supplied?
  # For Workload Identity, Subject should always be system:serviceaccount:<namespace>:<serviceaccount>
  subject: system:serviceaccount:cosmos-todo:cosmos-service-account
```
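One way to close the gap the issue describes without hand-editing manifests, as an added example that is not part of the issue or of the azure-service-operator project: a small renderer that takes the deploy-time facts from `az aks show -g <rg> -n <name> -o json` (the `oidcIssuerProfile.issuerUrl` field) and a separately looked-up cluster egress IP, validates them, and emits both manifests for `kubectl apply -f -`. The `az aks show` output and the egress IP below are constructed sample values; the manifests are emitted as JSON, which kubectl accepts as YAML. The `owner` reference to the user-assigned identity that the quoted FederatedIdentityCredential fragment omits is left out here as well.

```python
"""Added example (not azure-service-operator project code): resolve deploy-time
values from AKS and render the two manifests quoted in the issue with them.

Assumes `az aks show -g <rg> -n <name> -o json` output (constructed sample below)
and a separately resolved cluster egress IP (constructed value below)."""
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed stand-in for `az aks show ... -o json`; only the field used here is included.
SAMPLE_AZ_AKS_SHOW = json.dumps({
    "name": "sample-aks",
    "oidcIssuerProfile": {
        "enabled": True,
        "issuerUrl": "https://oidc.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/",
    },
})
# Constructed egress IP; in practice this is the public IP on the cluster's outbound load balancer.
SAMPLE_EGRESS_IP = "203.0.113.10"

WORKLOAD_IDENTITY_AUDIENCE = "api://AzureADTokenExchange"
_DNS_LABEL = r"[a-z0-9]([-a-z0-9]*[a-z0-9])?"
_SUBJECT_RE = re.compile(rf"^system:serviceaccount:{_DNS_LABEL}:{_DNS_LABEL}$")


def oidc_issuer_from_az(az_json: str) -> str:
    """Pull the OIDC issuer URL out of `az aks show` output, refusing clusters where the
    issuer is disabled or the URL is not a plain https URL."""
    profile = json.loads(az_json).get("oidcIssuerProfile") or {}
    if not profile.get("enabled"):
        raise ValueError("AKS OIDC issuer is not enabled on this cluster")
    url = profile.get("issuerUrl", "")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc or parsed.query or parsed.fragment:
        raise ValueError(f"unexpected issuer URL: {url!r}")
    # The issuer is matched as a string against the token's iss claim, so it is returned
    # exactly as AKS reports it, trailing slash included.
    return url


def validate_subject(subject: str) -> str:
    """Accept only an exact system:serviceaccount:<ns>:<sa> subject (no wildcards, no extra fields)."""
    if not _SUBJECT_RE.match(subject):
        raise ValueError(f"bad federated credential subject: {subject!r}")
    return subject


def firewall_rule(name, namespace, server_name, ip):
    """FlexibleServersFirewallRule allowing exactly one IPv4 address (start == end)."""
    addr = str(ipaddress.IPv4Address(ip))  # raises on anything that is not a single IPv4 address
    return {
        "apiVersion": "dbforpostgresql.azure.com/v1api20220120preview",
        "kind": "FlexibleServersFirewallRule",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "owner": {"name": server_name},
            "startIpAddress": addr,
            "endIpAddress": addr,
        },
    }


def federated_identity_credential(name, issuer, subject):
    """FederatedIdentityCredential bound to the fixed Workload Identity audience."""
    return {
        "apiVersion": "managedidentity.azure.com/v1beta20220131preview",
        "kind": "FederatedIdentityCredential",
        "metadata": {"name": name},
        "spec": {
            "audiences": [WORKLOAD_IDENTITY_AUDIENCE],
            "issuer": issuer,
            "subject": validate_subject(subject),
        },
    }


def render_manifests(az_json: str, egress_ip: str) -> str:
    """Render both manifests as a multi-document stream suitable for `kubectl apply -f -`."""
    docs = [
        firewall_rule("samplefirewallrule", "default", "samplepostgresql", egress_ip),
        federated_identity_credential(
            "pod-identity",
            oidc_issuer_from_az(az_json),
            "system:serviceaccount:cosmos-todo:cosmos-service-account",
        ),
    ]
    return "\n---\n".join(json.dumps(d, indent=2) for d in docs) + "\n"


if __name__ == "__main__":
    print(render_manifests(SAMPLE_AZ_AKS_SHOW, SAMPLE_EGRESS_IP))
```

In a pipeline the constructed sample is replaced by the real command output, for example `az aks show -g RG -n NAME -o json | python render.py | kubectl apply -f -`, with the egress IP passed in from whatever resolved the outbound load balancer's public IP. The validation is the security-relevant part: an issuer that is not an exact https URL, or a subject that is anything other than one specific service account, is rejected before a credential that trusts it ever reaches the cluster.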