fix: custom hostname cert issuance

zachsmith1 · zachsmith1 · commit 8fcdca7b877a · 2026-03-09T18:38:55.000-07:00
diff --git a/internal/controller/gateway_controller.go b/internal/controller/gateway_controller.go
@@ -514,7 +514,19 @@ func (r *GatewayReconciler) ensureListenerCertificates(
 
 		isNew := cert.CreationTimestamp.IsZero()
 		if isNew {
+			// Use the downstream strategy for anchor-based ownership tracking
+			// (labels + anchor ConfigMap) so cleanup logic can find these Certs.
 			if err := downstreamStrategy.SetControllerReference(ctx, upstreamGateway, cert); err != nil {
+				result.Err = fmt.Errorf("failed to set strategy reference on Certificate %s: %w", certName, err)
+				return result
+			}
+			// Also set the downstream Gateway as the controller owner. The
+			// downstream certificate solver controller walks the ownership
+			// chain (Challenge → Order → Certificate → Gateway) to locate
+			// the Gateway when creating solver HTTPRoutes for HTTP-01
+			// challenges. Without this, the solver skips the Certificate
+			// because it cannot resolve the anchor ConfigMap to a Gateway.
+			if err := controllerutil.SetControllerReference(downstreamGateway, cert, downstreamClient.Scheme()); err != nil {
 				result.Err = fmt.Errorf("failed to set controller reference on Certificate %s: %w", certName, err)
 				return result
 			}
diff --git a/internal/controller/gateway_controller_test.go b/internal/controller/gateway_controller_test.go
@@ -280,6 +280,7 @@ func TestEnsureDownstreamGatewayWildcardCert(t *testing.T) {
 		existingUpstreamObjects   []client.Object
 		existingDownstreamObjects []client.Object
 		assert                    func(t *testing.T, upstreamGateway, downstreamGateway *gatewayv1.Gateway)
+		assertDownstream          func(t *testing.T, downstreamClient client.Client, downstreamGateway *gatewayv1.Gateway)
 	}{
 		{
 			name:                 "default https listener uses shared TLS secret",
@@ -378,6 +379,19 @@ func TestEnsureDownstreamGatewayWildcardCert(t *testing.T) {
 					"cert-manager annotation should not be set; Certificates are created directly",
 				)
 			},
+			assertDownstream: func(t *testing.T, downstreamClient client.Client, downstreamGateway *gatewayv1.Gateway) {
+				var cert cmv1.Certificate
+				certKey := client.ObjectKey{
+					Namespace: downstreamGateway.Namespace,
+					Name:      listenerCertificateName("test-gw", "https-hostname-0"),
+				}
+				if assert.NoError(t, downstreamClient.Get(context.Background(), certKey, &cert), "Certificate should exist") {
+					assert.True(t,
+						metav1.IsControlledBy(&cert, downstreamGateway),
+						"Certificate should have downstream Gateway as controller owner so the solver controller can find it",
+					)
+				}
+			},
 		},
 		{
 			name:                 "subdomain of target domain uses shared wildcard cert",
@@ -548,6 +562,10 @@ func TestEnsureDownstreamGatewayWildcardCert(t *testing.T) {
 				assert.NoError(t, fakeUpstreamClient.Get(ctx, client.ObjectKeyFromObject(tt.upstreamGateway), updatedUpstreamGateway))
 				tt.assert(t, updatedUpstreamGateway, downstreamGateway)
 			}
+
+			if tt.assertDownstream != nil {
+				tt.assertDownstream(t, fakeDownstreamClient, downstreamGateway)
+			}
 		})
 	}
 }
