
Commit e2abe52

authored
Merge pull request #123 from datum-cloud/fix/certissuance
fix: move ownerRef for existing cert fixes
2 parents f29a2de + 1130d2b commit e2abe52

1 file changed

+10
-9
lines changed

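--- a/internal/controller/gateway_controller.go
+++ b/internal/controller/gateway_controller.go
@@ -514,18 +514,19 @@ func (r *GatewayReconciler) ensureListenerCertificates(
 
 isNew := cert.CreationTimestamp.IsZero()
 if isNew {
-// Use the downstream strategy for anchor-based ownership tracking
-// (labels + anchor ConfigMap) so cleanup logic can find these Certs.
 if err := downstreamStrategy.SetControllerReference(ctx, upstreamGateway, cert); err != nil {
 result.Err = fmt.Errorf("failed to set strategy reference on Certificate %s: %w", certName, err)
 return result
 }
-// Also set the downstream Gateway as the controller owner. The
-// downstream certificate solver controller walks the ownership
-// chain (Challenge → Order → Certificate → Gateway) to locate
-// the Gateway when creating solver HTTPRoutes for HTTP-01
-// challenges. Without this, the solver skips the Certificate
-// because it cannot resolve the anchor ConfigMap to a Gateway.
+}
+
+// Ensure the downstream Gateway is the controller owner. The
+// downstream certificate solver controller walks the ownership
+// chain (Challenge → Order → Certificate → Gateway) to locate
+// the Gateway when creating solver HTTPRoutes for HTTP-01
+// challenges.
+ownerRefChanged := !metav1.IsControlledBy(cert, downstreamGateway)
+if ownerRefChanged {
 if err := controllerutil.SetControllerReference(downstreamGateway, cert, downstreamClient.Scheme()); err != nil {
 result.Err = fmt.Errorf("failed to set controller reference on Certificate %s: %w", certName, err)
 return result
@@ -552,7 +553,7 @@ func (r *GatewayReconciler) ensureListenerCertificates(
 cert.Spec = desiredSpec
 err = downstreamClient.Create(ctx, cert)
 opResult = "created"
-} else if !equality.Semantic.DeepEqual(cert.Spec, desiredSpec) {
+} else if !equality.Semantic.DeepEqual(cert.Spec, desiredSpec) || ownerRefChanged {
 cert.Spec = desiredSpec
 err = downstreamClient.Update(ctx, cert)
 opResult = "updated"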
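Review bot: `ownerRefChanged` (new line 528) is true not only when the existing Certificate has no controller reference but also when it is controlled by a different object — for example a previous Gateway instance with the same name but a new UID after deletion and re-creation — and in that case `controllerutil.SetControllerReference` on the next line does not replace the reference but returns an `AlreadyOwnedError`, so such a Certificate would fail every reconcile instead of being migrated. If that is the intended outcome it deserves saying in the comment above the check, e.g. `// A Certificate already controlled by another object is reported as an error, not re-parented.`; if migration is intended, the error needs to be recognised, `var owned *controllerutil.AlreadyOwnedError; if errors.As(err, &owned) { ... }`, and the stale reference removed before calling `SetControllerReference` again. Either way the wrapped error on line 531 could name the current controller so the stuck state is diagnosable from logs. The `|| ownerRefChanged` in the second hunk is correct only for the no-controller case, since the first branch never reaches it otherwise. The enclosing `ensureListenerCertificates` starts and ends outside both hunks.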
