Do not rewrite cert-id on service if existing certificate is valid

Author: nicktate

cloud-controller-manager/do/certificates_test.go

@@ -134,8 +134,8 @@ func Test_LBaaSCertificateScenarios(t *testing.T) {
 				certService.store[cert.ID] = cert
 				return service
 			},
-			expectedServiceCertID: "lb-cert-id",
-			expectedLBCertID:      "lb-cert-id",
+			expectedServiceCertID: "service-cert-id",
+			expectedLBCertID:      "service-cert-id",
 		},
 		{
 			name: "[letsencrypt] LB cert ID exists and service cert ID does not",

cloud-controller-manager/do/loadbalancers.go

@@ -326,6 +326,19 @@ func getCertificateIDFromLB(lb *godo.LoadBalancer) string {
 // Load Balancer.
 func (l *loadBalancers) recordUpdatedLetsEncryptCert(ctx context.Context, service *v1.Service, lbCertID, serviceCertID string) error {
 	if lbCertID != "" && lbCertID != serviceCertID {
+		svcCert, _, err := l.resources.gclient.Certificates.Get(ctx, serviceCertID)
+		if err != nil {
+			respErr, ok := err.(*godo.ErrorResponse)
+			if !ok || respErr.Response.StatusCode != http.StatusNotFound {
+				return fmt.Errorf("failed to get DO certificate for service: %s", err)
+			}
+		}
+
+		// The given certificate on the service exists, pass through so the LB is updated
+		if svcCert != nil {
+			return nil
+		}
+
 		lbCert, _, err := l.resources.gclient.Certificates.Get(ctx, lbCertID)
 		if err != nil {
 			respErr, ok := err.(*godo.ErrorResponse)