percona · pooknull · Aug 11, 2025 · Aug 11, 2025 · Aug 12, 2025
@@ -36,11 +36,11 @@ spec:
 status:
   conditions:
     - message: Certificate is up to date and has not expired
-      observedGeneration: 1
+      observedGeneration: 2
       reason: Ready
       status: 'True'
       type: Ready
-  revision: 1
+  revision: 2
 ---
 apiVersion: apps/v1
 kind: StatefulSet

@@ -17,5 +17,6 @@ commands:
         "*.gr-tls-cert-manager-orchestrator.'"${NAMESPACE}"'.svc",
         "*.gr-tls-cert-manager-router",
         "*.gr-tls-cert-manager-router.'"${NAMESPACE}"'",
-        "*.gr-tls-cert-manager-router.'"${NAMESPACE}"'.svc"
+        "*.gr-tls-cert-manager-router.'"${NAMESPACE}"'.svc",
+        "mysql-1.example.com"
       ]'
@@ -36,19 +36,19 @@ spec:
 status:
   conditions:
     - message: Certificate is up to date and has not expired
-      observedGeneration: 1
+      observedGeneration: 2
       reason: Ready
       status: 'True'
       type: Ready
-  revision: 2
+  revision: 3
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  generation: 2
+  generation: 3
   name: gr-tls-cert-manager-mysql
 status:
-  observedGeneration: 2
+  observedGeneration: 3
   replicas: 3
   readyReplicas: 3
 ---
@@ -64,7 +64,7 @@ metadata:
     app.kubernetes.io/part-of: percona-server
     app.kubernetes.io/version: v0.11.0
 status:
-  observedGeneration: 2
+  observedGeneration: 3
   replicas: 3
   updatedReplicas: 3
   readyReplicas: 3

@@ -36,11 +36,11 @@ spec:
 status:
   conditions:
     - message: Certificate is up to date and has not expired
-      observedGeneration: 1
+      observedGeneration: 2
       reason: Ready
       status: 'True'
       type: Ready
-  revision: 1
+  revision: 2
 ---
 apiVersion: apps/v1
 kind: StatefulSet

@@ -17,5 +17,6 @@ commands:
         "*.tls-cert-manager-orchestrator.'"${NAMESPACE}"'.svc",
         "*.tls-cert-manager-router",
         "*.tls-cert-manager-router.'"${NAMESPACE}"'",
-        "*.tls-cert-manager-router.'"${NAMESPACE}"'.svc"
+        "*.tls-cert-manager-router.'"${NAMESPACE}"'.svc",
+        "mysql-1.example.com"
       ]'
@@ -36,29 +36,29 @@ spec:
 status:
   conditions:
     - message: Certificate is up to date and has not expired
-      observedGeneration: 1
+      observedGeneration: 2
       reason: Ready
       status: 'True'
       type: Ready
-  revision: 2
+  revision: 3
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  generation: 2
+  generation: 3
   name: tls-cert-manager-mysql
 status:
-  observedGeneration: 2
+  observedGeneration: 3
   replicas: 3
   readyReplicas: 3
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  generation: 2
+  generation: 3
   name: tls-cert-manager-orc
 status:
-  observedGeneration: 2
+  observedGeneration: 3
   replicas: 3
   readyReplicas: 3
 ---

@@ -14,7 +14,7 @@ commands:
 
       renew_certificate "tls-cert-manager-ssl"
 
-      sleep 10
+      sleep 20
 
       new_generation_mysql=$(kubectl -n ${NAMESPACE} get sts tls-cert-manager-mysql -o jsonpath='{.metadata.generation}')
       new_generation_haproxy=$(kubectl -n ${NAMESPACE} get sts tls-cert-manager-haproxy -o jsonpath='{.metadata.generation}')

@@ -26,18 +26,19 @@ import (
 func (r *PerconaServerMySQLReconciler) ensureTLSSecret(ctx context.Context, cr *apiv1alpha1.PerconaServerMySQL) error {
 	log := logf.FromContext(ctx)
 
-	secretObj := corev1.Secret{}
-	err := r.Client.Get(context.TODO(),
+	secret := corev1.Secret{}
+	err := r.Get(ctx,
 		types.NamespacedName{
 			Namespace: cr.Namespace,
 			Name:      cr.Spec.SSLSecretName,
 		},
-		&secretObj,
+		&secret,
 	)
-
-	// don't create ssl secret if it is created by customer not by operator
-	if err == nil && !metav1.IsControlledBy(&secretObj, cr) {
-		return nil
+	if err == nil {
+		// don't create ssl secret if it is created by customer not by operator
+		if c, err := tls.IsSecretCreatedByUser(ctx, r.Client, cr, &secret); err != nil || c {
+			return err
+		}
 	}
 
 	err = r.ensureSSLByCertManager(ctx, cr)
@@ -223,7 +224,7 @@ func (r *PerconaServerMySQLReconciler) ensureIssuer(ctx context.Context, cr *api
 			IssuerConfig: IssuerConf,
 		},
 	}
-	err := k8s.EnsureObjectWithHash(ctx, r.Client, nil, isr, r.Scheme)
+	err := k8s.EnsureObjectWithHash(ctx, r.Client, cr, isr, r.Scheme)
 	if err != nil {
 		return errors.Wrap(err, "create issuer")
 	}

@@ -2,6 +2,7 @@ package tls
 
 import (
 	"bytes"
+	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
@@ -12,7 +13,13 @@ import (
 	"sort"
 	"time"
 
+	cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	apiv1alpha1 "github.com/percona/percona-server-mysql-operator/api/v1alpha1"
 )
@@ -155,3 +162,38 @@ func DNSNamesFromCert(data []byte) ([]string, error) {
 	sort.Strings(names)
 	return names, nil
 }
+
+func IsSecretCreatedByUser(ctx context.Context, c client.Client, cr *apiv1alpha1.PerconaServerMySQL, secret *corev1.Secret) (bool, error) {
+	if metav1.IsControlledBy(secret, cr) {
+		return false, nil
+	}
+	if secret.Labels[cm.PartOfCertManagerControllerLabelKey] == "true" {
+		return isCertManagerSecretCreatedByUser(ctx, c, cr, secret)
+	}
+	return true, nil
+}
+
+func isCertManagerSecretCreatedByUser(ctx context.Context, c client.Client, cr *apiv1alpha1.PerconaServerMySQL, secret *corev1.Secret) (bool, error) {
+	if metav1.IsControlledBy(secret, cr) {
+		return false, nil
+	}
+
+	issuerName := secret.Annotations[cm.IssuerNameAnnotationKey]
+	if secret.Annotations[cm.IssuerKindAnnotationKey] != cm.IssuerKind || issuerName == "" {
+		return true, nil
+	}
+	issuer := new(cm.Issuer)
+	if err := c.Get(ctx, types.NamespacedName{
+		Name:      issuerName,
+		Namespace: secret.Namespace,
+	}, issuer); err != nil {
+		if k8serrors.IsNotFound(err) {
+			return true, nil
+		}
+		return true, errors.Wrap(err, "failed to get issuer")
+	}
+	if metav1.IsControlledBy(issuer, cr) {
+		return false, nil
+	}
+	return true, nil
+}