Skip to content

fix: cert-manager Certificate health check for Ready=False with Issuing message #26097

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
timgriffiths wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: cert-manager Certificate health check for Ready=False with Issuing message #26097

timgriffiths wants to merge 1 commit into from

Conversation

@timgriffiths
Copy link
Contributor

@timgriffiths timgriffiths commented Jan 21, 2026

Summary

Fixes cert-manager Certificate resources being incorrectly marked as "Degraded" during renewal/issuance when the Ready condition is False with an "Issuing" message, but before the separate Issuing condition type is added.

Problem

When a cert-manager Certificate is being issued or renewed, there's a race condition in the condition updates:

  1. cert-manager first sets Ready=False with a message containing "Issuing" (e.g., "Issuing certificate as Secret does not exist")
  2. Only afterward does cert-manager add the separate type: Issuing condition

The existing health check (added in commit 8886874) only looks for the Issuing condition type, missing this transitional state. This causes certificates to briefly show as "Degraded" in ArgoCD during normal renewal operations.

Solution

This PR adds an additional check: when Ready=False, also check if the message contains "Issuing". If so, return "Progressing" status instead of "Degraded".

This aligns with the existing behavior that already returns "Progressing" when the Issuing condition type is present.

Changes

  • Modified resource_customizations/cert-manager.io/Certificate/health.lua to check for "Issuing" in the Ready condition message
  • Added test case progressing_issuing_message_only.yaml to cover this scenario

Checklist

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Conventional Commits spec.
  • I've updated documentation as required by this PR.
  • I have signed my commits with DCO (gpg sign alone is not enough).
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature contribution guidelines.
  • If there are changes to the UI, I've included screenshots or videos.

@timgriffiths timgriffiths requested a review from a team as a code owner January 21, 2026 22:17
@bunnyshell
Copy link

bunnyshell bot commented Jan 21, 2026
edited
Loading

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🔵 /bns:start to start the environment
  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

ppapapetrou76
ppapapetrou76 approved these changes Jan 22, 2026
View reviewed changes
Copy link
Contributor

@ppapapetrou76 ppapapetrou76 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM @timgriffiths but can you please sign-off your commits

@timgriffiths
fix: cert-manager Certificate health check for Ready=False with Issui…
438d91c 
…ng message

This fixes a race condition where cert-manager sets Ready=False with a message
containing 'Issuing' before the Issuing condition type is added. Previously,
this would incorrectly show the certificate as Degraded instead of Progressing.

The fix checks the Ready condition's message for 'Issuing' text when
Ready=False, treating it as Progressing rather than Degraded.

Signed-off-by: Tim Griffiths <griffiths.timothy@gmail.com>
Signed-off-by: Timothy Griffiths <griffiths.timothy@gmail.com>
@timgriffiths timgriffiths force-pushed the fix/cert-manager-certificate-issuing-message branch from bff5e98 to 438d91c Compare January 22, 2026 09:09
@timgriffiths
Copy link
Contributor Author

timgriffiths commented Jan 22, 2026

@ppapapetrou76 thank you for the review. Commit sign off fixed

nitishfy
nitishfy approved these changes Jan 22, 2026
View reviewed changes
Copy link
Member

@nitishfy nitishfy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nitishfy nitishfy nitishfy approved these changes

+2 more reviewers

@ppapapetrou76 ppapapetrou76 ppapapetrou76 approved these changes

@allanyung allanyung allanyung approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@timgriffiths @ppapapetrou76 @allanyung @nitishfy