chore: clarify isCertValid

Kamil Przybyl · Kamil Przybyl · commit 4a5c7605285c · 2026-03-20T17:26:55.000+01:00
diff --git a/pkg/alb/ingress/alb_spec.go b/pkg/alb/ingress/alb_spec.go
@@ -351,8 +351,10 @@ func (r *IngressClassReconciler) cleanupCerts(ctx context.Context, ingressClass
 	return nil
 }
 
-// isCertValid checks if the certificate chain is complete. It is used for checking if
-// the cert-manager's ACME challenge is completed, or if it's sill ongoing.
+// isCertValid returns true only if the certificate chain is complete (leaf + intermediates).
+// This is critical because the Certificates API lacks an update method; once a certificate 
+// is created, it is immutable. We must wait for the full chain to avoid being stuck with 
+// a temporary placeholder or an incomplete ACME response that cannot be corrected.
 func isCertValid(secret *corev1.Secret) (bool, error) {
 	tlsCert := secret.Data["tls.crt"]
 	if tlsCert == nil {
@@ -380,7 +382,7 @@ func isCertValid(secret *corev1.Secret) (bool, error) {
 		certs = append(certs, cert)
 	}
 
-	// If there are multiple certificates, it means the chain is likely complete
+    // A single block is often an incomplete ACME response.
 	return len(certs) > 1, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -351,8 +351,10 @@ func (r *IngressClassReconciler) cleanupCerts(ctx context.Context, ingressClass`
`351`	`351`	`return nil`
`352`	`352`	`}`
`353`	`353`
`354`		`-// isCertValid checks if the certificate chain is complete. It is used for checking if`
`355`		`-// the cert-manager's ACME challenge is completed, or if it's sill ongoing.`
	`354`	`+// isCertValid returns true only if the certificate chain is complete (leaf + intermediates).`
	`355`	`+// This is critical because the Certificates API lacks an update method; once a certificate`
	`356`	`+// is created, it is immutable. We must wait for the full chain to avoid being stuck with`
	`357`	`+// a temporary placeholder or an incomplete ACME response that cannot be corrected.`
`356`	`358`	`func isCertValid(secret *corev1.Secret) (bool, error) {`
`357`	`359`	`tlsCert := secret.Data["tls.crt"]`
`358`	`360`	`if tlsCert == nil {`
`@@ -380,7 +382,7 @@ func isCertValid(secret *corev1.Secret) (bool, error) {`
`380`	`382`	`certs = append(certs, cert)`
`381`	`383`	`}`
`382`	`384`
`383`		`- // If there are multiple certificates, it means the chain is likely complete`
	`385`	`+ // A single block is often an incomplete ACME response.`
`384`	`386`	`return len(certs) > 1, nil`
`385`	`387`	`}`
`386`	`388`