Closed
Labels
kind/bug: Categorizes issue or PR as related to a bug.
Description
After recently upgrading to cert-manager 1.11.0, a previously existing `Certificate` resource which provisions a JKS keystore caused the following repeated errors in the cert-manager logs:

```
I0127 00:19:41.777614 1 secret_manager.go:94] cert-manager/certificates-issuing "msg"="applying Secret data" "key"="example-ns/example" "message"="JKS Keystore keys does not contain data" "resource_kind"="Certificate" "resource_name"="example" "resource_namespace"="example-ns" "resource_version"="v1" "secret"="example-tls"
```
Example `Certificate` resource:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example
  namespace: example-ns
spec:
  dnsNames:
    - foo.example.com
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
  keystores:
    jks:
      create: true
      passwordSecretRef:
        key: foo
        name: bar
  secretName: example-tls
```
As this is a publicly trusted cert, there was previously no need for a `truststore.jks`, and that entry is not present in the resulting secret. Manually adding `truststore.jks: foo` to the resulting secret causes the errors in cert-manager to cease.
This bug is causing cert-manager to reload the secret multiple times a second in the target namespace, causing items watching that secret to take action on each reload.
Kubernetes version 1.24.9.
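
One way to spot the rewrite loop described in this issue from cert-manager logs, as an added example that is not part of the original report and is not cert-manager's own code: it parses klog lines of the shape quoted above and reports Secrets that are applied repeatedly within one second. The `threshold` default, the helper names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# klog header, e.g. "I0127 00:19:41.777614 ": severity+MMDD, then HH:MM:SS.micros
HEADER = re.compile(r'^[IWEF](\d{4}) (\d{2}:\d{2}:\d{2})\.\d+ ')
# structured fields are logged as "name"="value"
PAIR = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"')

def parse_line(line):
    """Return (one-second bucket, fields dict), or None for non-klog lines."""
    m = HEADER.match(line)
    if not m:
        return None
    return f"{m.group(1)} {m.group(2)}", dict(PAIR.findall(line))

def find_secret_rewrite_loops(lines, threshold=2):
    """Map namespace/secret -> (peak writes in one second, last logged reason)
    for Secrets applied at least `threshold` (assumed value) times in a second."""
    per_second, reasons = Counter(), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1].get("msg") != "applying Secret data":
            continue
        second, f = parsed
        secret = f'{f.get("resource_namespace")}/{f.get("secret")}'
        per_second[(secret, second)] += 1
        reasons[secret] = f.get("message", "")
    peak = {}
    for (secret, _), n in per_second.items():
        peak[secret] = max(peak.get(secret, 0), n)
    return {s: (n, reasons[s]) for s, n in peak.items() if n >= threshold}

def _line(ts, ns, name, secret, message):
    # Constructed sample line, modelled on the log line quoted in the issue.
    return (f'I0127 {ts} 1 secret_manager.go:94] cert-manager/certificates-issuing '
            f'"msg"="applying Secret data" "key"="{ns}/{name}" "message"="{message}" '
            f'"resource_kind"="Certificate" "resource_name"="{name}" '
            f'"resource_namespace"="{ns}" "resource_version"="v1" "secret"="{secret}"')

JKS = "JKS Keystore keys does not contain data"
SAMPLE = [  # constructed input, not captured from a real cluster
    _line("00:19:41.777614", "example-ns", "example", "example-tls", JKS),
    _line("00:19:41.812001", "example-ns", "example", "example-tls", JKS),
    _line("00:19:41.901377", "example-ns", "example", "example-tls", JKS),
    _line("00:19:42.004410", "example-ns", "example", "example-tls", JKS),
    _line("00:19:41.500000", "other-ns", "other", "other-tls", "placeholder reason"),
    _line("00:19:43.500000", "other-ns", "other", "other-tls", "placeholder reason"),
    "not a klog line",
]
```

Calling `find_secret_rewrite_loops(SAMPLE)` flags only `example-ns/example-tls`, with a peak of 3 writes in one second and the JKS message as the reason.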