Secrets are not updated when key stores added/removed #5246

@kuznero

Description

Describe the bug:

When the original certificate is created:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert
spec:
  secretName: tls-secret
  issuerRef:
    name: issuer
    kind: ClusterIssuer
  usages:
    - server auth
    - client auth
  dnsNames:
    - localhost

The tls-secret Secret includes tls.crt, tls.key and ca.crt as expected. Then the cert Certificate is changed to also include:

  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: pkcs12-pass
        key: password

After this nothing happens: Certificate Manager does not try to re-create/change tls-secret and add the missing keystore.p12 file. Instead, in order to get Certificate Manager to generate the missing keystore.p12 entry, it is necessary to delete tls-secret and let Certificate Manager re-create it using the updated specification.

Expected behaviour:

Certificate Manager should detect such specification changes for a certificate and generate missing or remove extra entries whenever necessary.

Anything else we need to know?:

Environment details:

  • Kubernetes version: 1.22.6, 1.24.1 (probably most versions)
  • Cloud-provider/provisioner: Kind, AKS
  • cert-manager version: 1.8.1
  • Install method: helm

/kind bug
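The reconciliation check the report asks for, written out as an added Go example (this is not cert-manager's own code): given the keystore settings of a Certificate spec and the data keys actually present in its Secret, compute which managed keys are missing or left over, so a controller (or an operator auditing a cluster) can tell that the Secret has drifted from the spec without deleting it first. The CertificateSpec struct is a deliberately minimal stand-in for the real cert-manager.io/v1 type; the key names tls.crt, tls.key, ca.crt, keystore.p12, truststore.p12, keystore.jks and truststore.jks are the ones cert-manager writes, and the rule that ca.crt and the truststore entries only appear when the issuer returned a CA chain is an assumption of this example (the hasCA flag). The scenario in main is constructed from the report.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-in for the fields of a cert-manager.io/v1 Certificate spec that decide
// which data keys the target Secret must carry. The struct is an assumption
// made for this example, not cert-manager's own API type.
type CertificateSpec struct {
	SecretName   string
	PKCS12Create bool // spec.keystores.pkcs12.create
	JKSCreate    bool // spec.keystores.jks.create
}

// managedKeys is the full set of Secret data keys cert-manager itself writes.
// Any other key found in the Secret is left alone by this check.
var managedKeys = map[string]bool{
	"tls.crt": true, "tls.key": true, "ca.crt": true,
	"keystore.p12": true, "truststore.p12": true,
	"keystore.jks": true, "truststore.jks": true,
}

// expectedKeys returns the keys the Secret should contain for the given spec.
// hasCA reports whether the issuer returned a CA chain; ca.crt and the
// truststore entries only exist in that case (assumption of this example).
func expectedKeys(spec CertificateSpec, hasCA bool) map[string]bool {
	keys := map[string]bool{"tls.crt": true, "tls.key": true}
	if hasCA {
		keys["ca.crt"] = true
	}
	if spec.PKCS12Create {
		keys["keystore.p12"] = true
		if hasCA {
			keys["truststore.p12"] = true
		}
	}
	if spec.JKSCreate {
		keys["keystore.jks"] = true
		if hasCA {
			keys["truststore.jks"] = true
		}
	}
	return keys
}

// diffSecret compares the keys actually present in the Secret against the
// expected set. It returns the managed keys that are missing and the managed
// keys that are present but no longer wanted, both sorted. Either list being
// non-empty means the Secret is out of sync with the Certificate spec.
func diffSecret(spec CertificateSpec, hasCA bool, present []string) (missing, extra []string) {
	want := expectedKeys(spec, hasCA)
	have := make(map[string]bool, len(present))
	for _, k := range present {
		have[k] = true
	}
	for k := range want {
		if !have[k] {
			missing = append(missing, k)
		}
	}
	for k := range have {
		if managedKeys[k] && !want[k] {
			extra = append(extra, k)
		}
	}
	sort.Strings(missing)
	sort.Strings(extra)
	return missing, extra
}

// inSync is the decision a controller would make: true when nothing needs
// to be added to or removed from the Secret.
func inSync(spec CertificateSpec, hasCA bool, present []string) bool {
	missing, extra := diffSecret(spec, hasCA, present)
	return len(missing) == 0 && len(extra) == 0
}

func main() {
	// Constructed scenario from the report: the Secret was issued before
	// keystores.pkcs12.create was set, so it only holds the three base keys.
	spec := CertificateSpec{SecretName: "tls-secret", PKCS12Create: true}
	present := []string{"tls.crt", "tls.key", "ca.crt"}
	missing, extra := diffSecret(spec, true, present)
	fmt.Printf("%s: missing=%v extra=%v inSync=%v\n",
		spec.SecretName, missing, extra, inSync(spec, true, present))
}
```

In a cluster the `present` list would come from the Secret's data keys (for example `kubectl get secret tls-secret -o jsonpath='{.data}'`); a non-empty missing or extra list is exactly the drift the reporter had to resolve by deleting the Secret and letting it be re-created. Keys outside managedKeys are intentionally ignored so that user-added entries in the same Secret are never flagged for removal.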

Labels: kind/bug, lifecycle/rotten