chore: clarify isCertValid

Kamil Przybyl · Kamil Przybyl · commit d8de28ad2838 · 2026-03-20T17:39:45.000+01:00
diff --git a/pkg/alb/ingress/alb_spec.go b/pkg/alb/ingress/alb_spec.go
@@ -351,8 +351,10 @@ func (r *IngressClassReconciler) cleanupCerts(ctx context.Context, ingressClass
 	return nil
 }
 
-// isCertValid checks if the certificate chain is complete. It is used for checking if
-// the cert-manager's ACME challenge is completed, or if it's sill ongoing.
+// isCertValid checks if the certificate chain is complete (contains both a leaf and intermediate CAs).
+// This is necessary because the Certificates API only validates the match between 
+// the public and private key but it does not reject incomplete chains. Since the API lacks an update call,
+// we must wait for the full chain to avoid locking the ALB into an incomplete certificate.
 func isCertValid(secret *corev1.Secret) (bool, error) {
 	tlsCert := secret.Data["tls.crt"]
 	if tlsCert == nil {
@@ -380,7 +382,8 @@ func isCertValid(secret *corev1.Secret) (bool, error) {
 		certs = append(certs, cert)
 	}
 
-	// If there are multiple certificates, it means the chain is likely complete
+    // A valid, trusted chain must contain at least 2 certificates: 
+    // the leaf (domain) and at least one intermediate CA.
 	return len(certs) > 1, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -351,8 +351,10 @@ func (r *IngressClassReconciler) cleanupCerts(ctx context.Context, ingressClass`
`351`	`351`	`return nil`
`352`	`352`	`}`
`353`	`353`
`354`		`-// isCertValid checks if the certificate chain is complete. It is used for checking if`
`355`		`-// the cert-manager's ACME challenge is completed, or if it's sill ongoing.`
	`354`	`+// isCertValid checks if the certificate chain is complete (contains both a leaf and intermediate CAs).`
	`355`	`+// This is necessary because the Certificates API only validates the match between`
	`356`	`+// the public and private key but it does not reject incomplete chains. Since the API lacks an update call,`
	`357`	`+// we must wait for the full chain to avoid locking the ALB into an incomplete certificate.`
`356`	`358`	`func isCertValid(secret *corev1.Secret) (bool, error) {`
`357`	`359`	`tlsCert := secret.Data["tls.crt"]`
`358`	`360`	`if tlsCert == nil {`
`@@ -380,7 +382,8 @@ func isCertValid(secret *corev1.Secret) (bool, error) {`
`380`	`382`	`certs = append(certs, cert)`
`381`	`383`	`}`
`382`	`384`
`383`		`- // If there are multiple certificates, it means the chain is likely complete`
	`385`	`+ // A valid, trusted chain must contain at least 2 certificates:`
	`386`	`+ // the leaf (domain) and at least one intermediate CA.`
`384`	`387`	`return len(certs) > 1, nil`
`385`	`388`	`}`
`386`	`389`