
Commit f903b25

Kamil PrzybylKamil Przybyl
authored andcommitted
chore: clarify isCertValid
1 parent 4a8352c commit f903b25


1 file changed

+11
-6
lines changed


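--- a/pkg/alb/ingress/alb_spec.go
+++ b/pkg/alb/ingress/alb_spec.go
@@ -276,9 +276,9 @@ func (r *IngressClassReconciler) loadCerts(
 // The tls.crt should contain both the leaf certificate and the intermediate CA certificates.
 // If it contains only the leaf certificate, the ACME challenge likely hasn't finished.
 // Therefore the incomplete certificate shouldn't be loaded as the updates upon them are impossible.
-complete, err := isCertValid(secret)
+complete, err := isCertReady(secret)
 if err != nil {
-return nil, fmt.Errorf("failed to validate certificate: %w", err)
+return nil, fmt.Errorf("failed to check if certificate is ready: %w", err)
 }
 if !complete {
 // TODO: Requeue, instead of returning error - the ACME challenge hasn't finished yet
@@ -351,9 +351,13 @@ func (r *IngressClassReconciler) cleanupCerts(ctx context.Context, ingressClass
 return nil
 }
 
-// isCertValid checks if the certificate chain is complete. It is used for checking if
-// the cert-manager's ACME challenge is completed, or if it's sill ongoing.
-func isCertValid(secret *corev1.Secret) (bool, error) {
+// isCertReady checks if the certificate chain is complete (leaf + intermediates).
+// This is required during ACME challenges (e.g., cert-manager), where a race condition
+// can occur where the Secret may temporarily contain only the leaf certificate before the
+// full chain is written. Because the STACKIT Application Load Balancer Certificates API
+// only validates the cryptographic key match and is immutable (no update call),
+// we must wait for the full chain to avoid locking the ALB with an incomplete certificate.
+func isCertReady(secret *corev1.Secret) (bool, error) {
 tlsCert := secret.Data["tls.crt"]
 if tlsCert == nil {
 return false, fmt.Errorf("tls.crt not found in secret")
@@ -380,7 +384,8 @@ func isCertValid(secret *corev1.Secret) (bool, error) {
 certs = append(certs, cert)
 }
 
-// If there are multiple certificates, it means the chain is likely complete
+// A valid, trusted chain must contain at least 2 certificates:
+// the leaf (domain) and at least one intermediate CA.
 return len(certs) > 1, nil
 }
 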
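Review bot: The comment added at new lines 387-388 describes `len(certs) > 1` as establishing a "valid, trusted chain", but the check only counts PEM blocks that parsed; it does not verify that the blocks are ordered leaf-first or that the second certificate actually issued the first, so a Secret holding two unrelated or mis-ordered certificates would be reported ready and, per the new doc comment on isCertReady, then pushed to an ALB certificate that can never be updated. Since the whole reason for this gate is that a bad upload is irreversible, I would guard the issuer relationship too: `if len(certs) < 2 { return false, nil }`, then `if err := certs[0].CheckSignatureFrom(certs[1]); err != nil { return false, fmt.Errorf("tls.crt is not an ordered leaf+intermediate chain: %w", err) }`, then `return true, nil`. If tightening the check is out of scope for this commit, the comment should at least stop overstating it, e.g. `// Heuristic: a complete ACME chain has at least 2 PEM blocks (leaf + intermediate); ordering and issuer relationship are not verified here.` The PEM parsing loop that fills certs lies between the second and third hunks and is outside this view, so whether it already rejects non-certificate blocks could not be confirmed.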