Certificate not re-issued after keystore format change

[stephan2012]

Describe the bug:

When changing an existing Certificate request to issue a pkcs12 keystore instead of jks, cert-manager does not issue a new certificate. In other words, the secret still contains just keystore.jks.

Expected behaviour:

cert-manager should issue a new certificate when the keystore section in the Certificate CRD changes.

Steps to reproduce the bug:

Create a Certificate that includes something like

spec:
  keystores:
    jks:
      create: true
      passwordSecretRef:
        key: secret
        name: foobar

and change it to

spec:
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        key: secret
        name: foobar

Anything else we need to know?:

N/A

Environment details::

• Kubernetes version: v1.23.9
• Cloud-provider/provisioner: kubeadm
• cert-manager version: v1.9.1
• Install method: Helm

/kind bug

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[stephan2012]

The issue has not gone away just because there is no activity …

[wallrj]

@stephan2012 We've explored this approach in @sathyanarays 's #5597 PR, but realized that there is no need to re-issue the certificate when the desired keystore config diverges from the actual keystore config in the Secret.
Instead we are planning to alter one of the existing Secret controllers in cert-manager to encode the tls.key private key to the desired keystore formats without making certificate signing request.

I'll close this issue as a duplicate of #5246 and document the new approach there.