Metrics for updated / patched certificates should be cleaned

[rubroboletus]

Describe the bug:
We have a clusterIssuer named issuer-g2, but we have deployed ingress with annotation: "cert-manager.io/cluster-issuer: issuer-G2". In cert-manager prometheus metrics, it appeared as:

certmanager_certificate_ready_status{condition="False",issuer_group="cert-manager.io",issuer_kind="ClusterIssuer",issuer_name="issuer-G2",name="falco-ui-ingress-tls",namespace="falco"} 1

It was alerted, we have fixed the clusterIssuer name and redeployed that ingress using helm. But, metrics mentioned above is still there and also new metrics for same certificate with new clusterIssuer:

certmanager_certificate_ready_status{condition="False",issuer_group="cert-manager.io",issuer_kind="ClusterIssuer",issuer_name="issuer-G2",name="falco-ui-ingress-tls",namespace="falco"} 1
certmanager_certificate_ready_status{condition="False",issuer_group="cert-manager.io",issuer_kind="ClusterIssuer",issuer_name="issuer-g2",name="falco-ui-ingress-tls",namespace="falco"} 0
certmanager_certificate_ready_status{condition="True",issuer_group="cert-manager.io",issuer_kind="ClusterIssuer",issuer_name="issuer-G2",name="falco-ui-ingress-tls",namespace="falco"} 0
certmanager_certificate_ready_status{condition="True",issuer_group="cert-manager.io",issuer_kind="ClusterIssuer",issuer_name="issuer-g2",name="falco-ui-ingress-tls",namespace="falco"} 1
certmanager_certificate_ready_status{condition="Unknown",issuer_group="cert-manager.io",issuer_kind="ClusterIssuer",issuer_name="issuer-G2",name="falco-ui-ingress-tls",namespace="falco"} 0
certmanager_certificate_ready_status{condition="Unknown",issuer_group="cert-manager.io",issuer_kind="ClusterIssuer",issuer_name="issuer-g2",name="falco-ui-ingress-tls",namespace="falco"} 0

Expected behaviour:
When ingress / certificate object is modiffied / recreated, metrics for non-existing object should be deleted.

Steps to reproduce the bug:

1. create ingress with wrong clusterIssuer name in annotation
2. fix the clusterIssuer name in ingress
3. check cert-manager metrics

Anything else we need to know?:

Environment details::

• Kubernetes version: 1.30
• Cloud-provider/provisioner: AWS
• cert-manager version: 1.14.4
• Install method: helm

/kind bug

[ThatsMrTalbot]

If you redeployed i'm assuming the pods have been rolled? cert-manager does not persist metric information on restart.

If you curl the metric endpoint do you see incorrect metrics?

/priority awaiting-more-evidence

[rubroboletus]

If you redeployed i'm assuming the pods have been rolled? cert-manager does not persist metric information on restart.

If you curl the metric endpoint do you see incorrect metrics?

/priority awaiting-more-evidence

Lets make a demo:

1. without certificate
   
2. create Certificate object with wrong cluster issuer

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: falco
  namespace: rh-test
spec:
  secretName: falco-tls
  duration: 6h
  renewBefore: 3h
  commonName: falco.pg.moneta-containers.net
  isCA: false
  privateKey:
    algorithm: ECDSA
    encoding: PKCS1
    size: 256
  usages:
    - server auth
  dnsNames:
  - falco.pg.moneta-containers.net
  issuerRef:
    name: moneta-containers-G2
    kind: ClusterIssuer
    group: cert-manager.io

3. curl | grep falco
   
4. fix clusterIssuer in manifest and kubectl apply -f ...
5. curl | grep falco
   
6. restart cert-manager pods
7. curl | grep falco
   

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[rubroboletus]

/remove-lifecycle stale

[mhoyer]

This looks quite related to #7249 (if not a duplicate).

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[micw]

#7249 is closed but not fixed because of a stupid bot.
This one here is still valid and not stale.
The metrics are useless for monitoring if they are not cleared!

[erikgb]

/remove-lifecycle stale

This might be possible to fix by migrating to the collector approach we are trying out in #7736. CC: @hjoshi123

[hjoshi123]

Yup.. I am trying to fix it by migrating it to the collector.. we already created a collector for cert challenges.
/assign