Merge pull request #655 from securesign/fix-fulcio-key-rotation

SECURESIGN-1405 | Fulcio key-rotation procedure does not work as expected
securesign · Sep 27, 2024 · b93b253 · b93b253
2 parents dd9537a + 0515aaf
commit b93b253
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/internal/controller/fulcio/actions/generate_cert.go b/internal/controller/fulcio/actions/generate_cert.go
@@ -40,8 +40,10 @@ func (g handleCert) Name() string {
 
 func (g handleCert) CanHandle(_ context.Context, instance *v1alpha1.Fulcio) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
+	cert := meta.FindStatusCondition(instance.Status.Conditions, CertCondition)
 	return (c.Reason == constants.Pending || c.Reason == constants.Ready) && (instance.Status.Certificate == nil ||
-		!equality.Semantic.DeepDerivative(instance.Spec.Certificate, *instance.Status.Certificate))
+		!equality.Semantic.DeepDerivative(instance.Spec.Certificate, *instance.Status.Certificate)) &&
+		cert.Reason != constants.Creating
 }
 
 func (g handleCert) Handle(ctx context.Context, instance *v1alpha1.Fulcio) *action.Result {
@@ -54,6 +56,9 @@ func (g handleCert) Handle(ctx context.Context, instance *v1alpha1.Fulcio) *acti
 		)
 		return g.StatusUpdate(ctx, instance)
 	}
+	meta.FindStatusCondition(instance.Status.Conditions, CertCondition).Reason = constants.Creating
+	g.StatusUpdate(ctx, instance)
+
 	if instance.Spec.Certificate.PrivateKeyRef == nil && instance.Spec.Certificate.CARef != nil {
 		err := fmt.Errorf("missing private key for CA certificate")
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{