From 0515aaf8e6b9c60a52f708e0527a5982fabfd76c Mon Sep 17 00:00:00 2001
From: JasonPowr
Date: Fri, 27 Sep 2024 09:33:39 +0100
Subject: [PATCH] fix-fulcio-key-rotation

---
 internal/controller/fulcio/actions/generate_cert.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/controller/fulcio/actions/generate_cert.go b/internal/controller/fulcio/actions/generate_cert.go
index 3a14cecad..d468d6b9f 100644
--- a/internal/controller/fulcio/actions/generate_cert.go
+++ b/internal/controller/fulcio/actions/generate_cert.go
@@ -40,8 +40,10 @@ func (g handleCert) Name() string {
 
 func (g handleCert) CanHandle(_ context.Context, instance *v1alpha1.Fulcio) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
+	cert := meta.FindStatusCondition(instance.Status.Conditions, CertCondition)
 	return (c.Reason == constants.Pending || c.Reason == constants.Ready) && (instance.Status.Certificate == nil ||
-		!equality.Semantic.DeepDerivative(instance.Spec.Certificate, *instance.Status.Certificate))
+		!equality.Semantic.DeepDerivative(instance.Spec.Certificate, *instance.Status.Certificate)) &&
+		cert.Reason != constants.Creating
 }
 
 func (g handleCert) Handle(ctx context.Context, instance *v1alpha1.Fulcio) *action.Result {
@@ -54,6 +56,9 @@ func (g handleCert) Handle(ctx context.Context, instance *v1alpha1.Fulcio) *acti
 	)
 	return g.StatusUpdate(ctx, instance)
 }
+	meta.FindStatusCondition(instance.Status.Conditions, CertCondition).Reason = constants.Creating
+	g.StatusUpdate(ctx, instance)
+
 	if instance.Spec.Certificate.PrivateKeyRef == nil && instance.Spec.Certificate.CARef != nil {
 		err := fmt.Errorf("missing private key for CA certificate")
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
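Review bot: `cert.Reason != constants.Creating` in CanHandle dereferences the result of `meta.FindStatusCondition` without a nil check, and that call returns nil whenever no condition of type CertCondition is present yet, so a Fulcio instance that has never had its certificate condition set will panic the reconciler on the first pass; the same unguarded dereference appears in the second hunk, where `.Reason = constants.Creating` is assigned through the lookup result. A nil-safe form is `creating := cert != nil && cert.Reason == constants.Creating` followed by `&& !creating` at the end of the return expression. CanHandle is fully contained in this hunk, and the pre-existing `c.Reason` access carries the same latent risk, though the commit does not touch it.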
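Review bot: The result of `g.StatusUpdate(ctx, instance)` after the new Creating assignment in Handle is discarded, unlike the `return g.StatusUpdate(ctx, instance)` a few lines above, so if persisting the status fails the Creating marker never reaches the API server and the new CanHandle guard cannot take effect, while the function proceeds to generate the certificate anyway. Replacing the in-place field assignment with `meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: CertCondition, Status: metav1.ConditionFalse, Reason: constants.Creating})` would match the other condition updates in this function, create the condition when it is absent, and keep its transition bookkeeping consistent. Because Handle's body continues past the hunk, it is also worth confirming that every later return path resets the reason away from Creating; otherwise a failure after this point leaves CanHandle returning false on every subsequent reconcile and certificate rotation stalls silently.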