CA cert already owned by another controller #1981

@dobesv

Report

When trying to set up a new database using the controller, it gives an error creating the certificate. It hits the error "Object mongodb/stagingdb-ca-cert is already owned by another Certificate controller stagingdb-ca-cert"

More about the problem

The error comes from this line:

https://github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/controller/controllerutil/controllerutil.go#L45

The error message:

TLS secrets handler: "create ssl by cert-manager: update cert mangager
        certs: failed to apply cert-manager certificates: failed to wait for ca
        cert: set controller reference: Object mongodb/stagingdb-ca-cert is
        already owned by another Certificate controller stagingdb-ca-cert".
        Please create your TLS secret stagingdb-ssl manually or setup
        cert-manager correctly

When cert-manager creates the secret it does set the Certificate as the controlling owner; it seems like when this operator also tries to set the controller, it gives this error.

Steps to reproduce

Try to set up a new mongodb cluster in a Kubernetes cluster with cert-manager installed, where cert-manager has the option --enable-certificate-owner-ref=true. Note that this argument appears to be the default for kops-created clusters.

Versions

  1. Kubernetes 1.30.12
  2. Operator 1.20.1

Anything else?

No response
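
The ownership conflict described in this report, reduced to a stand-alone Go model (an added example, not code from the operator, cert-manager or controller-runtime). The types are simplified stand-ins and `OperatorOwner`, with its group and kind, is hypothetical; the Secret and Certificate names are the ones in the error message above.

```go
package main

import "fmt"

// OwnerRef and Object are cut-down stand-ins for a metadata.ownerReferences
// entry and for the namespaced object (here a Secret) that carries them.
type OwnerRef struct {
	Group, Kind, Name string
	Controller        bool
}
type Object struct {
	Namespace, Name string
	Owners          []OwnerRef
}

func sameOwner(a, b OwnerRef) bool {
	return a.Group == b.Group && a.Kind == b.Kind && a.Name == b.Name
}

// SetController makes owner the controlling owner of obj. Only one owner may
// have controller=true, so a different existing controller is a conflict.
func SetController(obj *Object, owner OwnerRef) error {
	owner.Controller = true
	for _, ref := range obj.Owners {
		if ref.Controller && !sameOwner(ref, owner) {
			return fmt.Errorf("Object %s/%s is already owned by another %s controller %s",
				obj.Namespace, obj.Name, ref.Kind, ref.Name)
		}
	}
	for i, ref := range obj.Owners {
		if sameOwner(ref, owner) {
			obj.Owners[i] = owner // same owner again: update in place
			return nil
		}
	}
	obj.Owners = append(obj.Owners, owner)
	return nil
}

// CASecret: the CA Secret after cert-manager has made the Certificate its controller.
func CASecret() *Object {
	cert := OwnerRef{"cert-manager.io", "Certificate", "stagingdb-ca-cert", true}
	return &Object{"mongodb", "stagingdb-ca-cert", []OwnerRef{cert}}
}

// OperatorOwner is a hypothetical stand-in for the operator's own resource.
var OperatorOwner = OwnerRef{Group: "example.com", Kind: "DatabaseCluster", Name: "stagingdb"}

func main() { fmt.Println(SetController(CASecret(), OperatorOwner)) }
```

Listing the Secret's `metadata.ownerReferences` on the affected cluster shows which entry already carries `controller: true`.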
