Merge pull request #9898 from vbotbuildovich/backport-fixes-to-v23.1.…

…x-931

[v23.1.x] operator: do not fail if certificate secret is not yet created

src/go/k8s/pkg/resources/certmanager/type_helpers.go

@@ -20,6 +20,7 @@ import (
 	cmmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -334,6 +335,15 @@ func isSelfSigned(ctx context.Context, nodeSecretRef *corev1.ObjectReference, ex
 		var secret corev1.Secret
 		err := k8sClient.Get(ctx, types.NamespacedName{Name: nodeSecretRef.Name, Namespace: nodeSecretRef.Namespace}, &secret)
 		if err != nil {
+			if k8serrors.IsNotFound(err) {
+				// let's assume that the certificate is not self-signed if the
+				// secret is not yet present at cluster creation time. The pods
+				// would not start until the secret is created and, at that
+				// time, a new reconcile loop will fix any inconsistencies.
+				// This allows referencing an external (shared) Certificate by
+				// pointing to its target secret.
+				return false, nil
+			}
 			return false, err
 		}
 		_, ok := secret.Data[cmmetav1.TLSCAKey]