Should upgrade status managed fields from CSA to SSA when ServerSideApply feature gate enabled

[erikgb]

Describe the bug:

We enabled the cert-manager ServerSideApply feature gate in our clusters some time ago (months). While this has been working perfectly fine, I notice that resources managedFields seem incorrect. This is not an immediate issue, but could get problematic if some fields transition to unset as the desired state.

One random example (irrelevant fields omitted for clarity) is below. It seems like all/most cert-manager resources are affected, so this is a generic issue.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  creationTimestamp: '2023-09-19T10:23:42Z'
  managedFields:
    - apiVersion: cert-manager.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          'f:conditions':
            'k:{"type":"Issuing"}':
              .: {}
              'f:lastTransitionTime': {}
              'f:message': {}
              'f:observedGeneration': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
          'f:revision': {}
      manager: cert-manager-certificates-issuing
      operation: Apply
      subresource: status
      time: '2024-04-26T13:12:18Z'
    - apiVersion: cert-manager.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          'f:conditions':
            'k:{"type":"Issuing"}':
              .: {}
              'f:lastTransitionTime': {}
              'f:observedGeneration': {}
              'f:type': {}
      manager: cert-manager-certificates-trigger
      operation: Apply
      subresource: status
      time: '2024-04-26T13:12:18Z'
    - apiVersion: cert-manager.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:status': {}
      manager: cert-manager-certificates-key-manager
      operation: Apply
      subresource: status
      time: '2024-04-26T13:12:19Z'
    - apiVersion: cert-manager.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          'f:conditions':
            'k:{"type":"Ready"}':
              .: {}
              'f:lastTransitionTime': {}
              'f:message': {}
              'f:observedGeneration': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
          'f:notAfter': {}
          'f:notBefore': {}
          'f:renewalTime': {}
      manager: cert-manager-certificates-readiness
      operation: Apply
      subresource: status
      time: '2024-04-26T13:12:19Z'
    - apiVersion: cert-manager.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          .: {}
          'f:conditions':
            .: {}
            'k:{"type":"Ready"}':
              .: {}
              'f:observedGeneration': {}
              'f:type': {}
      manager: cert-manager-certificates-readiness
      operation: Update
      subresource: status
      time: '2023-09-26T13:13:32Z'
status:
  conditions:
    - lastTransitionTime: '2024-01-24T13:11:58Z'
      message: Certificate is up to date and has not expired
      observedGeneration: 2
      reason: Ready
      status: 'True'
      type: Ready
    - lastTransitionTime: '2024-04-26T13:12:18Z'
      message: The certificate has been successfully issued
      observedGeneration: 2
      reason: Issued
      status: 'False'
      type: Issuing
  notAfter: '2024-05-02T13:12:18Z'
  notBefore: '2024-04-26T13:11:48Z'
  renewalTime: '2024-04-29T13:12:18Z'
  revision: 78

Expected behaviour:

No managedFields with any cert-manager component as manager has operation: Update

Steps to reproduce the bug:

I am not sure if this is a complete reproducer, but I would expect it to be:

1. Install cert-manager with default options.
2. Create a Certificate and wait for it to be fully reconciled.
3. Enable cert-manager ServerSideApply feature gate.
4. Wait for the existing Certificate to be fully reconciled - ideally also renewed.

Anything else we need to know?:

I suspect #6364 to be related, but it might not also be. Anyway, it shows the kind of issues that may arise if this bug remains unfixed.

I would be happy to submit a PR to fix this, but first I think we need to discuss the details of the preferred approach to fix it. After migrating some of our own operators from CSA to SSA, I would like to use K8s client-go UpgradeManagedFields helper - which is used by kubectl to perform the same task. After kubernetes/kubernetes#123484 it is also possible to upgrade managed fields for the status subresource.

Environment details::

• Kubernetes version: 1.27 (OpenShift 4.14)
• Cloud-provider/provisioner: on-prem
• cert-manager version: 1.14.5
• Install method: e.g. helm/static manifests: Helm as master, but inflated to manifests and installed using kustomize.

/kind bug

[inteon]

Hi @erikgb,
Indeed, it seems like cert-manager does not cleanup the managedFields very well.
However, I think the managedFields that you show in this PR would not cause any problems, right?
As far as I understand, the Ready condition's ownership is shared between the Apply and Update operation.
This will probably only result in an issue/ bug if we were to remove the Ready condition, which is something that cert-manager does not do (I think).