Using cert-manager operator 1.11.0 provided by "The cert-manager maintainers".

My yaml is as follows:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hfeqm03-selfsigned-cert
  namespace: mq
spec:
  commonName: hfeqm03
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  secretName: hfeqm03-selfsigned-cert
  subject:
    organizations:
    - IBM

When I apply this, the system generates a Secret called hfeqm03-selfsigned-cert-czqj4 - in other words it appends characters to the end of what I specified in spec: secretName. This does not match what the documentation says here: https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources

My question is: Why does the final name of the resulting Secret not match what I specified in spec: secretName?

Looking at the Status and Events of the generated Certificate, I see the following.

Status:
  Conditions:
    Last Transition Time:        2023-03-22T10:34:31Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
    Last Transition Time:        2023-03-22T10:34:33Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
  Next Private Key Secret Name:  hfeqm03-selfsigned-cert-czqj4
Events:
  Type    Reason     Age                   From                                       Message
  ----    ------     ----                  ----                                       -------
  Normal  Issuing    4m18s                 cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Requested  4m16s                 cert-manager-certificates-request-manager  Created new CertificateRequest resource "hfeqm03-selfsigned-cert-pk22n"
  Normal  Requested  4m16s                 cert-manager-certificates-request-manager  Created new CertificateRequest resource "hfeqm03-selfsigned-cert-f9f5s"
  Normal  Generated  4m9s                  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "hfeqm03-selfsigned-cert-chv7v"
  Normal  Generated  4m8s (x2 over 4m17s)  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "hfeqm03-selfsigned-cert-czqj4"
  Normal  Requested  4m7s                  cert-manager-certificates-request-manager  Created new CertificateRequest resource "hfeqm03-selfsigned-cert-wzxvl"
  Normal  Requested  4m7s                  cert-manager-certificates-request-manager  Created new CertificateRequest resource "hfeqm03-selfsigned-cert-8rqzz"

I am expecting some sort of message saying something like Moved new private key from temporary Secret resource "hfeqm03-selfsigned-cert-czqj4" to permanent Secret resource "hfeqm03-selfsigned-cert".

1 Answer

I have resolved my problem.

The underlying error was that the ClusterIssuer that was referenced by my Certificate yaml did not exist!

However, instead of barfing at the point of trying to create a Certificate, my Certificate was created. And it had the qualities/characteristics that I didn't recognise, and that I listed in my question.

Solution: I created my ClusterIssuer, and then it all worked as expected. (My Certificate was created, and my Secret was created, with the required name.)
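
A check for the situation this answer describes, as an added example that is not part of the original post: it reads the Certificate's spec.issuerRef and confirms the referenced issuer exists, then reports the Ready condition. The function names are hypothetical, and it assumes kubectl access to the cluster and the default issuerRef group cert-manager.io.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes kubectl can reach the cluster and that issuerRef.group is the
# default cert-manager.io.

# check_issuer_ref NAMESPACE CERT_NAME
# Returns 0 if the issuer named in spec.issuerRef exists, 1 if it is missing,
# 2 if the Certificate itself cannot be read.
check_issuer_ref() {
  local ns="$1" cert="$2" name kind
  name=$(kubectl get certificates.cert-manager.io "$cert" -n "$ns" \
    -o jsonpath='{.spec.issuerRef.name}') || return 2
  kind=$(kubectl get certificates.cert-manager.io "$cert" -n "$ns" \
    -o jsonpath='{.spec.issuerRef.kind}') || return 2
  kind="${kind:-Issuer}"   # cert-manager treats an omitted kind as Issuer

  if [ "$kind" = "ClusterIssuer" ]; then
    # ClusterIssuers are cluster-scoped, so no namespace flag
    kubectl get clusterissuers.cert-manager.io "$name" -o name >/dev/null 2>&1
  else
    # An Issuer must live in the same namespace as the Certificate
    kubectl get issuers.cert-manager.io "$name" -n "$ns" -o name >/dev/null 2>&1
  fi || {
    echo "$kind \"$name\" referenced by Certificate $ns/$cert does not exist" >&2
    return 1
  }
  echo "$kind \"$name\" exists"
}

# cert_ready NAMESPACE CERT_NAME
# Prints the status of the Ready condition (True, False, or empty if unset).
cert_ready() {
  kubectl get certificates.cert-manager.io "$2" -n "$1" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
}

# Usage with the names from the question:
#   check_issuer_ref mq hfeqm03-selfsigned-cert && cert_ready mq hfeqm03-selfsigned-cert
```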