From fbf57894ebc2930dce6269c051757dbf0b90860d Mon Sep 17 00:00:00 2001
From: Martin Weindel
Date: Fri, 20 Dec 2019 14:36:53 +0100
Subject: [PATCH] reuse existing secret labels and annotations

---
 pkg/controller/issuer/certificate/reconciler.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkg/controller/issuer/certificate/reconciler.go b/pkg/controller/issuer/certificate/reconciler.go
index 2e4a24bf..15976514 100644
--- a/pkg/controller/issuer/certificate/reconciler.go
+++ b/pkg/controller/issuer/certificate/reconciler.go
@@ -514,10 +514,16 @@ func (r *certReconciler) writeCertificateSecret(objectMeta metav1.ObjectMeta, ce
 secret.SetNamespace(namespace)
 if secretName != nil {
 secret.SetName(*secretName)
+ // reuse existing secret (especially keep existing annotations and labels)
+ obj, err := r.targetCluster.Resources().GetObject(secret)
+ if err == nil {
+ secret = obj.Data().(*corev1.Secret)
+ }
 } else {
 secret.SetGenerateName(objectMeta.GetName() + "-")
 }
- secret.Labels = map[string]string{LabelCertificateHashKey: specHash, LabelCertificateKey: "true"}
+ resources.SetLabel(secret, LabelCertificateHashKey, specHash)
+ resources.SetLabel(secret, LabelCertificateKey, "true")
 secret.Data = legobridge.CertificatesToSecretData(certificates)
 if r.cascadeDelete {
 ownerReferences := []metav1.OwnerReference{{APIVersion: api.Version, Kind: api.CertificateKind, Name: objectMeta.GetName(), UID: objectMeta.GetUID()}}
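Review bot: The `GetObject(secret)` lookup in the `secretName != nil` branch treats every error as "secret does not exist", so a transient API failure or an RBAC denial falls through with a blank object and the labels and annotations this change is meant to keep may still be lost on the later write, which is outside the hunk. Only a not-found result should continue; any other error should be returned, e.g. `} else if !apierrors.IsNotFound(err) {` followed by an error return matching the function's signature, which is cut off in the hunk header (`apierrors` standing for k8s.io/apimachinery/pkg/api/errors). The unchecked assertion `obj.Data().(*corev1.Secret)` panics on an unexpected type, so the comma-ok form `s, ok := obj.Data().(*corev1.Secret)` is safer. Adopting the fetched object also carries over its type, owner references and finalizers, and `secret.Data` is then replaced wholesale. Before reusing a user-named secret that this controller may not have created, it is worth checking that it already carries `LabelCertificateKey`, or copying only its labels and annotations onto the new object.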