cert-manager · hjoshi123 · Nov 6, 2025 · inteon · Nov 12, 2025 · ThatsMrTalbot
diff --git a/controllers/combined_controller.go b/controllers/combined_controller.go
@@ -138,6 +138,7 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 
 				Client:                   cl,
 				Sign:                     r.Sign,
+				IgnoreIssuer:             r.IgnoreIssuer,
 				IgnoreCertificateRequest: r.IgnoreCertificateRequest,
 				EventRecorder:            r.EventRecorder,
 				Clock:                    r.Clock,
@@ -164,6 +165,7 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 
 				Client:                   cl,
 				Sign:                     r.Sign,
+				IgnoreIssuer:             r.IgnoreIssuer,
 				IgnoreCertificateRequest: r.IgnoreCertificateRequest,
 				EventRecorder:            r.EventRecorder,
 				Clock:                    r.Clock,

diff --git a/controllers/issuer_controller.go b/controllers/issuer_controller.go
@@ -142,6 +142,17 @@ func (r *IssuerReconciler) reconcileStatusPatch(
 		return result, nil, fmt.Errorf("unexpected get error: %v", err) // requeue with backoff
 	}
 
+	if r.IgnoreIssuer != nil {
+		ignore, err := r.IgnoreIssuer(ctx, issuer)
+		if err != nil {
+			return result, nil, fmt.Errorf("failed to check if issuer should be ignored: %v", err) // requeue with backoff
+		}
+		if ignore {
+			logger.V(1).Info("IgnoreIssuer() returned true. Ignoring.")
+			return result, nil, nil // done
+		}
+	}
+
 	readyCondition := conditions.GetIssuerStatusCondition(issuer.GetConditions(), v1alpha1.IssuerConditionTypeReady)
 
 	// Ignore Issuer if it is already permanently Failed

diff --git a/controllers/request_controller.go b/controllers/request_controller.go
@@ -66,6 +66,10 @@ type RequestController struct {
 	// and Kubernetes CSR controllers from reconciling a Request resource.
 	signer.IgnoreCertificateRequest
 
+	// IgnoreIssuer is an optional function that can prevent the Request
+	// and Kubernetes CSR controllers from reconciling an issuer resource.
+	signer.IgnoreIssuer
+
 	// EventRecorder is used for creating Kubernetes events on resources.
 	EventRecorder record.EventRecorder
 
@@ -236,16 +240,35 @@ func (r *RequestController) reconcileStatusPatch(
 
 	if err := r.Client.Get(ctx, issuerName, kubeutil.ObjectForIssuer(issuerObject)); err != nil && apierrors.IsNotFound(err) {
 		logger.V(1).Info("Issuer not found. Waiting for it to be created")
-		statusPatch.SetWaitingForIssuerExist(err)
+		if r.IgnoreIssuer == nil {
+			statusPatch.SetWaitingForIssuerExist(err)
+		}
 
 		return result, statusPatch, nil // apply patch, done
 	} else if err != nil {
 		logger.V(1).Error(err, "Unexpected error while getting Issuer")
-		statusPatch.SetUnexpectedError(err)
+
+		if r.IgnoreIssuer == nil {
+			statusPatch.SetUnexpectedError(err)
+		}
 
 		return result, nil, fmt.Errorf("unexpected get error: %v", err) // requeue with backoff
 	}
 
+	if r.IgnoreIssuer != nil {
+		ignore, err := r.IgnoreIssuer(ctx, issuerObject)
+
+		if err != nil {
+			logger.V(1).Error(err, "Unexpected error while checking if Request should be ignored")
+			return result, nil, fmt.Errorf("failed to check if Request should be ignored: %v", err) // requeue with backoff
+		}
+
+		if ignore {
+			logger.V(1).Info("Ignoring Request")
+			return result, nil, nil // done
+		}
+	}
+
 	readyCondition := conditions.GetIssuerStatusCondition(
 		issuerObject.GetConditions(),
 		v1alpha1.IssuerConditionTypeReady,