[BUG] AGC ALB Controller and Cert-Manager certificate auto generation

[danil2308]

Describe the bug
I'm trying to auto generate my certificates using cert-manager.io/cluster-issuer annotation on my Gateway resource but the alb-controller is not able to program the Gateway resource as the https listener is using a certificate that hasn't been signed by Let's Encrypt (as the Gateway is not programmed so the http listener is not working either, preventing cert-manager from doing domain validations)

I'd say this is related to next two issues:
#4864
#4758

I've followed next guide https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/how-to-cert-manager-lets-encrypt-gateway-api?tabs=byo, it works if I follow next individual steps

1. Create an http listener
2. Create an independent certificate object
3. Add an https listener

But it doesn't when using cluster-issuer annotation and hostname listener.spec which is a cert-manager feature exposed at https://cert-manager.io/docs/usage/gateway/

To Reproduce

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-01
  namespace: $NAMESPACE
  annotations:
    alb.networking.azure.io/alb-id: $ALB_ID
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: azure-alb-external
  listeners:
  - name: http-listener
    protocol: HTTP
    port: 80
    allowedRoutes:
        namespaces:
          from: All
  - name: HTTPS-listener
    protocol: HTTPS
    port: 443
    hostname: $FQDN
    tls:
      mode: Terminate
      certificateRefs:
        - name: $CERTIFICATE_NAME
    allowedRoutes:
        namespaces:
          from: All
  addresses:
  - type: alb.networking.azure.io/alb-frontend
    value: appgwcontainers

Expected behavior
I'd expect the Gateway resource to be programmed and start listening on the http listener to allow cert-manager to perform its domain validation, sign the certificate and once the k8s secret is created; the gateway https listener would start working.
Screenshots

Environment (please complete the following information):

$ kubectl version
Client Version: v1.33.3
Kustomize Version: v5.6.0
Server Version: v1.32.7
alb-controller version: 1.8.12
cert-manager version: 1.19.2

Additional context
I can confirm the certificate object is being created by cert-manager, yet it doesn't generate the secret object as it cannot validate the domain ownership.

[danil2308]

To whoever that may result interested, things seem to be working when using the next two annotation on the gateway resource,

    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/issue-temporary-certificate: "true"

I still haven't decided whether to use this approach on a production-like environment.

[microsoft-github-policy-service]

@JackStromberg, @chasewilson would you be able to assist?

[JackStromberg]

Hello,

This is unfortunately expected behavior. If no certificate is present, the configuration cannot reconcile because the required secret does not exist. Using cert‑manager to issue a temporary certificate (as triggered by the annotation) provides a placeholder that allows the configuration to reconcile successfully. This is an effective approach when you want to configure everything at once rather than first creating the HTTP listener (which won't have the secret reference that doesn't exist) and adding HTTPS after the certificate is issued (as described in the documentation).

Hope this helps!
Jack