From b91a61d800fb271fc62f8d237df6b13cadcbc540 Mon Sep 17 00:00:00 2001
From: Rene Dekker <rene@tigera.io>
Date: Fri, 30 Jan 2026 16:25:01 -0800
Subject: [PATCH] fix(bad unit test): The unit test was missing a test case and
 also did not actually test the replacement functionality.

---
 .../certificatemanager/certificatemanager_test.go   | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/pkg/controller/certificatemanager/certificatemanager_test.go b/pkg/controller/certificatemanager/certificatemanager_test.go
index 34e3a94539..15f4b8c1c1 100644
--- a/pkg/controller/certificatemanager/certificatemanager_test.go
+++ b/pkg/controller/certificatemanager/certificatemanager_test.go
@@ -502,13 +502,24 @@ var _ = Describe("Test CertificateManagement suite", func() {
 			By("verifying it does replace a secret when dns names are missing")
 			keyPair, err := certificateManager.GetOrCreateKeyPair(cli, appSecretName, appNs, appDNSNames)
 			Expect(err).NotTo(HaveOccurred())
+			Expect(cli.Create(ctx, keyPair.Secret(appNs))).NotTo(HaveOccurred())
+			Expect(err).NotTo(HaveOccurred())
 			test.VerifyCertSANs(keyPair.GetCertificatePEM(), appDNSNames...)
 			keyPair, err = certificateManager.GetOrCreateKeyPair(cli, appSecretName, appNs, missingDNSNames)
 			Expect(err).NotTo(HaveOccurred())
 			test.VerifyCertSANs(keyPair.GetCertificatePEM(), missingDNSNames...)
 
+			By("verifying it does replace a legacy secret when dns names are missing")
+			Expect(cli.Create(ctx, legacySecret)).NotTo(HaveOccurred())
+			keyPair, err = certificateManager.GetOrCreateKeyPair(cli, legacySecretName, appNs, appDNSNames)
+			Expect(err).NotTo(HaveOccurred())
+			test.VerifyCertSANs(keyPair.GetCertificatePEM(), appDNSNames...)
+			keyPair, err = certificateManager.GetOrCreateKeyPair(cli, legacySecretName, appNs, missingDNSNames)
+			Expect(err).NotTo(HaveOccurred())
+			test.VerifyCertSANs(keyPair.GetCertificatePEM(), missingDNSNames...)
+
 			By("verifying it does not replace a BYO secret, nor throw an error")
-			Expect(cli.Create(ctx, byoSecret)).NotTo(HaveOccurred())
+			Expect(cli.Update(ctx, byoSecret)).NotTo(HaveOccurred())
 			keyPair, err = certificateManager.GetOrCreateKeyPair(cli, appSecretName, appNs, missingDNSNames)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(keyPair.UseCertificateManagement()).To(BeFalse())