From b8e40825ce812f537c7d4aa7ba0ed91bb6f6b945 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Thu, 18 Apr 2024 13:04:46 +0100
Subject: [PATCH] add comments explaining issuerRef validation logic
Signed-off-by: Ashley Davis
---
 internal/apis/certmanager/validation/certificate.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/internal/apis/certmanager/validation/certificate.go b/internal/apis/certmanager/validation/certificate.go
index c79eeca7c..3bba759ce 100644
--- a/internal/apis/certmanager/validation/certificate.go
+++ b/internal/apis/certmanager/validation/certificate.go
@@ -216,16 +216,27 @@ func validateIssuerRef(issuerRef cmmeta.ObjectReference, fldPath *field.Path) fi
 issuerRefPath := fldPath.Child("issuerRef")
 if issuerRef.Name == "" {
+ // all issuerRefs must specify a name
 el = append(el, field.Required(issuerRefPath.Child("name"), "must be specified"))
 }
+
 if issuerRef.Group == "" || issuerRef.Group == internalcmapi.SchemeGroupVersion.Group {
+ // if the user leaves the group blank, it's effectively defaulted to the built-in issuers (i.e. cert-manager.io)
+ // if the cert-manager.io group is used, we can do extra validation on the Kind
+ // if an external group is used, we don't have a mechanism currently to determine which Kinds are valid for those groups
+ // so we don't check
 switch issuerRef.Kind {
 case "":
+ // do nothing
+
 case "Issuer", "ClusterIssuer":
+ // do nothing
+
 default:
 el = append(el, field.Invalid(issuerRefPath.Child("kind"), issuerRef.Kind, "must be one of Issuer or ClusterIssuer"))
 }
 }
+
 return el
 }
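Review bot: The two `// do nothing` comments added under `case "":` and `case "Issuer", "ClusterIssuer":` say what the branch does but not why accepting the value is safe, which is what a reader of a validation function needs. For the empty case I would write something like `// an empty kind is accepted; presumably it is defaulted to Issuer elsewhere (confirm)`, and for the second `// the built-in kinds are always valid for the cert-manager.io group`; the defaulting is not visible in this hunk, so the first wording should be checked against the defaulting code. The group comment's last two lines describe the external-group path, which never enters this `if`, so they would sit better above the condition, together with a note that Kind is passed through unvalidated for external groups and must be handled by whatever resolves the reference. validateIssuerRef begins above the hunk, so the declaration of `el` is not shown here.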