Bug
Resolution: Unresolved
Major
ACM 2.11.0, ACM 2.12.0, ACM 2.13.0, ACM 2.14.0
Description of problem:
We have a customer on ROSA who ran into issues with certificates for ingress controllers. We manually recreated a certificate to fix the issue (copied from the cluster where the ACM policy should be sourcing from), however the ACM policies related to it are still not returning to 'Compliant'. We need to understand why these policies (below) are not compliant, which is blocking the certificate from being automatically synced.
The policy we expect to be compliant, which I believe is blocking the policy that syncs the certificate, is showing
status:
  compliant: NonCompliant
  details:
  - compliant: NonCompliant
    history:
    - eventName: openshift-acm-policies.rosa-ingress-certificate-check.1840d69cf2e52701
      lastTimestamp: "2025-05-19T05:30:24Z"
      message: NonCompliant; violation - ingresscontrollers [default] not found in namespace openshift-ingress-operator
However, that ingresscontroller exists:
oc get ingresscontrollers -n openshift-ingress-operator
NAME      AGE
default   6h2m
Version-Release number of selected component (if applicable): 4.16.32
How reproducible:
Steps to Reproduce:
- ...
Actual results:
oc get policies -n klusterlet-2b15tc1qs8sjjaqauen04bamkm3hc7mg | grep -vw 'Compliant'
NAME                                                       REMEDIATION ACTION   COMPLIANCE STATE   AGE
openshift-acm-policies.rosa-ingress-certificate-check      inform               NonCompliant       395d
openshift-acm-policies.rosa-ingress-certificate-policies   enforce              Pending            395d
Expected results:
We expect the ACM policy to have synced the updated certificate, however it did not.