improve comments

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

internal/controller/certificates/policies/checks.go

@@ -166,6 +166,10 @@ func SecretIssuerAnnotationsNotUpToDate(input Input) (string, string, bool) {
 	return "", "", false
 }
 
+// SecretCertificateMatchesSpec checks that the current CertificateRequest contains a CSR that is
+// signed by the key stored in the Secret. A failure is often caused by the Secret being changed
+// outside of the control of cert-manager, causing the current CertificateRequest to no longer
+// match what is stored in the Secret.
 func SecretPublicKeysDiffersFromCurrentCertificateRequest(input Input) (string, string, bool) {
 	if input.CurrentRevisionRequest == nil {
 		return "", "", false

internal/controller/certificates/policies/constants.go

@@ -30,7 +30,8 @@ const (
 	// the Input Secret could not be parsed or decoded.
 	InvalidCertificate string = "InvalidCertificate"
 	// InvalidCertificateRequest is a policy violation whereby the CSR in
-	// the Input CertificateRequest could not be parsed or decoded.
+	// the Input CertificateRequest could not be parsed or decoded or is
+	// eg. signed using an unknown key.
 	InvalidCertificateRequest string = "InvalidCertificateRequest"
 
 	// SecretMismatch is a policy violation reason for a scenario where Secret's