fix(certificates): only delete k8s secrets for certs when last domain associated is detached

Before the code would delete the secret on every detach but now instead it checks if there are any domains associated still with the certificate before deleting.
It can do so before the association between domain and cert is nulled out a few lines up.

This wasn't caught since the exception rule is to log the error instead of blowing up. There are tests that expose this behaviour but only against a real k8s cluster

Author: helgi

rootfs/api/models/certificate.py

@@ -202,13 +202,16 @@ def detach(self, *args, **kwargs):
 
         name = '%s-cert' % self.name
         app = domain.app
-        # only delete if it exists
-        try:
-            # We raise an exception when a secret doesn't exist
-            self._scheduler._get_secret(app, name)
-            self._scheduler._delete_secret(app, name)
-        except KubeHTTPException as e:
-            logger.critical(e)
+
+        # only delete if it exists and if no other domains depend on secret
+        if len(self.domains):
+            try:
+                # We raise an exception when a secret doesn't exist
+                self._scheduler._get_secret(app, name)
+                self._scheduler._delete_secret(app, name)
+            except KubeHTTPException as e:
+                logger.critical(e)
+                raise EnvironmentError("Could not delete certificate secret {} for application {}".format(name, app))  # noqa
 
         # get config for the service
         config = self._load_service_config(app, 'router')