Description
In what area(s)?
/area networking
/area operator
What version of Knative?
Knative Operator v1.19.3 (Serving installed via Operator)
cert-manager v1.18.2
Expected Behavior
Bootstrap with system-internal-tls enabled should succeed, with Activator starting cleanly once certificates are provisioned.
Actual Behavior
Applying the KnativeServing CR with system-internal-tls: "Enabled" causes the Activator to immediately crashloop with the following log:
Failed to create certificate cache: failed to get activator certificate, secret "routing-serving-certs" not found.
Enabling system-internal-tls requires the secret to be present and populated with a valid certificate
Restarts of controller/activator don't help, in any order.
Only bootstrapping with system-internal-tls: "Disabled" and then patching to "Enabled" after the installation works.
Steps to Reproduce the Problem
Bootstrap Knative Serving (via Operator installation) with system-internal-tls enabled on a fresh cluster, where the routing-serving-certs Certificate/Secret do not yet exist:
apiVersion: v1
kind: Namespace
metadata:
  name: knative-serving
---
apiVersion: operator.knative.dev/v1beta1
kind: KnativeServing
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  ingress:
    kourier:
      enabled: true
  config:
    network:
      ingress-class: "kourier.ingress.networking.knative.dev"
      cluster-local-domain-tls: "Enabled"
      system-internal-tls: "Enabled"
    certmanager:
      issuerRef: |
        kind: ClusterIssuer
        name: knative-selfsigned-issuer
      clusterLocalIssuerRef: |
        kind: ClusterIssuer
        name: knative-selfsigned-issuer
      systemInternalIssuerRef: |
        kind: ClusterIssuer
        name: knative-selfsigned-issuer
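
The two-phase workaround described in the report (install with system-internal-tls "Disabled", then patch to "Enabled"), written as a script. This is an added example, not part of the original issue or of the Knative project's code. It assumes the manifest above is saved as knative-serving.yaml with the value set to "Disabled", and that the secret uses the tls.crt and tls.key keys cert-manager writes into TLS secrets.

```shell
#!/bin/sh
# Added example (not from the issue): two-phase bootstrap with a secret check.
# Assumed: knative-serving.yaml is the manifest above with system-internal-tls "Disabled".
NS=knative-serving
CR=knative-serving
SECRET=routing-serving-certs   # secret name taken from the Activator log line

# Print one base64 data field of the secret; prints nothing if secret or key is absent.
secret_field() {
  kubectl -n "$NS" get secret "$SECRET" -o "jsonpath={.data.$1}" 2>/dev/null || true
}

# Succeed only if the secret exists and carries both a certificate and a key
# (tls.crt / tls.key are assumed key names, as written by cert-manager).
secret_populated() {
  [ -n "$(secret_field 'tls\.crt')" ] && [ -n "$(secret_field 'tls\.key')" ]
}

# Merge-patch body that sets system-internal-tls in the KnativeServing CR.
tls_patch() {
  printf '{"spec":{"config":{"network":{"system-internal-tls":"%s"}}}}' "$1"
}

# Poll until the secret is populated or the timeout (in seconds) is used up.
wait_for_secret() {
  remaining=$1
  until secret_populated; do
    [ "$remaining" -gt 0 ] || return 1
    sleep 5
    remaining=$((remaining - 5))
  done
}

bootstrap() {
  kubectl apply -f knative-serving.yaml   # phase 1: install with TLS Disabled
  kubectl -n "$NS" wait --for=condition=Ready "knativeserving/$CR" --timeout=10m
  # phase 2: switch internal TLS on once the installation is Ready
  kubectl -n "$NS" patch knativeserving "$CR" --type merge -p "$(tls_patch Enabled)"
  wait_for_secret 300 || { echo "secret $SECRET still not populated" >&2; return 1; }
  kubectl -n "$NS" rollout status deployment/activator --timeout=5m
}

# Run the workaround only when invoked as: ./script.sh bootstrap
if [ "${1:-}" = "bootstrap" ]; then
  set -eu
  bootstrap
fi
```

On a cluster that is already crashlooping, `secret_populated` on its own tells you whether the condition named in the Activator log is met.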