diff --git a/pkg/operator/staticpod/certsyncpod/certsync_controller.go b/pkg/operator/staticpod/certsyncpod/certsync_controller.go
index 1b5d7ce3ad..c86ca02165 100644
--- a/pkg/operator/staticpod/certsyncpod/certsync_controller.go
+++ b/pkg/operator/staticpod/certsyncpod/certsync_controller.go
@@ -71,6 +71,13 @@ func (c *CertSyncController) sync(ctx context.Context, syncCtx factory.SyncConte
 			continue
 
 		case apierrors.IsNotFound(err) && cm.Optional:
+			configMapFile := getConfigMapDir(c.destinationDir, cm.Name)
+			if _, err := os.Stat(configMapFile); os.IsNotExist(err) {
+				// if the configmap file does not exist, there is no work to do, so skip making any live check and just return.
+				// if the configmap actually exists in the API, we'll eventually see it on the watch.
+				continue
+			}
+
 			// Check with the live call it is really missing
 			configMap, err = c.configmapGetter.Get(ctx, cm.Name, metav1.GetOptions{})
 			if err == nil {
@@ -84,7 +91,7 @@ func (c *CertSyncController) sync(ctx context.Context, syncCtx factory.SyncConte
 			}
 
 			// remove missing content
-			if err := os.RemoveAll(getConfigMapDir(c.destinationDir, cm.Name)); err != nil {
+			if err := os.RemoveAll(configMapFile); err != nil {
 				c.eventRecorder.Warningf("CertificateUpdateFailed", "Failed removing file for configmap: %s/%s: %v", c.namespace, cm.Name, err)
 				errors = append(errors, err)
 			}
@@ -168,6 +175,13 @@ func (c *CertSyncController) sync(ctx context.Context, syncCtx factory.SyncConte
 			continue
 
 		case apierrors.IsNotFound(err) && s.Optional:
+			secretFile := getSecretDir(c.destinationDir, s.Name)
+			if _, err := os.Stat(secretFile); os.IsNotExist(err) {
+				// if the secret file does not exist, there is no work to do, so skip making any live check and just return.
+				// if the secret actually exists in the API, we'll eventually see it on the watch.
+				continue
+			}
+
 			// Check with the live call it is really missing
 			secret, err = c.secretGetter.Get(ctx, s.Name, metav1.GetOptions{})
 			if err == nil {
@@ -180,12 +194,6 @@ func (c *CertSyncController) sync(ctx context.Context, syncCtx factory.SyncConte
 				continue
 			}
 
-			// check if the secret file exists, skip firing events if it does not
-			secretFile := getSecretDir(c.destinationDir, s.Name)
-			if _, err := os.Stat(secretFile); os.IsNotExist(err) {
-				continue
-			}
-
 			// remove missing content
 			if err := os.RemoveAll(secretFile); err != nil {
 				c.eventRecorder.Warningf("CertificateUpdateFailed", "Failed removing file for missing secret: %s/%s: %v", c.namespace, s.Name, err)