fix(AzureDNS): suppress original message in adal.TokenRefreshError to prevent early CR reconciliations due to unique data (timestamp, Trace ID) that lands to CR status

Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
This commit is contained in:
Igor Beliakov 2022-12-22 11:59:37 +01:00
parent 8641c4a697
commit 1c01973813


@ -13,6 +13,7 @@ package azuredns
import ( import (
"context" "context"
"fmt" "fmt"
"net/http"
"os" "os"
"strings" "strings"
@ -72,6 +73,41 @@ func NewDNSProviderCredentials(environment, clientID, clientSecret, subscription
}, nil }, nil
} }
// Implements adal.TokenRefreshError
type tokenRefreshError struct {
Message string
Resp *http.Response
}
func (tre tokenRefreshError) Error() string {
return tre.Message
}
func (tre tokenRefreshError) Response() *http.Response {
return tre.Resp
}
// suppressMessageInTokenRefreshError can be used to suppress error message contents in adal.TokenRefreshError to prevent early
// reconciliations in controller due to CR status updates with unique data (such as timestamp, Trace ID) present in response body
func suppressMessageInTokenRefreshError(originalError error) error {
if originalError == nil {
return nil
}
// No need to overwrite errors of another type
tre, ok := originalError.(adal.TokenRefreshError)
if !ok {
return originalError
}
err := tokenRefreshError{
Message: "failed to refresh token",
Resp: tre.Response(),
}
return err
}
// getFederatedSPT prepares an SPT for a Workload Identity-enabled setup // getFederatedSPT prepares an SPT for a Workload Identity-enabled setup
func getFederatedSPT(env azure.Environment, options adal.ManagedIdentityOptions) (*adal.ServicePrincipalToken, error) { func getFederatedSPT(env azure.Environment, options adal.ManagedIdentityOptions) (*adal.ServicePrincipalToken, error) {
// NOTE: all related environment variables are described here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html // NOTE: all related environment variables are described here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
@ -150,7 +186,8 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
// RefreshToken is absent from responses. // RefreshToken is absent from responses.
err = newSPT.Refresh() err = newSPT.Refresh()
if err != nil { if err != nil {
return nil, err logf.Log.V(logf.ErrorLevel).Error(err, "failed to refresh token")
return nil, suppressMessageInTokenRefreshError(err)
} }
accessToken := newSPT.Token() accessToken := newSPT.Token()
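Review bot: The replacement message built in suppressMessageInTokenRefreshError discards every stable diagnostic along with the volatile ones — the HTTP status and the AADSTS error code now reach only the controller log written in getAuthorization, while the CR status shows just `failed to refresh token`, so an operator cannot tell an expired client secret from a network failure without log access. The HTTP status code is generally stable across retries, so it can be kept in the message without re-triggering the reconciliation this commit is trying to avoid; `tre.Response()` may be nil, so guard it before reading StatusCode (see fence). The check `originalError.(adal.TokenRefreshError)` is a direct type assertion, so a TokenRefreshError wrapped with `%w` by an intermediate layer would pass through unsuppressed — `errors.As` would also cover that case if the file imports `errors` (not visible in this hunk). A compile-time check `var _ adal.TokenRefreshError = tokenRefreshError{}` would back the `// Implements adal.TokenRefreshError` comment.
```go
	// No need to overwrite errors of another type
	tre, ok := originalError.(adal.TokenRefreshError)
	if !ok {
		return originalError
	}
	// Keep the HTTP status: unlike the timestamp/trace ID in the body it is
	// stable across retries, so it does not churn the CR status.
	msg := "failed to refresh token"
	if resp := tre.Response(); resp != nil {
		msg = fmt.Sprintf("%s (status code %d)", msg, resp.StatusCode)
	}
	return tokenRefreshError{Message: msg, Resp: tre.Response()}
```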