weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

trigger-controller: further comments on shouldBackoffReissuingOnFailure

Browse Source 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
This commit is contained in:
Maël Valais 2021-04-01 17:28:04 +02:00
parent a2bbdb7c51
commit c1bf35f4ed
1 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
pkg/controller/certificates/trigger/trigger_controller.go
View File

@ -199,27 +199,29 @@ func (c *controller) ProcessItem(ctx context.Context, key string) error {
return nil
}
// shouldBackoffReissuingOnFailure tells us if we should back off
// re-issuing for this certificate and for how much time.
// shouldBackoffReissuingOnFailure tells us if we should back-off re-issuing for
// an hour or not. Notably, it returns no back-off when the certificate doesn't
// match the "next" certificate (since a mismatch means that this certificate
// gets re-issued immediately).
//
// The request can be left nil, in which case no back off is required.
// Additionally, if the certificate doesn't match the request, no back
// off is required because it means the request will have to be re-issued.
// Note that the request can be left nil: in that case, the returned back-off
// will be 0 since it means the CR must be created immediately.
func shouldBackoffReissuingOnFailure(log logr.Logger, c clock.Clock, crt *cmapi.Certificate, nextCR *cmapi.CertificateRequest) (backoff bool, delay time.Duration) {
if crt.Status.LastFailureTime == nil {
return false, 0
}
// We want to immediately trigger a re-issuance when the certificate
// changes, even when it is failing. In order to detect a "change", we
// compare the "next" CR with the certificate spec and reissue and there is
// a mismatch.
// changes. In order to detect a "change", we compare the "next" CR with the
// certificate spec and reissue and there is a mismatch.
//
// Note that the "next" CR is the only CR that matters when looking at
// whether the certificate still matches its CR. The "current" CR matches
// the previous spec of the certificate, so we don't want to be looking at
// the current CR.
if nextCR != nil {
if nextCR == nil {
log.V(logf.InfoLevel).Info("next CertificateRequest not available, skipping checking if Certificate matches the CertificateRequest")
} else {
mismatches, err := certificates.RequestMatchesSpec(nextCR, crt.Spec)
if err != nil {
log.V(logf.InfoLevel).Info("next CertificateRequest cannot be decoded, skipping checking if Certificate matches the CertificateRequest")
@ -229,8 +231,6 @@ func shouldBackoffReissuingOnFailure(log logr.Logger, c clock.Clock, crt *cmapi.
log.V(logf.ExtendedInfoLevel).WithValues("mismatches", mismatches).Info("Certificate is failing but the Certificate differs from CertificateRequest, backoff is not required")
return false, 0
}
} else {
log.V(logf.InfoLevel).Info("next CertificateRequest not available, skipping checking if Certificate matches the CertificateRequest")
}
now := c.Now()