Merge pull request #5663 from weisdd/fix/azure-workload-identity-early-reconcilation

fix(AzureDNS): prevent early reconciliations for misconfigured Workload Identity
jetstack-bot 2023-01-03 18:00:10 +00:00 committed by GitHub
commit d8a6ec0dcb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -13,6 +13,7 @@ package azuredns
import (
"context"
"fmt"
"net/http"
"os"
"strings"
@ -72,6 +73,41 @@ func NewDNSProviderCredentials(environment, clientID, clientSecret, subscription
}, nil
}
// Implements adal.TokenRefreshError
type tokenRefreshError struct {
Message string
Resp *http.Response
}
func (tre tokenRefreshError) Error() string {
return tre.Message
}
func (tre tokenRefreshError) Response() *http.Response {
return tre.Resp
}
// suppressMessageInTokenRefreshError can be used to suppress error message contents in adal.TokenRefreshError to prevent early
// reconciliations in controller due to CR status updates with unique data (such as timestamp, Trace ID) present in response body
func suppressMessageInTokenRefreshError(originalError error) error {
if originalError == nil {
return nil
}
// No need to overwrite errors of another type
tre, ok := originalError.(adal.TokenRefreshError)
if !ok {
return originalError
}
err := tokenRefreshError{
Message: "failed to refresh token",
Resp: tre.Response(),
}
return err
}
// getFederatedSPT prepares an SPT for a Workload Identity-enabled setup
func getFederatedSPT(env azure.Environment, options adal.ManagedIdentityOptions) (*adal.ServicePrincipalToken, error) {
// NOTE: all related environment variables are described here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
@ -150,7 +186,8 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
// RefreshToken is absent from responses.
err = newSPT.Refresh()
if err != nil {
return nil, err
logf.Log.V(logf.ErrorLevel).Error(err, "failed to refresh token")
return nil, suppressMessageInTokenRefreshError(err)
}
accessToken := newSPT.Token()
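Review bot: The replacement error built in suppressMessageInTokenRefreshError drops the original adal error from the chain entirely, so callers can no longer use errors.Is/errors.As to recognise a refresh failure and the only trace of the AAD reason is the single log call just before the return in getAuthorization. Keeping the cause in an unexported field with an `Unwrap() error` method preserves the chain while `Error()` still returns the fixed string, so the CR status stays free of timestamps and trace IDs (and of whatever tenant or application details the AAD response body may carry, which is presumably also why suppressing it is the right call). The `originalError.(adal.TokenRefreshError)` assertion only matches an unwrapped value; `errors.As` is the idiomatic form and needs `"errors"` added to the import block. Since the fixed message is now all an operator sees in the status, it should point at the logs, e.g. `Message: "failed to refresh token; see the controller logs for the Azure AD error"`.
```go
type tokenRefreshError struct {
	Message string
	Resp    *http.Response
	cause   error // original adal.TokenRefreshError; reachable via errors.As/Is, never printed
}

// Unwrap exposes the suppressed adal error to errors.Is/errors.As without
// leaking its message into Error().
func (tre tokenRefreshError) Unwrap() error {
	return tre.cause
}

// … unchanged: Error() and Response() …

func suppressMessageInTokenRefreshError(originalError error) error {
	if originalError == nil {
		return nil
	}
	// No need to overwrite errors of another type; errors.As also handles a wrapped value.
	var tre adal.TokenRefreshError
	if !errors.As(originalError, &tre) {
		return originalError
	}
	return tokenRefreshError{
		Message: "failed to refresh token; see the controller logs for the Azure AD error",
		Resp:    tre.Response(),
		cause:   originalError,
	}
}
```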