From 1c0197381374c5d9254c25512a5d49f26c8adb87 Mon Sep 17 00:00:00 2001
From: Igor Beliakov
Date: Thu, 22 Dec 2022 11:59:37 +0100
Subject: [PATCH] fix(AzureDNS): suppress original message in adal.TokenRefreshError to prevent early CR reconciliations due to unique data (timestamp, Trace ID) that lands to CR status
Signed-off-by: Igor Beliakov
---
 pkg/issuer/acme/dns/azuredns/azuredns.go | 39 +++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/pkg/issuer/acme/dns/azuredns/azuredns.go b/pkg/issuer/acme/dns/azuredns/azuredns.go
index 51843fb96..77eb55231 100644
--- a/pkg/issuer/acme/dns/azuredns/azuredns.go
+++ b/pkg/issuer/acme/dns/azuredns/azuredns.go
@@ -13,6 +13,7 @@ package azuredns
 import (
 "context"
 "fmt"
+ "net/http"
 "os"
 "strings" 
@@ -72,6 +73,41 @@ func NewDNSProviderCredentials(environment, clientID, clientSecret, subscription
 }, nil
 }
+// Implements adal.TokenRefreshError
+type tokenRefreshError struct {
+ Message string
+ Resp *http.Response
+}
+
+func (tre tokenRefreshError) Error() string {
+ return tre.Message
+}
+
+func (tre tokenRefreshError) Response() *http.Response {
+ return tre.Resp
+}
+
+// suppressMessageInTokenRefreshError can be used to suppress error message contents in adal.TokenRefreshError to prevent early
+// reconciliations in controller due to CR status updates with unique data (such as timestamp, Trace ID) present in response body
+func suppressMessageInTokenRefreshError(originalError error) error {
+ if originalError == nil {
+ return nil
+ }
+
+ // No need to overwrite errors of another type
+ tre, ok := originalError.(adal.TokenRefreshError)
+ if !ok {
+ return originalError
+ }
+
+ err := tokenRefreshError{
+ Message: "failed to refresh token",
+ Resp: tre.Response(),
+ }
+
+ return err
+}
+
 // getFederatedSPT prepares an SPT for a Workload Identity-enabled setup
 func getFederatedSPT(env azure.Environment, options adal.ManagedIdentityOptions) (*adal.ServicePrincipalToken, error) {
 // NOTE: all related environment variables are described here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
@@ -150,7 +186,8 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
 // RefreshToken is absent from responses.
 err = newSPT.Refresh()
 if err != nil {
- return nil, err
+ logf.Log.V(logf.ErrorLevel).Error(err, "failed to refresh token")
+ return nil, suppressMessageInTokenRefreshError(err)
 }
 accessToken := newSPT.Token()
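Review bot: The fixed message built in suppressMessageInTokenRefreshError discards the one stable, non-unique field a user could act on — the HTTP status code of the refresh response — so the CR status can no longer distinguish a rejected credential from a transient service failure. Since `tre.Response()` is retained anyway and `fmt` is already imported per the first hunk, derive the message from it when it is non-nil, e.g. `Message: fmt.Sprintf("failed to refresh token: status %d", resp.StatusCode)` behind `if resp := tre.Response(); resp != nil`, keeping the literal `"failed to refresh token"` as the fallback; a status code is deterministic, so the reconcile churn this commit fixes is not reintroduced. The direct assertion `originalError.(adal.TokenRefreshError)` also passes a wrapped TokenRefreshError through with its volatile message intact; `errors.As` with an `adal.TokenRefreshError` target would cover that case, though adal's Refresh appears to return the error unwrapped today and whether `errors` is imported is outside this hunk. The comment `// Implements adal.TokenRefreshError` should name the type per Go doc convention, e.g. `// tokenRefreshError implements adal.TokenRefreshError with a fixed message so that response-specific data never reaches the CR status.` The original error text, including the response body, now survives only in the log line added in the later hunk of getAuthorization, which is the appropriate sink for that detail.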