From c680694215ec846a3ffc5191d6b264a7b110a54a Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Tue, 18 Jun 2024 10:12:50 +0200 Subject: [PATCH] only retry when encountering a Vault non-InvalidData error Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- internal/vault/vault.go | 3 ++- pkg/controller/certificaterequests/vault/vault.go | 7 ++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/internal/vault/vault.go b/internal/vault/vault.go index 5bf82cebd9b..479023800ca 100644 --- a/internal/vault/vault.go +++ b/internal/vault/vault.go @@ -38,6 +38,7 @@ import ( internalinformers "github.com/cert-manager/cert-manager/internal/informers" v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" + cmerrors "github.com/cert-manager/cert-manager/pkg/util/errors" "github.com/cert-manager/cert-manager/pkg/util/pki" ) @@ -220,7 +221,7 @@ func (v *Vault) setToken(ctx context.Context, client Client) error { return nil } - return fmt.Errorf("error initializing Vault client: tokenSecretRef, appRoleSecretRef, or Kubernetes auth role not set") + return cmerrors.NewInvalidData("error initializing Vault client: tokenSecretRef, appRoleSecretRef, or Kubernetes auth role not set") } func (v *Vault) newConfig() (*vault.Config, error) { diff --git a/pkg/controller/certificaterequests/vault/vault.go b/pkg/controller/certificaterequests/vault/vault.go index 194ef736ddd..419b1cdd7c5 100644 --- a/pkg/controller/certificaterequests/vault/vault.go +++ b/pkg/controller/certificaterequests/vault/vault.go @@ -30,6 +30,7 @@ import ( crutil "github.com/cert-manager/cert-manager/pkg/controller/certificaterequests/util" "github.com/cert-manager/cert-manager/pkg/issuer" logf "github.com/cert-manager/cert-manager/pkg/logs" + cmerrors "github.com/cert-manager/cert-manager/pkg/util/errors" ) const ( @@ -87,11 +88,15 @@ func (v *Vault) Sign(ctx context.Context, cr *v1.CertificateRequest, issuerObj v return nil, nil } - // TODO: distinguish between network errors and other which might warrant a failure. if err != nil { message := "Failed to initialise vault client for signing" v.reporter.Pending(cr, err, "VaultInitError", message) log.Error(err, message) + + if cmerrors.IsInvalidData(err) { + return nil, nil // Don't retry, wait for the issuer to be updated + } + return nil, err // Return error to requeue and retry }