diff --git a/controllers/certificaterequest_controller.go b/controllers/certificaterequest_controller.go index aef3aed..31f7b60 100644 --- a/controllers/certificaterequest_controller.go +++ b/controllers/certificaterequest_controller.go @@ -333,7 +333,7 @@ func (r *CertificateRequestReconciler) reconcileStatusPatch( isPermanentError := errors.As(err, &signer.PermanentError{}) pastMaxRetryDuration := r.Clock.Now().After(cr.CreationTimestamp.Add(r.MaxRetryDuration)) if !isPendingError && (isPermanentError || pastMaxRetryDuration) { - // fail permanently + // Fail permanently. logger.V(1).Error(err, "Permanent CertificateRequest error. Marking as failed.") _, failedAt := conditions.SetCertificateRequestStatusCondition( r.Clock, @@ -348,8 +348,14 @@ func (r *CertificateRequestReconciler) reconcileStatusPatch( r.EventRecorder.Eventf(&cr, corev1.EventTypeWarning, "PermanentError", "Failed permanently to sign CertificateRequest: %s", err) return result, crStatusPatch, reconcile.TerminalError(err) // done, apply patch } else { - // retry - logger.V(1).Error(err, "Retryable CertificateRequest error.") + // Signing is pending, wait more. + // + // The PendingError has a misleading name: although it is an error, + // it isn't an error. It just means that we should poll again later. + // Its message gives the reason why the signing process is still in + // progress. Thus, we don't log any error. + reason := err.Error() + logger.V(1).WithValues("reason", reason).Info("Signing of CertificateRequest is in still in progress. ") conditions.SetCertificateRequestStatusCondition( r.Clock, cr.Status.Conditions, @@ -357,7 +363,7 @@ func (r *CertificateRequestReconciler) reconcileStatusPatch( cmapi.CertificateRequestConditionReady, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, - fmt.Sprintf("Failed to sign CertificateRequest, will retry: %s", err), + fmt.Sprintf("Signing of CertificateRequest is still in progress, will retry: %s", err), ) r.EventRecorder.Eventf(&cr, corev1.EventTypeWarning, "RetryableError", "Failed to sign CertificateRequest, will retry: %s", err)