From c680694215ec846a3ffc5191d6b264a7b110a54a Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Tue, 18 Jun 2024 10:12:50 +0200
Subject: [PATCH] only retry when encountering a Vault non-InvalidData error

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 internal/vault/vault.go                           | 3 ++-
 pkg/controller/certificaterequests/vault/vault.go | 7 ++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/internal/vault/vault.go b/internal/vault/vault.go
index 5bf82cebd9b..479023800ca 100644
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -38,6 +38,7 @@ import (
 	internalinformers "github.com/cert-manager/cert-manager/internal/informers"
 	v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	cmerrors "github.com/cert-manager/cert-manager/pkg/util/errors"
 	"github.com/cert-manager/cert-manager/pkg/util/pki"
 )
 
@@ -220,7 +221,7 @@ func (v *Vault) setToken(ctx context.Context, client Client) error {
 		return nil
 	}
 
-	return fmt.Errorf("error initializing Vault client: tokenSecretRef, appRoleSecretRef, or Kubernetes auth role not set")
+	return cmerrors.NewInvalidData("error initializing Vault client: tokenSecretRef, appRoleSecretRef, or Kubernetes auth role not set")
 }
 
 func (v *Vault) newConfig() (*vault.Config, error) {
diff --git a/pkg/controller/certificaterequests/vault/vault.go b/pkg/controller/certificaterequests/vault/vault.go
index 194ef736ddd..419b1cdd7c5 100644
--- a/pkg/controller/certificaterequests/vault/vault.go
+++ b/pkg/controller/certificaterequests/vault/vault.go
@@ -30,6 +30,7 @@ import (
 	crutil "github.com/cert-manager/cert-manager/pkg/controller/certificaterequests/util"
 	"github.com/cert-manager/cert-manager/pkg/issuer"
 	logf "github.com/cert-manager/cert-manager/pkg/logs"
+	cmerrors "github.com/cert-manager/cert-manager/pkg/util/errors"
 )
 
 const (
@@ -87,11 +88,15 @@ func (v *Vault) Sign(ctx context.Context, cr *v1.CertificateRequest, issuerObj v
 		return nil, nil
 	}
 
-	// TODO: distinguish between network errors and other which might warrant a failure.
 	if err != nil {
 		message := "Failed to initialise vault client for signing"
 		v.reporter.Pending(cr, err, "VaultInitError", message)
 		log.Error(err, message)
+
+		if cmerrors.IsInvalidData(err) {
+			return nil, nil // Don't retry, wait for the issuer to be updated
+		}
+
 		return nil, err // Return error to requeue and retry
 	}