Merge pull request #166 from stackitcloud/bug/fix-resolver-acme-challenges

fix: safely handle concurrent DNS-01 challenges in Present and Cleanup

Author: nburchha

internal/resolver/resolver.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"slices"
 	"strings"
 
 	"github.com/cert-manager/cert-manager/pkg/acme/webhook"
@@ -82,7 +83,7 @@ func (s *stackitDnsProviderResolver) Present(ch *v1alpha1.ChallengeRequest) erro
 		return err
 	}
 
-	return s.updateExistingRRSet(initResolverRes, rrSet)
+	return s.updateExistingRRSet(initResolverRes, rrSet, ch.Key)
 }
 
 // CleanUp should delete the relevant TXT record from the DNS provider console.
@@ -97,7 +98,7 @@ func (s *stackitDnsProviderResolver) CleanUp(ch *v1alpha1.ChallengeRequest) erro
 		return s.handleErrorDuringInitialization(err)
 	}
 
-	return s.handleRRSetCleanup(initResolverRes)
+	return s.handleRRSetCleanup(initResolverRes, ch.Key)
 }
 
 // Initialize will be called when the webhook first starts.
@@ -287,6 +288,7 @@ func (s *stackitDnsProviderResolver) handleErrorDuringInitialization(
 
 func (s *stackitDnsProviderResolver) handleRRSetCleanup(
 	initResolverRes *initResolverContextResult,
+	challengeKey string,
 ) error {
 	s.logger.Info("Cleaning up RRSet", zap.String("rrSetName", initResolverRes.rrSetName))
 
@@ -299,7 +301,27 @@ func (s *stackitDnsProviderResolver) handleRRSetCleanup(
 		return s.handleFetchRRSetError(err, initResolverRes.rrSetName)
 	}
 
-	return s.deleteRRSet(initResolverRes.rrSetRepository, rrSet, initResolverRes.rrSetName)
+	if rrSet == nil || rrSet.Records == nil || len(*rrSet.Records) == 0 {
+		return s.deleteRRSet(initResolverRes.rrSetRepository, rrSet, initResolverRes.rrSetName)
+	}
+
+	originalLen := len(*rrSet.Records)
+
+	*rrSet.Records = slices.DeleteFunc(*rrSet.Records, func(r stackitdnsclient.Record) bool {
+		return r.Content != nil && *r.Content == challengeKey
+	})
+
+	if len(*rrSet.Records) == originalLen {
+		s.logger.Info("Challenge key not found in RRSet records, nothing to clean up", zap.String("rrSetName", initResolverRes.rrSetName))
+
+		return nil
+	}
+
+	if len(*rrSet.Records) == 0 {
+		return s.deleteRRSet(initResolverRes.rrSetRepository, rrSet, initResolverRes.rrSetName)
+	}
+
+	return initResolverRes.rrSetRepository.UpdateRRSet(s.ctx, *rrSet)
 }
 
 func (s *stackitDnsProviderResolver) handleFetchRRSetError(err error, rrSetName string) error {
@@ -384,12 +406,31 @@ func (s *stackitDnsProviderResolver) handleRRSetNotFound(
 	return nil
 }
 
+func keyExists(records *[]stackitdnsclient.Record, challengeKey string) bool {
+	for _, record := range *records {
+		if record.Content != nil && *record.Content == challengeKey {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (s *stackitDnsProviderResolver) updateExistingRRSet(
 	initResolverRes *initResolverContextResult,
 	rrSet *stackitdnsclient.RecordSet,
+	challengeKey string,
 ) error {
 	s.logger.Info("RRSet found, updating RRSet", zap.String("rrSetName", initResolverRes.rrSetName))
 
+	if !keyExists(rrSet.Records, challengeKey) {
+		s.logger.Info("Challenge key not found in existing RRSet, adding new record", zap.String("rrSetName", initResolverRes.rrSetName))
+		newRecord := stackitdnsclient.Record{
+			Content: &challengeKey,
+		}
+		*rrSet.Records = append(*rrSet.Records, newRecord)
+	}
+
 	rrSet.Ttl = &initResolverRes.acmeTxtDefaultTTL
 
 	if err := initResolverRes.rrSetRepository.UpdateRRSet(s.ctx, *rrSet); err != nil {