Failing Azure Workload Identity Request does not back off #5652

@tynsh

Description

While testing the new Azure Workload Identity Feature (#5570) in the 1.11.0-alpha.1 release, I encountered what seemed to be a busy loop, but I'm not sure.

The following is the scenario:

  • cert-manager v1.11.0-alpha.1
  • Azure AKS environment
  • Service Account on the cert-manager namespace exists
  • Cluster Issuer exists and references a managed identity clientID in Azure AD
  • Certificate resource is created
  • Federated Identity Credentials are wrong or missing.

The last one is the important part. In this configuration the logs for the cert-manager pod are spammed with messages containing

Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://germanywestcentral.oic.prod-aks.azure.com/xxxxx/yyyy/'. Assertion Subject: 'system:serviceaccount:cert-manager:cert-manager'. Assertion Audience: 'api://AzureADTokenExchange'.

I was unable to find out if other requests are handled while this bug occurs or if it is an actual busy loop preventing the completion of other jobs.

I would expect the request to fail, back off and try again later. The code is probably just missing something minor. I'd expect a failing request about once a second or less.

As soon as a federated identity credential is created the loop ends. (Maybe @weisdd has some thoughts on this?)

/kind bug
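As an added example (not code from cert-manager or from the reporter), the following Go sketch shows the behaviour the report asks for: transient token-refresh failures are retried with capped, jittered exponential backoff, while the AADSTS70021 "no matching federated identity record" response quoted above is treated as a configuration error that is surfaced once instead of being retried in a tight loop. `tokenFetcher`, `fetchWithBackoff` and `ErrNoFederatedCredential` are hypothetical names; only the AADSTS70021 code comes from the report.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"strings"
	"time"
)

// ErrNoFederatedCredential marks the AADSTS70021 case from the report: a configuration
// error only an operator can fix, so retrying it quickly just spams the token endpoint.
var ErrNoFederatedCredential = errors.New("no federated identity credential")
// tokenFetcher models one exchange of a workload-identity assertion for an Azure AD token (hypothetical).
type tokenFetcher func() (string, error)
// nextBackoff doubles the delay per attempt, never exceeding max, with jitter in [d/2, d).
func nextBackoff(attempt int, base, max time.Duration, rnd *rand.Rand) time.Duration {
	d := base
	for i := 0; i < attempt && d <= max/2; i++ {
		d *= 2
	}
	return d/2 + time.Duration(rnd.Int63n(int64(d/2)))
}
// fetchWithBackoff retries transient failures with backoff and stops at once on AADSTS70021.
// It returns the token, the number of attempts used, and the last error.
func fetchWithBackoff(fetch tokenFetcher, maxAttempts int, sleep func(time.Duration)) (string, int, error) {
	rnd := rand.New(rand.NewSource(time.Now().UnixNano()))
	var lastErr error
	for attempt := 0; attempt < maxAttempts; attempt++ {
		tok, err := fetch()
		if err == nil {
			return tok, attempt + 1, nil
		}
		lastErr = err
		if strings.Contains(err.Error(), "AADSTS70021") {
			return "", attempt + 1, fmt.Errorf("%w: %v", ErrNoFederatedCredential, err)
		}
		sleep(nextBackoff(attempt, time.Second, 30*time.Second, rnd))
	}
	return "", maxAttempts, lastErr
}

func main() {
	// Constructed fetcher returning the report's AADSTS70021 error body.
	broken := func() (string, error) {
		return "", errors.New(`Status Code = '400'. Response body: {"error":"invalid_request","error_description":"AADSTS70021: No matching federated identity record found"}`)
	}
	_, n, err := fetchWithBackoff(broken, 5, time.Sleep)
	fmt.Println(n, err)
}
```

In a controller the wrapped error would be written to the issuer's status condition and the item requeued at the workqueue's slow rate, so fixing the federated credential still resolves it on the next reconcile.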
