feat: return auth error

guilhem · guilhem · commit efeb3da635b9 · 2026-01-08T16:12:23.000+01:00
If controller encounter a auth error (token invalid), error stay silent
to user
diff --git a/internal/controller/linodecluster_controller.go b/internal/controller/linodecluster_controller.go
@@ -207,7 +207,7 @@ func (r *LinodeClusterReconciler) reconcile(
 
 	if err := addMachineToLB(ctx, clusterScope); err != nil {
 		logger.Error(err, "Failed to add Linode machine to loadbalancer option")
-		return retryIfTransient(err, logger)
+		return retryIfTransient(err)
 	}
 
 	return res, nil
diff --git a/internal/controller/linodemachine_controller.go b/internal/controller/linodemachine_controller.go
@@ -178,8 +178,13 @@ func (r *LinodeMachineReconciler) reconcile(ctx context.Context, logger logr.Log
 	//nolint:dupl // Code duplication is simplicity in this case.
 	defer func() {
 		if err != nil {
-			// Only set failure reason if the error is not retryable.
-			if linodego.ErrHasStatus(err, http.StatusBadRequest) {
+			// Set specific failure reason for authentication errors
+			if util.IsAuthenticationError(err) {
+				failureReason = util.CredentialError
+			}
+
+			// Set failure status for terminal errors (400, 401, 403, 404)
+			if util.IsTerminalError(err) {
 				machineScope.LinodeMachine.Status.FailureReason = util.Pointer(failureReason)
 				machineScope.LinodeMachine.Status.FailureMessage = util.Pointer(err.Error())
 				machineScope.LinodeMachine.SetCondition(metav1.Condition{
@@ -535,7 +540,7 @@ func (r *LinodeMachineReconciler) reconcilePreflightMetadataSupportConfigure(ctx
 	_, err := machineScope.LinodeClient.GetRegion(ctx, machineScope.LinodeMachine.Spec.Region)
 	if err != nil {
 		logger.Error(err, fmt.Sprintf("Failed to fetch region %s", machineScope.LinodeMachine.Spec.Region))
-		return retryIfTransient(err, logger)
+		return retryIfTransient(err)
 	}
 	imageName := reconciler.DefaultMachineControllerLinodeImage
 	if machineScope.LinodeMachine.Spec.Image != "" {
@@ -544,7 +549,7 @@ func (r *LinodeMachineReconciler) reconcilePreflightMetadataSupportConfigure(ctx
 	_, err = machineScope.LinodeClient.GetImage(ctx, imageName)
 	if err != nil {
 		logger.Error(err, fmt.Sprintf("Failed to fetch image %s", imageName))
-		return retryIfTransient(err, logger)
+		return retryIfTransient(err)
 	}
 	machineScope.LinodeMachine.SetCondition(metav1.Condition{
 		Type:   ConditionPreflightMetadataSupportConfigured,
@@ -559,7 +564,7 @@ func (r *LinodeMachineReconciler) reconcilePreflightCreate(ctx context.Context,
 	createOpts, err := newCreateConfig(ctx, machineScope, r.GzipCompressionEnabled, logger)
 	if err != nil {
 		logger.Error(err, "Failed to create Linode machine InstanceCreateOptions")
-		return retryIfTransient(err, logger)
+		return retryIfTransient(err)
 	}
 
 	linodeInstance, retryAfter, err := createInstance(ctx, logger, machineScope, createOpts)
@@ -585,7 +590,7 @@ func (r *LinodeMachineReconciler) reconcilePreflightCreate(ctx context.Context,
 			Reason:  util.CreateError,
 			Message: err.Error(),
 		})
-		return retryIfTransient(err, logger)
+		return retryIfTransient(err)
 	}
 
 	machineScope.LinodeMachine.SetCondition(metav1.Condition{
@@ -643,11 +648,11 @@ func (r *LinodeMachineReconciler) reconcilePreflightConfigure(ctx context.Contex
 		instanceConfig, err := getDefaultInstanceConfig(ctx, machineScope, instanceID)
 		if err != nil {
 			logger.Error(err, "Failed to get default instance configuration")
-			return retryIfTransient(err, logger)
+			return retryIfTransient(err)
 		}
 		if _, err := machineScope.LinodeClient.UpdateInstanceConfig(ctx, instanceID, instanceConfig.ID, configData); err != nil {
 			logger.Error(err, "Failed to update default instance configuration", "configuration", configData)
-			return retryIfTransient(err, logger)
+			return retryIfTransient(err)
 		}
 	}
 
@@ -729,7 +734,7 @@ func (r *LinodeMachineReconciler) reconcileUpdate(ctx context.Context, logger lo
 
 	var linodeInstance *linodego.Instance
 	if linodeInstance, err = machineScope.LinodeClient.GetInstance(ctx, instanceID); err != nil {
-		return retryIfTransient(err, logger)
+		return retryIfTransient(err)
 	}
 	// update the status
 	machineScope.LinodeMachine.Status.InstanceState = &linodeInstance.Status
diff --git a/internal/controller/linodemachine_controller_helpers.go b/internal/controller/linodemachine_controller_helpers.go
@@ -68,15 +68,16 @@ var (
 	errNoPublicIPv6SLAACAddrs = errors.New("no public SLAAC address set")
 )
 
-func retryIfTransient(err error, logger logr.Logger) (ctrl.Result, error) {
+func retryIfTransient(err error) (ctrl.Result, error) {
 	if util.IsRetryableError(err) {
 		if linodego.ErrHasStatus(err, http.StatusTooManyRequests) {
 			return ctrl.Result{RequeueAfter: reconciler.DefaultLinodeTooManyRequestsErrorRetryDelay}, nil
 		}
 		return ctrl.Result{RequeueAfter: reconciler.DefaultMachineControllerRetryDelay}, nil
 	}
-	logger.Error(err, "unknown Linode API error")
-	return ctrl.Result{RequeueAfter: reconciler.DefaultMachineControllerRetryDelay}, nil
+	// Return the error for terminal errors (400, 401, 403, 404) so that
+	// the reconciler can set appropriate conditions and events
+	return ctrl.Result{}, err
 }
 
 func fillCreateConfig(createConfig *linodego.InstanceCreateOptions, machineScope *scope.MachineScope) {
diff --git a/internal/controller/linodeobjectstoragebucket_controller.go b/internal/controller/linodeobjectstoragebucket_controller.go
@@ -140,7 +140,7 @@ func (r *LinodeObjectStorageBucketReconciler) reconcile(ctx context.Context, bSc
 	// Handle deleted buckets
 	if !bScope.Bucket.DeletionTimestamp.IsZero() {
 		if err := r.reconcileDelete(ctx, bScope); err != nil {
-			return retryIfTransient(err, bScope.Logger)
+			return retryIfTransient(err)
 		}
 		return res, nil
 	}
diff --git a/util/errors.go b/util/errors.go
@@ -29,8 +29,9 @@ var (
 
 // List of failure reasons to use in the status fields of our resources
 var (
-	CreateError  = "CreateError"
-	DeleteError  = "DeleteError"
-	UpdateError  = "UpdateError"
-	UnknownError = "UnknownError"
+	CreateError     = "CreateError"
+	DeleteError     = "DeleteError"
+	UpdateError     = "UpdateError"
+	UnknownError    = "UnknownError"
+	CredentialError = "CredentialError"
 )
diff --git a/util/helpers.go b/util/helpers.go
@@ -61,6 +61,24 @@ func IsRetryableError(err error) bool {
 		linodego.ErrorFromError) || errors.Is(err, http.ErrHandlerTimeout) || errors.Is(err, os.ErrDeadlineExceeded) || errors.Is(err, io.ErrUnexpectedEOF)
 }
 
+// IsAuthenticationError determines if the error is an authentication or authorization error (401/403)
+// These errors are terminal and should not be retried without user intervention
+func IsAuthenticationError(err error) bool {
+	return linodego.ErrHasStatus(err, http.StatusUnauthorized, http.StatusForbidden)
+}
+
+// IsTerminalError determines if the error is terminal and should not be retried.
+// Terminal errors include bad requests (400), authentication errors (401/403), and not found (404)
+func IsTerminalError(err error) bool {
+	return linodego.ErrHasStatus(
+		err,
+		http.StatusBadRequest,
+		http.StatusUnauthorized,
+		http.StatusForbidden,
+		http.StatusNotFound,
+	)
+}
+
 // GetInstanceID determines the instance ID from the ProviderID
 func GetInstanceID(providerID *string) (int, error) {
 	if providerID == nil {

Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,7 @@ func (r *LinodeClusterReconciler) reconcile(`
`207`	`207`
`208`	`208`	`if err := addMachineToLB(ctx, clusterScope); err != nil {`
`209`	`209`	`logger.Error(err, "Failed to add Linode machine to loadbalancer option")`
`210`		`- return retryIfTransient(err, logger)`
	`210`	`+ return retryIfTransient(err)`
`211`	`211`	`}`
`212`	`212`
`213`	`213`	`return res, nil`
Original file line number	Diff line number	Diff line change
`@@ -68,15 +68,16 @@ var (`
`68`	`68`	`errNoPublicIPv6SLAACAddrs = errors.New("no public SLAAC address set")`
`69`	`69`	`)`
`70`	`70`
`71`		`-func retryIfTransient(err error, logger logr.Logger) (ctrl.Result, error) {`
	`71`	`+func retryIfTransient(err error) (ctrl.Result, error) {`
`72`	`72`	`if util.IsRetryableError(err) {`
`73`	`73`	`if linodego.ErrHasStatus(err, http.StatusTooManyRequests) {`
`74`	`74`	`return ctrl.Result{RequeueAfter: reconciler.DefaultLinodeTooManyRequestsErrorRetryDelay}, nil`
`75`	`75`	`}`
`76`	`76`	`return ctrl.Result{RequeueAfter: reconciler.DefaultMachineControllerRetryDelay}, nil`
`77`	`77`	`}`
`78`		`- logger.Error(err, "unknown Linode API error")`
`79`		`- return ctrl.Result{RequeueAfter: reconciler.DefaultMachineControllerRetryDelay}, nil`
	`78`	`+ // Return the error for terminal errors (400, 401, 403, 404) so that`
	`79`	`+ // the reconciler can set appropriate conditions and events`
	`80`	`+ return ctrl.Result{}, err`
`80`	`81`	`}`
`81`	`82`
`82`	`83`	`func fillCreateConfig(createConfig linodego.InstanceCreateOptions, machineScope scope.MachineScope) {`
Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,7 @@ func (r *LinodeObjectStorageBucketReconciler) reconcile(ctx context.Context, bSc`
`140`	`140`	`// Handle deleted buckets`
`141`	`141`	`if !bScope.Bucket.DeletionTimestamp.IsZero() {`
`142`	`142`	`if err := r.reconcileDelete(ctx, bScope); err != nil {`
`143`		`- return retryIfTransient(err, bScope.Logger)`
	`143`	`+ return retryIfTransient(err)`
`144`	`144`	`}`
`145`	`145`	`return res, nil`
`146`	`146`	`}`