fix: Do not treat invalid credentials as an internal error

Author: dlipovetsky

pkg/webhook/preflight/nutanix/credentials.go

@@ -6,6 +6,7 @@ package nutanix
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -181,21 +182,30 @@ func newCredentialsCheck(
 
 	// Validate the credentials using an API call.
 	_, err = nclient.GetCurrentLoggedInUser(ctx)
-	if err != nil {
+	if err == nil {
+		// We initialized both clients, and verified the credentials using the v3 client.
+		cd.nclient = nclient
+		return credentialsCheck
+	}
+
+	if strings.Contains(err.Error(), "invalid Nutanix credentials") {
 		credentialsCheck.result.Allowed = false
-		credentialsCheck.result.InternalError = true
 		credentialsCheck.result.Causes = append(credentialsCheck.result.Causes,
 			preflight.Cause{
-				Message: fmt.Sprintf("Failed to validate credentials using the v3 API client. "+
-					"The URL and/or credentials may be incorrect. (Error: %q)", err),
-				Field: "$.spec.topology.variables[[email protected]==\"clusterConfig\"].value.nutanix.prismCentralEndpoint",
+				Message: fmt.Sprintf("Failed to validate credentials using the v3 API client: %s", err),
+				Field:   "$.spec.topology.variables[[email protected]==\"clusterConfig\"].value.nutanix.prismCentralEndpoint.credentials.secretRef",
 			},
 		)
 		return credentialsCheck
 	}
 
-	// We initialized both clients, and verified the credentials using the v3 client.
-	cd.nclient = nclient
-
+	credentialsCheck.result.Allowed = false
+	credentialsCheck.result.InternalError = true
+	credentialsCheck.result.Causes = append(credentialsCheck.result.Causes,
+		preflight.Cause{
+			Message: fmt.Sprintf("Failed to validate credentials using the v3 API client: %s", err),
+			Field:   "$.spec.topology.variables[[email protected]==\"clusterConfig\"].value.nutanix.prismCentralEndpoint",
+		},
+	)
 	return credentialsCheck
 }

pkg/webhook/preflight/nutanix/credentials_test.go

@@ -212,7 +212,21 @@ func TestNewCredentialsCheck_FailedToGetCurrentLoggedInUser(t *testing.T) {
 	result := check.Run(context.Background())
 	assert.False(t, result.Allowed)
 	assert.True(t, result.InternalError)
-	assert.Contains(t, result.Causes[0].Message, "Failed to validate credentials using the v3 API client.")
+	assert.Contains(t, result.Causes[0].Message, "Failed to validate credentials using the v3 API client: "+
+		assert.AnError.Error())
+}
+
+func TestNewCredentialsCheck_GetCurrentLoggedInUserInvalidCredentials(t *testing.T) {
+	nclientFactory := func(_ prismgoclient.Credentials) (client, error) {
+		return &mocknclient{err: fmt.Errorf("invalid Nutanix credentials")}, nil
+	}
+	cd := validCheckDependencies()
+	check := newCredentialsCheck(context.Background(), nclientFactory, cd)
+	result := check.Run(context.Background())
+	assert.False(t, result.Allowed)
+	assert.False(t, result.InternalError)
+	assert.Contains(t, result.Causes[0].Message, "Failed to validate credentials using the v3 API client: "+
+		"invalid Nutanix credentials")
 }
 
 func validCheckDependencies() *checkDependencies {