feat(k8s): skip reading kubeconfig if unauthorized (#2018)

Mia-Cross · web-flow · commit 9c6afd6741a7 · 2023-06-30T09:42:28.000Z
diff --git a/scaleway/helpers_k8s.go b/scaleway/helpers_k8s.go
@@ -257,6 +257,39 @@ func flattenKubeletArgs(args map[string]string) map[string]interface{} {
 	return kubeletArgs
 }
 
+func flattenKubeconfig(ctx context.Context, k8sAPI *k8s.API, region scw.Region, clusterID string) (map[string]interface{}, error) {
+	kubeconfig, err := k8sAPI.GetClusterKubeConfig(&k8s.GetClusterKubeConfigRequest{
+		Region:    region,
+		ClusterID: clusterID,
+	}, scw.WithContext(ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	kubeconfigServer, err := kubeconfig.GetServer()
+	if err != nil {
+		return nil, err
+	}
+
+	kubeconfigCa, err := kubeconfig.GetCertificateAuthorityData()
+	if err != nil {
+		return nil, err
+	}
+
+	kubeconfigToken, err := kubeconfig.GetToken()
+	if err != nil {
+		return nil, err
+	}
+
+	kubeconf := map[string]interface{}{}
+	kubeconf["config_file"] = string(kubeconfig.GetRaw())
+	kubeconf["host"] = kubeconfigServer
+	kubeconf["cluster_ca_certificate"] = kubeconfigCa
+	kubeconf["token"] = kubeconfigToken
+
+	return kubeconf, nil
+}
+
 func migrateToPrivateNetworkCluster(ctx context.Context, d *schema.ResourceData, i interface{}) error {
 	k8sAPI, region, clusterID, err := k8sAPIWithRegionAndID(i, d.Id())
 	if err != nil {
diff --git a/scaleway/resource_k8s_cluster.go b/scaleway/resource_k8s_cluster.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -526,36 +527,21 @@ func resourceScalewayK8SClusterRead(ctx context.Context, d *schema.ResourceData,
 	////
 	// Read kubeconfig
 	////
-	kubeconfig, err := k8sAPI.GetClusterKubeConfig(&k8s.GetClusterKubeConfigRequest{
-		Region:    region,
-		ClusterID: clusterID,
-	}, scw.WithContext(ctx))
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	kubeconfigServer, err := kubeconfig.GetServer()
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	kubeconfigCa, err := kubeconfig.GetCertificateAuthorityData()
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	kubeconfigToken, err := kubeconfig.GetToken()
+	kubeconfig, err := flattenKubeconfig(ctx, k8sAPI, region, clusterID)
 	if err != nil {
+		if is403Error(err) {
+			return diag.Diagnostics{
+				diag.Diagnostic{
+					Severity:      diag.Warning,
+					Summary:       "Cannot read kubeconfig: unauthorized",
+					Detail:        "Got 403 while reading kubeconfig, please check your permissions",
+					AttributePath: cty.GetAttrPath("kubeconfig"),
+				},
+			}
+		}
 		return diag.FromErr(err)
 	}
-
-	kubeconf := map[string]interface{}{}
-	kubeconf["config_file"] = string(kubeconfig.GetRaw())
-	kubeconf["host"] = kubeconfigServer
-	kubeconf["cluster_ca_certificate"] = kubeconfigCa
-	kubeconf["token"] = kubeconfigToken
-
-	_ = d.Set("kubeconfig", []map[string]interface{}{kubeconf})
+	_ = d.Set("kubeconfig", []map[string]interface{}{kubeconfig})
 
 	return nil
 }
