improve k8s error messages

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Author: inteon

pkg/datagatherer/oidc/oidc.go

@@ -4,8 +4,13 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/url"
+	"strings"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/rest"
+	"k8s.io/klog/v2"
 
 	"github.com/jetstack/preflight/api"
 	"github.com/jetstack/preflight/pkg/datagatherer"
@@ -84,11 +89,12 @@ func (g *DataGathererOIDC) Fetch() (any, int, error) {
 
 func (g *DataGathererOIDC) fetchOIDCConfig(ctx context.Context) (map[string]any, error) {
 	// Fetch the OIDC discovery document from the well-known endpoint.
-	bytes, err := g.cl.Get().AbsPath("/.well-known/openid-configuration").Do(ctx).Raw()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get OIDC discovery document: %v", err)
+	result := g.cl.Get().AbsPath("/.well-known/openid-configuration").Do(ctx)
+	if err := result.Error(); err != nil {
+		return nil, fmt.Errorf("failed to get /.well-known/openid-configuration: %s", k8sErrorMessage(err))
 	}
 
+	bytes, _ := result.Raw()
 	var oidcResponse map[string]any
 	if err := json.Unmarshal(bytes, &oidcResponse); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal OIDC discovery document: %v", err)
@@ -104,15 +110,48 @@ func (g *DataGathererOIDC) fetchJWKS(ctx context.Context) (map[string]any, error
 	//  - on fully private AWS EKS clusters, the URL is still public and might not
 	//    be reachable from within the cluster (https://github.com/aws/containers-roadmap/issues/2038)
 	// So we are using the default path instead, which we think should work in most cases.
-	bytes, err := g.cl.Get().AbsPath("/openid/v1/jwks").Do(ctx).Raw()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get JWKS from jwks_uri: %v", err)
+	result := g.cl.Get().AbsPath("/openid/v1/jwks").Do(ctx)
+	if err := result.Error(); err != nil {
+		return nil, fmt.Errorf("failed to get /openid/v1/jwks: %s", k8sErrorMessage(err))
 	}
 
+	bytes, _ := result.Raw()
 	var jwksResponse map[string]any
 	if err := json.Unmarshal(bytes, &jwksResponse); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal JWKS response: %v", err)
 	}
 
 	return jwksResponse, nil
 }
+
+// based on https://github.com/kubernetes/kubectl/blob/a64ceaeab69eed1f11a9e1bd91cf2c1446de811c/pkg/cmd/util/helpers.go#L244
+func k8sErrorMessage(err error) string {
+	if status, isStatus := err.(apierrors.APIStatus); isStatus {
+		switch s := status.Status(); {
+		case s.Reason == metav1.StatusReasonUnauthorized:
+			return fmt.Sprintf("error: You must be logged in to the server (%s)", s.Message)
+		case len(s.Reason) > 0:
+			return fmt.Sprintf("Error from server (%s): %s", s.Reason, err.Error())
+		default:
+			return fmt.Sprintf("Error from server: %s", err.Error())
+		}
+	}
+
+	if apierrors.IsUnexpectedObjectError(err) {
+		return fmt.Sprintf("Server returned an unexpected response: %s", err.Error())
+	}
+
+	if t, isURL := err.(*url.Error); isURL {
+		klog.V(4).Infof("Connection error: %s %s: %v", t.Op, t.URL, t.Err)
+		if strings.Contains(t.Err.Error(), "connection refused") {
+			host := t.URL
+			if server, err := url.Parse(t.URL); err == nil {
+				host = server.Host
+			}
+			return fmt.Sprintf("The connection to the server %s was refused - did you specify the right host or port?", host)
+		}
+		return fmt.Sprintf("Unable to connect to the server: %v", t.Err)
+	}
+
+	return fmt.Sprintf("error: %v", err)
+}

pkg/datagatherer/oidc/oidc_test.go

@@ -10,6 +10,7 @@ import (
 	"k8s.io/client-go/rest"
 
 	"github.com/jetstack/preflight/api"
+	"github.com/stretchr/testify/require"
 )
 
 func makeRESTClient(t *testing.T, ts *httptest.Server) rest.Interface {
@@ -50,72 +51,133 @@ func TestFetch_Success(t *testing.T) {
 	g := &DataGathererOIDC{cl: rc}
 
 	anyRes, count, err := g.Fetch()
-	if err != nil {
-		t.Fatalf("Fetch returned error: %v", err)
-	}
-	if count != 1 {
-		t.Fatalf("expected count 1, got %d", count)
-	}
+	require.NoError(t, err)
+	require.Equal(t, 1, count)
 
 	res, ok := anyRes.(*api.OIDCDiscoveryData)
-	if !ok {
-		t.Fatalf("unexpected result type: %T", anyRes)
-	}
+	require.True(t, ok, "unexpected result type")
 
-	if res.OIDCConfig == nil {
-		t.Fatalf("expected OIDCConfig, got nil")
-	}
-	if iss, _ := res.OIDCConfig["issuer"].(string); iss != "https://example" {
-		t.Fatalf("unexpected issuer: %v", res.OIDCConfig["issuer"])
-	}
+	require.NotNil(t, res.OIDCConfig)
+	require.Equal(t, "https://example", res.OIDCConfig["issuer"].(string))
+	require.Empty(t, res.OIDCConfigError)
 
-	if res.JWKS == nil {
-		t.Fatalf("expected JWKS, got nil")
-	}
-	if _, ok := res.JWKS["keys"].([]any); !ok {
-		t.Fatalf("expected keys to be a slice, got %#v", res.JWKS["keys"])
-	}
+	require.NotNil(t, res.JWKS)
+	_, ok = res.JWKS["keys"].([]any)
+	require.True(t, ok, "unexpected result type")
+	require.Empty(t, res.JWKSError)
 }
 
 func TestFetch_Errors(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.URL.Path {
-		case "/.well-known/openid-configuration":
-			// return server error
-			http.Error(w, "boom", http.StatusInternalServerError)
-		case "/openid/v1/jwks":
-			// return invalid JSON
-			w.Header().Set("Content-Type", "application/json")
-			_, _ = w.Write([]byte(`}{`))
-		default:
-			http.NotFound(w, r)
-		}
-	}))
-	defer ts.Close()
-
-	rc := makeRESTClient(t, ts)
-	g := &DataGathererOIDC{cl: rc}
-
-	anyRes, _, err := g.Fetch()
-	if err != nil {
-		t.Fatalf("Fetch returned error: %v", err)
-	}
-
-	res, ok := anyRes.(*api.OIDCDiscoveryData)
-	if !ok {
-		t.Fatalf("unexpected result type: %T", anyRes)
-	}
-
-	if res.OIDCConfig != nil {
-		t.Fatalf("expected nil OIDCConfig on error, got %#v", res.OIDCConfig)
-	}
-	if res.OIDCConfigError != "failed to get OIDC discovery document: an error on the server (\"boom\") has prevented the request from succeeding" {
-		t.Fatalf("unexpected OIDCConfigError: %q", res.OIDCConfigError)
-	}
-	if res.JWKS != nil {
-		t.Fatalf("expected nil JWKS on malformed JSON, got %#v", res.JWKS)
-	}
-	if res.JWKSError != "failed to unmarshal JWKS response: invalid character '}' looking for beginning of value" {
-		t.Fatalf("unexpected JWKSError: %q", res.JWKSError)
+	tests := []struct {
+		name                        string
+		openidConfigurationResponse func(w http.ResponseWriter, r *http.Request)
+		jwksResponse                func(w http.ResponseWriter, r *http.Request)
+		expOIDCConfigError          string
+		expJWKSError                string
+	}{
+		{
+			name: "5xx errors",
+			openidConfigurationResponse: func(w http.ResponseWriter, r *http.Request) {
+				http.Error(w, "boom", http.StatusInternalServerError)
+			},
+			jwksResponse: func(w http.ResponseWriter, r *http.Request) {
+				http.Error(w, "boom", http.StatusInternalServerError)
+			},
+			expOIDCConfigError: `failed to get /.well-known/openid-configuration: Error from server (InternalError): an error on the server ("boom") has prevented the request from succeeding`,
+			expJWKSError:       `failed to get /openid/v1/jwks: Error from server (InternalError): an error on the server ("boom") has prevented the request from succeeding`,
+		},
+		{
+			name: "malformed JSON",
+			openidConfigurationResponse: func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "application/json")
+				_, _ = w.Write([]byte(`}{`))
+			},
+			jwksResponse: func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "application/json")
+				_, _ = w.Write([]byte(`}0`))
+			},
+			expOIDCConfigError: "failed to unmarshal OIDC discovery document: invalid character '}' looking for beginning of value",
+			expJWKSError:       "failed to unmarshal JWKS response: invalid character '}' looking for beginning of value",
+		},
+		{
+			name: "permission error (no body)",
+			openidConfigurationResponse: func(w http.ResponseWriter, r *http.Request) {
+				http.Error(w, "forbidden", http.StatusForbidden)
+			},
+			jwksResponse: func(w http.ResponseWriter, r *http.Request) {
+				http.Error(w, "forbidden", http.StatusForbidden)
+			},
+			expOIDCConfigError: "failed to get /.well-known/openid-configuration: Error from server (Forbidden): forbidden",
+			expJWKSError:       "failed to get /openid/v1/jwks: Error from server (Forbidden): forbidden",
+		},
+		{
+			name: "permission error (*metav1.Status body)",
+			openidConfigurationResponse: func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusForbidden)
+				_, _ = w.Write([]byte(`{
+					"kind":"Status",
+					"apiVersion":"v1",
+					"metadata":{},
+					"status":"Failure",
+					"message":"forbidden: User \"system:serviceaccount:default:test\" cannot get path \"/.well-known/openid-configuration\"",
+					"reason":"Forbidden",
+					"details":{},
+					"code":403
+				}`))
+			},
+			jwksResponse: func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusForbidden)
+				_, _ = w.Write([]byte(`{
+					"kind":"Status",
+					"apiVersion":"v1",
+					"metadata":{},
+					"status":"Failure",
+					"message":"forbidden: User \"system:serviceaccount:default:test\" cannot get path \"/openid/v1/jwks\"",
+					"reason":"Forbidden",
+					"details":{},
+					"code":403
+				}`))
+			},
+			expOIDCConfigError: `failed to get /.well-known/openid-configuration: Error from server (Forbidden): forbidden: User "system:serviceaccount:default:test" cannot get path "/.well-known/openid-configuration"`,
+			expJWKSError:       `failed to get /openid/v1/jwks: Error from server (Forbidden): forbidden: User "system:serviceaccount:default:test" cannot get path "/openid/v1/jwks"`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				switch r.URL.Path {
+				case "/.well-known/openid-configuration":
+					tc.openidConfigurationResponse(w, r)
+					return
+				case "/openid/v1/jwks":
+					tc.jwksResponse(w, r)
+					return
+				default:
+					t.Fatalf("unexpected request path: %s", r.URL.Path)
+				}
+			}))
+			defer ts.Close()
+
+			rc := makeRESTClient(t, ts)
+			g := &DataGathererOIDC{cl: rc}
+
+			anyRes, count, err := g.Fetch()
+			require.NoError(t, err)
+			require.Equal(t, 1, count)
+
+			res, ok := anyRes.(*api.OIDCDiscoveryData)
+			require.True(t, ok, "unexpected result type")
+
+			require.Nil(t, res.OIDCConfig)
+			require.NotEmpty(t, res.OIDCConfigError)
+			require.Equal(t, tc.expOIDCConfigError, res.OIDCConfigError)
+
+			require.Nil(t, res.JWKS)
+			require.NotEmpty(t, res.JWKSError)
+			require.Equal(t, tc.expJWKSError, res.JWKSError)
+		})
 	}
 }