fix: do not delete workspace pod on authz errors

rquitales · rquitales · commit 7b2f293c2f5c · 2025-02-07T16:24:10.000-08:00
diff --git a/agent/pkg/server/pulumi_errors.go b/agent/pkg/server/pulumi_errors.go
@@ -31,6 +31,11 @@ var knownErrors = knownPulumiErrors{
 		Reason:  "UpdateConflict",
 		Code:    409,
 	},
+	"invalid access token": {
+		Message: "Invalid access token used to authenticate with Pulumi Cloud",
+		Reason:  "InvalidAccessToken",
+		Code:    401,
+	},
 }
 
 // withPulumiErrorInfo iterates over known errors and checks if the provided error matches any of them.
diff --git a/agent/pkg/server/server.go b/agent/pkg/server/server.go
@@ -175,7 +175,8 @@ func (s *Server) Cancel() {
 func (s *Server) WhoAmI(ctx context.Context, in *pb.WhoAmIRequest) (*pb.WhoAmIResult, error) {
 	whoami, err := s.ws.WhoAmIDetails(ctx)
 	if err != nil {
-		return nil, err
+		st := status.Newf(codes.Unknown, "whoami failed: %v", err)
+		return nil, addStructuredErr(st, err).Err()
 	}
 	resp := &pb.WhoAmIResult{
 		User:          whoami.User,
diff --git a/operator/internal/controller/auto/workspace_controller.go b/operator/internal/controller/auto/workspace_controller.go
@@ -30,6 +30,7 @@ import (
 	autov1alpha1 "github.com/pulumi/pulumi-kubernetes-operator/v2/operator/api/auto/v1alpha1"
 	autov1alpha1webhook "github.com/pulumi/pulumi-kubernetes-operator/v2/operator/internal/webhook/auto/v1alpha1"
 	"github.com/pulumi/pulumi-kubernetes-operator/v2/operator/version"
+	"google.golang.org/grpc/status"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -242,6 +243,31 @@ func (r *WorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 	initializedV, ok := pod.Annotations[PodAnnotationInitialized]
 	initialized, _ := strconv.ParseBool(initializedV)
 	if !ok || !initialized {
+		l.Info("Running whoami to ensure authentication is setup correctly with the workspace pod")
+		_, err = wc.WhoAmI(ctx, &agentpb.WhoAmIRequest{})
+		if err != nil {
+			l.Error(err, "unable to run whoami; retaining the workspace pod to retry later")
+			st := status.Convert(err)
+
+			ready.Status = metav1.ConditionFalse
+			ready.Reason = st.Code().String()
+			ready.Message = st.Message()
+
+			// Override with structured error from PulumiErrorInfo if provided.
+			if len(st.Details()) > 0 {
+				if info, ok := st.Details()[0].(*agentpb.PulumiErrorInfo); ok {
+					ready.Reason = info.Reason
+					ready.Message = info.Message
+				}
+			}
+
+			if statusErr := updateStatus(); statusErr != nil {
+				return ctrl.Result{}, statusErr
+			}
+
+			return ctrl.Result{}, err
+		}
+
 		l.Info("Running pulumi install")
 		ready.Status = metav1.ConditionFalse
 		ready.Reason = "Installing"
