Improve handling of missing load balancer permissions

sd109 · sd109 · commit 35cd30df3a97 · 2025-07-22T11:47:54.000+01:00
Currently, when a user tries to create a cluster using OpenStack
credentials which are missing the load balancer permissions, CAPO
adds the finalized to the OpenStackCluster resource then fails to
create the load balancer. When the user then tries to delete the
cluster, CAPO makes a GET request to the Octavia API to get the
load balancer details and receives a 403 (permission denied)
response, so the only way to allow the cluster deletion to
proceed is to manually remove the finalizer from the
OpenStackCluster resource.

This change prevents the above edge case by only attempting to
delete the API server load balancer if the load balancer ID is
populated in the OpenStackCluster's status field.
diff --git a/controllers/openstackcluster_controller.go b/controllers/openstackcluster_controller.go
@@ -177,7 +177,7 @@ func (r *OpenStackClusterReconciler) reconcileDelete(ctx context.Context, scope
 		return reconcile.Result{}, err
 	}
 
-	if openStackCluster.Spec.APIServerLoadBalancer.IsEnabled() {
+	if (openStackCluster.Spec.APIServerLoadBalancer.IsEnabled() && openStackCluster.Status.APIServerLoadBalancer.ID != "") {
 		loadBalancerService, err := loadbalancer.NewService(scope)
 		if err != nil {
 			return reconcile.Result{}, err

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ func (r *OpenStackClusterReconciler) reconcileDelete(ctx context.Context, scope`
`177`	`177`	`return reconcile.Result{}, err`
`178`	`178`	`}`
`179`	`179`
`180`		`- if openStackCluster.Spec.APIServerLoadBalancer.IsEnabled() {`
	`180`	`+ if (openStackCluster.Spec.APIServerLoadBalancer.IsEnabled() && openStackCluster.Status.APIServerLoadBalancer.ID != "") {`
`181`	`181`	`loadBalancerService, err := loadbalancer.NewService(scope)`
`182`	`182`	`if err != nil {`
`183`	`183`	`return reconcile.Result{}, err`