From d6f1c298fe8ceaadb9b3048b5e5389b833f6fff6 Mon Sep 17 00:00:00 2001
From: Valentin Flaux <38909103+vflaux@users.noreply.github.com>
Date: Tue, 30 Sep 2025 10:40:53 +0200
Subject: [PATCH] fix(controller): panic in OCI provider build
Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
---
 controller/execute.go | 14 +++++++-------
 controller/execute_test.go | 17 +++++++++++++++++
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/controller/execute.go b/controller/execute.go
index bb7ebc5440..6d03fa455d 100644
--- a/controller/execute.go
+++ b/controller/execute.go
@@ -278,17 +278,17 @@ func buildProvider(
 if cfg.OCIAuthInstancePrincipal {
 if len(cfg.OCICompartmentOCID) == 0 {
 err = fmt.Errorf("instance principal authentication requested, but no compartment OCID provided")
- } else {
- authConfig := oci.OCIAuthConfig{UseInstancePrincipal: true}
- config = &oci.OCIConfig{Auth: authConfig, CompartmentID: cfg.OCICompartmentOCID}
+ break
 }
+ authConfig := oci.OCIAuthConfig{UseInstancePrincipal: true}
+ config = &oci.OCIConfig{Auth: authConfig, CompartmentID: cfg.OCICompartmentOCID}
 } else {
- config, err = oci.LoadOCIConfig(cfg.OCIConfigFile)
+ if config, err = oci.LoadOCIConfig(cfg.OCIConfigFile); err != nil {
+ break
+ }
 }
 config.ZoneCacheDuration = cfg.OCIZoneCacheDuration
- if err == nil {
- p, err = oci.NewOCIProvider(*config, domainFilter, zoneIDFilter, cfg.OCIZoneScope, cfg.DryRun)
- }
+ p, err = oci.NewOCIProvider(*config, domainFilter, zoneIDFilter, cfg.OCIZoneScope, cfg.DryRun)
 case "rfc2136":
 tlsConfig := rfc2136.TLSConfig{
 UseTLS: cfg.RFC2136UseTLS,
diff --git a/controller/execute_test.go b/controller/execute_test.go
index 84ca2d33f8..19c220f1b3 100644
--- a/controller/execute_test.go
+++ b/controller/execute_test.go 
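Review bot: In the `oci` case of `buildProvider` in controller/execute.go, the two new `break` statements carry the whole fix, but nothing in the code says why they are needed: on either error path `config` is presumably still nil, and the following `config.ZoneCacheDuration = ...` would dereference it. I would add a comment above the first one, `// config is unset on error: leave the switch before it is dereferenced below`, since `break` here exits the enclosing `switch` and the error is then handled by code outside this hunk. The `else { if ...; err != nil { break } }` block can also be written as `} else if config, err = oci.LoadOCIConfig(cfg.OCIConfigFile); err != nil {`, which removes one nesting level. The switch and the rest of `buildProvider` start and end outside the hunk.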
@@ -264,6 +264,23 @@ func TestBuildProvider(t *testing.T) {
 },
 expectedType: "*provider.CachedProvider",
 },
+ {
+ name: "oci provider instance principal without compartment OCID",
+ cfg: &externaldns.Config{
+ Provider: "oci",
+ OCIAuthInstancePrincipal: true,
+ OCICompartmentOCID: "",
+ },
+ expectedError: "instance principal authentication requested, but no compartment OCID provided",
+ },
+ {
+ name: "oci provider without config file",
+ cfg: &externaldns.Config{
+ Provider: "oci",
+ OCIConfigFile: "",
+ },
+ expectedError: "reading OCI config file",
+ },
 {
 name: "coredns provider",
 cfg: &externaldns.Config{
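Review bot: The second new case in `TestBuildProvider` asserts on `"reading OCI config file"`, a message that is not produced anywhere in this diff and presumably comes from `oci.LoadOCIConfig`, so a wording change in that package would break this test. A short comment on the case, such as `// message originates in oci.LoadOCIConfig; guards the nil config dereference in buildProvider`, would make both the coupling and the regression being guarded explicit. Both new cases cover only error paths; the instance-principal success path that this commit also moved is not exercised here, possibly because it needs cloud credentials. The test table and the test body continue outside the hunk.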