Refactor authenticator building

Prefer explicit error checking to the "fallthrough" pattern.

nodeup/pkg/model/bootstrap_client.go

@@ -49,31 +49,41 @@ func (b BootstrapClientBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 	var authenticator bootstrap.Authenticator
 	var resolver resolver.Resolver
 
-	var err error
 	switch b.CloudProvider {
 	case kops.CloudProviderAWS:
-		authenticator, err = awsup.NewAWSAuthenticator(b.Cloud.Region())
-	case kops.CloudProviderGCE:
-		authenticator, err = gcetpmsigner.NewTPMAuthenticator()
-
-		discovery, err := gcediscovery.New()
+		a, err := awsup.NewAWSAuthenticator(b.Cloud.Region())
 		if err != nil {
 			return err
 		}
-		resolver = discovery
+		authenticator = a
+	case kops.CloudProviderGCE:
+		a, err := gcetpmsigner.NewTPMAuthenticator()
+		if err != nil {
+			return err
+		}
+		authenticator = a
+		r, err := gcediscovery.New()
+		if err != nil {
+			return err
+		}
+		resolver = r
 	case kops.CloudProviderHetzner:
-		authenticator, err = hetzner.NewHetznerAuthenticator()
+		a, err := hetzner.NewHetznerAuthenticator()
+		if err != nil {
+			return err
+		}
+		authenticator = a
 	case kops.CloudProviderOpenstack:
-		authenticator, err = openstack.NewOpenstackAuthenticator()
+		a, err := openstack.NewOpenstackAuthenticator()
+		if err != nil {
+			return err
+		}
+		authenticator = a
 
 	default:
 		return fmt.Errorf("unsupported cloud provider for authenticator %q", b.CloudProvider)
 	}
 
-	if err != nil {
-		return err
-	}
-
 	baseURL := url.URL{
 		Scheme: "https",
 		Host:   net.JoinHostPort("kops-controller.internal."+b.Cluster.ObjectMeta.Name, strconv.Itoa(wellknownports.KopsControllerPort)),