One #737 is implemented, it will be important to have a pre-flight check that is able to evaluate if the ServiceAccount provided in the ClusterExtension has sufficient permissions to stamp out the content for a bundle on the cluster. Having this pre-flight check would:
Prevent partial installation/upgrade of bundles due to insufficient permissions on the provided ServiceAccount by failing fast before even attempting the installation/upgrade
Provide a more user friendly error message as to the exact permissions that are missing to install/upgrade content. Without this pre-flight check the install will fail the first time it encounters a permission error. The pre-flight check will be able to identify a list of missing permissions and return that in a failing status message.
I have done some previous work related to this in Carvel's kapp project [1]. It can be used as an inspiration for our own implementation or pulled in as a library (with a lightweight abstraction on top to satisfy the Preflight interface introduced in #979).
One #737 is implemented, it will be important to have a pre-flight check that is able to evaluate if the ServiceAccount provided in the
ClusterExtensionhas sufficient permissions to stamp out the content for a bundle on the cluster. Having this pre-flight check would:I have done some previous work related to this in Carvel's kapp project [1]. It can be used as an inspiration for our own implementation or pulled in as a library (with a lightweight abstraction on top to satisfy the Preflight interface introduced in #979).
References: