fix: distinguish RBAC 403 from 'not installed' in FluxCD provider#6126
Merged
shahargl merged 1 commit intokeephq:mainfrom Mar 24, 2026
Merged
Conversation
Fixes keephq#5393 When a ServiceAccount lacks permission to read CustomResourceDefinitions (HTTP 403 Forbidden), the FluxCD provider was catching this as a generic exception and reporting 'Flux CD does not appear to be installed' — a misleading message that sent users down the wrong troubleshooting path. Changes: - __check_flux_installed: catch ApiException separately; re-raise on 403 so the caller can distinguish permission errors from genuine absences - validate_scopes: add an explicit ApiException catch that returns an actionable RBAC error message on 403, directing operators to add ClusterRole permissions for apiextensions.k8s.io/customresourcedefinitions Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
@lalalic is attempting to deploy a commit to the KeepHQ Team on Vercel. A member of the Team first needs to authorize it. |
dosubot
bot
added
size:M
Contributor
|
👏 Well done @lalalic! Two PRs merged already! 🎉🥳 With your second PR, you're on a roll, and your contributions are already making a difference. 🌟 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #5393
When a Kubernetes ServiceAccount lacks permission to read CustomResourceDefinitions (HTTP 403 Forbidden), the FluxCD provider was catching this exception generically and reporting:
This message is misleading — FluxCD is installed, but the ServiceAccount simply doesn't have the required RBAC permissions. Users end up troubleshooting a non-existent installation problem.
Root Cause
__check_flux_installedcaught all exceptions with a bareexcept Exception, treating a 403 Forbidden the same as a 404 Not Found.Changes
__check_flux_installed: CatchApiExceptionseparately. For status 403, re-raise so the caller can distinguish permission errors from genuine absences. Other errors still returnFalse(FluxCD not installed).validate_scopes: Add an explicitexcept ApiExceptionblock that returns an actionable error message on 403, directing operators to addClusterRolepermissions forapiextensions.k8s.io/customresourcedefinitions.Before / After
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com