Bug: When insufficient permissions exist to watch managed resources, reconciliation halts

[everettraven]

When you create a ClusterExtension referencing a ServiceAccount with insufficient permissions to list and watch managed resources, we loop forever while waiting for the watches to successfully become established.

In the operator-controller-manager logs you'll see a looping error similar to:

W0809 19:08:12.963229       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:argocd:argocd-installer" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

[m1kola]

We have this issue in our sample manifest. I see that #1119 which addressed this issue also fixes the sample so I closed #1195 as a duplicate of this issue.