GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0

IAMPolicyMember for Cloud Functions showing DCL error #1082

Open tommycouri-bestbuy opened 6 months ago

tommycouri-bestbuy commented 6 months ago

Checklist

Bug Description

I'm testing out the IAMPolicyMember for Cloud Functions Invoker and seeing a DCL error when applying

Additional Diagnostic Information

Update call failed: error getting referenced DCL resource, with reference project_name/: error retrieving resource 'project_name/' with GroupVersionKind 'cloudfunctions.cnrm.cloud.google.com/v1beta1, Kind=CloudFunctionsFunction': resource name may not be empty

Kubernetes Cluster Version

v1.28.3

Config Connector Version

1.111.0

Config Connector Mode

namespaced mode (default)

Log Output

Update call failed: error getting referenced DCL resource, with reference project_name/: error retrieving resource 'project_name/' with GroupVersionKind 'cloudfunctions.cnrm.cloud.google.com/v1beta1, Kind=CloudFunctionsFunction': resource name may not be empty

Steps to reproduce the issue

Applying the yaml file below using kubectl

YAML snippets

```yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cf-test-invoker
spec:
  member: group:GROUP_NAME
  role: roles/cloudfunctions.invoker
  resourceRef:
    apiVersion: cloudfunctions.cnrm.cloud.google.com/v1beta1
    kind: CloudFunctionsFunction
    external: projects/project_name/locations/us-central1/functions/test-invoker
```

diviner524 commented 6 months ago

Looks to be a bug in DCL IAM client which doesn't handle the case of external reference:

https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/v1.112.0/pkg/controller/iam/iamclient/dcliamclient.go#L279

Does it work if you have the CloudFunctions resource being managed as a KRM resource and use name/namespace instead of external to refer to the resource?
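
Added illustration, not Config Connector's own code (its client lives in the file linked above): a small Go resolver for the `external` form of a CloudFunctionsFunction reference. It splits the path into project, location and function name, and applies the two bare-name checks whose rejection messages are quoted in this issue's log output, so a manifest like the one above can be checked before it is applied. The type and function names are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// FunctionRef holds the parts of a fully qualified Cloud Functions name
// (the type and function names here are this example's own, not Config Connector's).
type FunctionRef struct{ Project, Location, Name string }

// externalPattern matches the resourceRef.external form from the issue's YAML:
// projects/{project}/locations/{location}/functions/{function}.
var externalPattern = regexp.MustCompile(`^projects/([^/]+)/locations/([^/]+)/functions/([^/]+)$`)

// ParseExternalFunctionRef splits an external reference into its parts instead of
// treating the whole path as a bare resource name.
func ParseExternalFunctionRef(external string) (FunctionRef, error) {
	m := externalPattern.FindStringSubmatch(external)
	if m == nil {
		return FunctionRef{}, fmt.Errorf("invalid external reference %q: want projects/{p}/locations/{l}/functions/{f}", external)
	}
	return FunctionRef{Project: m[1], Location: m[2], Name: m[3]}, nil
}

// ValidateResourceName applies the two checks whose failures are quoted in the
// issue's log output: a bare name may be neither empty nor contain '/'.
func ValidateResourceName(name string) error {
	if name == "" {
		return errors.New("resource name may not be empty")
	}
	if strings.Contains(name, "/") {
		return fmt.Errorf("invalid resource name %q: [may not contain '/']", name)
	}
	return nil
}

func main() {
	// Constructed input: the external value from the IAMPolicyMember in this issue.
	ref, err := ParseExternalFunctionRef("projects/project_name/locations/us-central1/functions/test-invoker")
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Printf("project=%s location=%s function=%s\n", ref.Project, ref.Location, ref.Name)
	fmt.Println("bare name check:", ValidateResourceName(ref.Name)) // <nil>: the parsed name is a valid bare name
}
```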

tommycouri-bestbuy commented 6 months ago

@diviner524 - I tried deploying this using "name" instead of "external" with a KRM controlled resource. I'm seeing the same error:

Warning UpdateFailed 10s (x5 over 40s) iampolicymember-controller Update call failed: error getting referenced DCL resource, with reference project_name/projects/project_name/locations/us-central1/functions/cloudfunctionsfunction-sample-httpstrigger: error retrieving resource 'project_name/projects/project_name/locations/us-central1/functions/cloudfunctionsfunction-sample-httpstrigger' with GroupVersionKind 'cloudfunctions.cnrm.cloud.google.com/v1beta1, Kind=CloudFunctionsFunction': invalid resource name "projects/project_name/locations/us-central1/functions/cloudfunctionsfunction-sample-httpstrigger": [may not contain '/']

tommycouri-bestbuy commented 5 months ago

Follow up question - would this fix be applied to both CFv1 as well as CFv2?

tommycouri-bestbuy commented 2 weeks ago

Hello - any update on this issue?