GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0

replication.auto unknown field - means that we cannot create SecretManagerSecret with auto replication and customer managed encryption key #1124

Open WTPascoe opened 8 months ago

WTPascoe commented 8 months ago

Bug Description

Attempting to apply a SecretManagerSecret yaml definition with replication.auto.customerManagedEncryption fails with the following error:

Error from server (BadRequest): error when creating "secret.yaml": SecretManagerSecret in version "v1beta1" cannot be handled as a SecretManagerSecret: strict decoding error: unknown field "spec.replication.auto"

The SecretManagerSecret docs imply that this is the correct setting.

Additional Diagnostic Information

This looks similar to https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/1081 but the conversation there implies that this is likely related to the terraform component. I believe that my issue is different because the resource cannot be created in EKS at all.

Creating SecretManagerSecret with replication set to userManaged allows us to set CMEK values as expected.

I've replicated this on an existing cluster and a new cluster created on Friday 12 January.

Kubernetes Cluster Version

Server Version: v1.28.4-gke.1083000

Config Connector Version

1.102.0

Config Connector Mode

cluster mode

Log Output

No response

Steps to reproduce the issue

  1. Create a KMS keyring - choose 'Multi-region' and select 'global' as the multi-region value
  2. Create a software key in the keyring
  3. Attempt to create a SecretManagerSecret resource using the YAML snippet

YAML snippets

apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecret
metadata:
  name: my-secret
  namespace: backend
  annotations:
    cnrm.cloud.google.com/project-id: my_gcp_project_id
spec:
  replication:
    auto:
      customerManagedEncryption:
        # kmsKeyRef must be nested under customerManagedEncryption; at the same
        # indent it parses as a sibling of an empty customerManagedEncryption map
        kmsKeyRef:
          external: projects/my_gcp_project_id/locations/global/keyRings/my_keyring/cryptoKeys/my_key

diviner524 commented 8 months ago

The reference document [1] is based on the latest version of Config Connector.

spec.replication.auto is not supported in 1.102.0. [2]. Could you install the latest version and see if it works?

[1] https://cloud.google.com/config-connector/docs/reference/overview

[2] https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/v1.102.0/crds/secretmanager_v1beta1_secretmanagersecret.yaml
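
A client-side pre-check for this class of error, added here as an example and not part of Config Connector or of this thread: it walks a manifest's spec against the CRD's openAPIV3Schema the way the API server's strict decoding does, so an undeclared field such as spec.replication.auto surfaces before kubectl apply. The CRD documents and manifest in the block are constructed and cut down; on a real cluster, feed it the output of `kubectl get crd secretmanagersecrets.secretmanager.cnrm.cloud.google.com -o json` and a manifest converted with `kubectl create --dry-run=client -o json -f secret.yaml`.

```python
# Constructed, cut-down CRD documents in the shape of
# `kubectl get crd secretmanagersecrets.secretmanager.cnrm.cloud.google.com -o json`,
# trimmed to spec.replication. CRD_OLD models the thread's point that the 1.102.0 CRD
# has no `auto` under replication; CRD_NEW models the layout the reference docs show.
_USER_MANAGED = {"type": "object", "properties": {"replicas": {"type": "array",
    "items": {"type": "object", "properties": {"location": {"type": "string"}}}}}}
_AUTO = {"type": "object", "properties": {"customerManagedEncryption": {"type": "object",
    "properties": {"kmsKeyRef": {"type": "object", "properties": {"external": {"type": "string"}}}}}}}

def _crd(replication_props):
    return {"spec": {"versions": [{"name": "v1beta1", "schema": {"openAPIV3Schema": {
        "type": "object", "properties": {"spec": {"type": "object", "properties": {
            "replication": {"type": "object", "properties": replication_props}}}}}}}]}}

CRD_OLD = _crd({"userManaged": _USER_MANAGED})
CRD_NEW = _crd({"auto": _AUTO, "userManaged": _USER_MANAGED})

def schema_for(crd, version="v1beta1"):
    """openAPIV3Schema of one served version of a CRD document."""
    for v in crd["spec"]["versions"]:
        if v["name"] == version:
            return v["schema"]["openAPIV3Schema"]
    raise KeyError(f"version {version} is not served by this CRD")

def unknown_fields(manifest, crd, version="v1beta1"):
    """Dotted paths under `spec` that the CRD schema does not declare: the fields the API
    server's strict decoding rejects. The first undeclared key on a path is reported and its
    subtree skipped; a node marked x-kubernetes-preserve-unknown-fields accepts anything."""
    found = []
    def walk(node, schema, path):
        if schema.get("x-kubernetes-preserve-unknown-fields"):
            return
        if isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, schema.get("items", {}), f"{path}[{i}]")
        elif isinstance(node, dict):
            props = schema.get("properties", {})
            for key, val in node.items():
                if key in props:
                    walk(val, props[key], f"{path}.{key}")
                else:
                    found.append(f"{path}.{key}")
    walk(manifest.get("spec", {}), schema_for(crd, version)["properties"]["spec"], "spec")
    return found

# The thread's manifest, with kmsKeyRef nested under customerManagedEncryption.
MANIFEST = {"apiVersion": "secretmanager.cnrm.cloud.google.com/v1beta1",
    "kind": "SecretManagerSecret", "metadata": {"name": "my-secret", "namespace": "backend"},
    "spec": {"replication": {"auto": {"customerManagedEncryption": {"kmsKeyRef": {
        "external": "projects/my_gcp_project_id/locations/global/keyRings/my_keyring/cryptoKeys/my_key"}}}}}}
```

Against CRD_OLD the function reports spec.replication.auto, the same path the API server names in the error above; against CRD_NEW it reports nothing.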

WTPascoe commented 8 months ago

Could you install the latest version and see if it works?

I'll need a little time to work out how to do that. We deploy clusters using terraform terraform-google-modules/kubernetes-engine/google//modules/safer-cluster-update-variant 29.0.0 and I don't see anything in those docs about specifying a config_connector version.

I'll update after I work that out, but any tips would be appreciated thanks.

diviner524 commented 8 months ago

Are you able to share the terraform config snippet related to Config Connector?

It is likely you are installing config connector in a GKE cluster through GKE Add-on. If that's the case, you may need to switch to a different installation method to get a more recent version of Config Connector.

https://cloud.google.com/config-connector/docs/concepts/installation-types

WTPascoe commented 8 months ago

Switching to a manually managed later version resolves this issue, but poses some troubling questions about managing this in GKE.

It looks like config connector version is tightly coupled to gke version according to https://cloud.google.com/config-connector/docs/how-to/install-manually#switch-add-on and there is no way to upgrade without uninstalling first.

When installed as an add-on, the version of Config Connector is directly tied to the GKE version that is installed.

It also says

The version of Config Connector installed through Config Connector add-on can be significantly behind by up to 12 months if you are not always using the latest GKE minor version.

However, in a cluster running 1.28.4-gke.1083000 which is the current latest version available on the rapid channel, we still only see config connector version 1.102.0. This is quite a lag between documentation and what's being actively deployed. We would prefer to avoid the overhead of having to manage this separately to the rest of our GKE cluster.

Is there a way to find the release schedule for this and what GKE versions will bring new config connector versions?