Open npitts0811 opened 7 months ago
We are seeing this issue once again and outside of the targetResources. We have seen this behavior happen when adding destIPRanges. We now have two rules that are in this state and we are not sure why. We tried to re-create this error and have failed to do so. We are going to open a support ticket and reference this issue.
status:
conditions:
- lastTransitionTime: "2024-06-13T17:47:48Z"
message: 'Update call failed: error generating the diffs from desired state: required
value "priority" could not be found'
reason: UpdateFailed
status: "False"
type: Ready
kind: compute#firewallPolicyRule
observedGeneration: 2
ruleTupleCount: 14
When I describe the object the priority is there in the spec.
spec:
action: allow
description: Test
direction: EGRESS
enableLogging: true
firewallPolicyRef:
name: policyname
match:
destIPRanges:
- 1.2.3.5/32
- 1.2.3.4/32
layer4Configs:
- ipProtocol: tcp
ports:
- "443"
priority: 201001
The rule did update as all we did was add IP's to the list. The rule is now in a state that it likely cannot be recovered from. We have left the objects in place in case support may want to see them.
We are now on this version of Config Connector. 1.114.1
The sample yaml references a FirewallPolicy (firewallPolicyRef: external: firewallPolicies/123456789098764) but that yaml is not provided? Would it be possible to get a copy of a sample yaml for that?
Hello,
Here is a scrubbed example of a firewallpolicy that the broken rules are in.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicy
metadata:
annotations:
cnrm.cloud.google.com/management-conflict-prevention-policy: none
cnrm.cloud.google.com/state-into-spec: merge
name: production-01
namespace: coolnamespace
spec:
description: An organizational level policy to associate to all production folders.
Define rules in p01 branch of a cool repo.
organizationRef:
external: organizations/111111111
shortName: nottherealname
Checklist
Bug Description
When updating
external
network ref values in a ComputeFirewallPolicyRule resource'stargetResources
field, certain conditions result in either 1) the change not taking effect in GCP despite the k8s resource showing asUpToDate
or 2) the resource entersUpdateFailed
state with the following message:Additional Diagnostic Information
Success scenarios:
targetResources
listtargetResources
listFailure scenarios:
targetResources
listWe were not able to identify what causes the ComputeFirewallPolicyRule resource to remain in
UpToDate
with no changes in GCP (scenario 1 in Bug Description) vs the resource enteringUpdateFailed
state with the "priority" message (scenario 2 in Bug Description).Kubernetes Cluster Version
v1.26.11-gke.1055000
Config Connector Version
1.111.0
Config Connector Mode
namespaced mode (default)
Log Output
No response
Steps to reproduce the issue
targetResources
and at least oneexternal
network path.targetResources
list and remove an existing one.The resulting resource will either remain
UpToDate
with no changes to GCP or enterUpdateFailed
with the message below:YAML snippets