GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0
861 stars 202 forks

SecretManagerSecret uses namespace as gcp project id unless annotation cnrm.cloud.google.com/project-id is set #1734

Open Isakdl opened 2 months ago

Isakdl commented 2 months ago

Bug Description

The documented yaml specification does not work out of the box for SecretManagerSecret, seen here: https://cloud.google.com/config-connector/docs/reference/resource-docs/secretmanager/secretmanagersecret

The Config Connector is calling the API with the project ID taken from the namespace field of the YAML file, instead of the actual GCP project ID.

If the namespace field is left empty, it takes the default namespace (default).

However, if I add the annotation cnrm.cloud.google.com/project-id and set it to my project ID, the correct endpoint is called and my resource is created. As of now this field seems to be required for this resource to work; either there is information missing in the documentation or this is a bug in the implementation.

Additional Diagnostic Information

none

Kubernetes Cluster Version

1.29

Config Connector Version

1.115.0

Config Connector Mode

cluster mode

Log Output

"Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing SecretManagerSecret "projects/my-namespace/secrets/secret-name": googleapi: Error 403: Permission denied on resource project default.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developers console",
        "url": "https://console.developers.google.com"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/my-namespace",
      "service": "secretmanager.googleapis.com"
    },
    "reason": "CONSUMER_INVALID"
  }
]"

Steps to reproduce the issue

Apply the yaml file in the cluster without adding the annotation cnrm.cloud.google.com/project-id

YAML snippets

apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecret
metadata:
  name: secret-name
  namespace: my-namespace
  # No cnrm.cloud.google.com/project-id annotation here: the namespace name
  # ("my-namespace") ends up being used as the GCP project ID.
  labels:
    replication-type: automatic
spec:
  replication:
    automatic: true

diviner524 commented 1 month ago

Unfortunately Config Connector needs to maintain this behavior for backward compatibility, as noted here:

https://cloud.google.com/config-connector/docs/how-to/organizing-resources/project-scoped-resources#using_the_namespace_name_as_the_project_id
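The following is an added example and is not code from the k8s-config-connector project or from anyone in this thread. It replays the project-ID resolution the thread describes as a pre-apply check: the resource's cnrm.cloud.google.com/project-id annotation wins, otherwise the namespace name is used as the GCP project ID, which is exactly how `projects/my-namespace/secrets/secret-name` ended up in the 403 log line above. The intermediate step (an annotation on the Namespace object itself) follows the how-to linked in the reply and is an assumption of this example, as are the constructed inputs: the reported manifest rendered as `kubectl get -o json` output, a copy carrying the annotation with the placeholder project ID `my-gcp-project`, and a `team-a` namespace annotated with `team-a-project`.

```python
"""Pre-apply check: which GCP project will Config Connector target?

Added example, not project code. Resolution order (resource annotation,
then namespace annotation, then namespace name) is taken from the thread
plus the linked how-to; the namespace-annotation step is an assumption.
"""
import json

PROJECT_ID_ANNOTATION = "cnrm.cloud.google.com/project-id"

# Constructed input: the manifest from the report, as `kubectl get -o json`
# would return it. No project-id annotation is present.
REPORTED_SECRET = json.loads("""
{
  "apiVersion": "secretmanager.cnrm.cloud.google.com/v1beta1",
  "kind": "SecretManagerSecret",
  "metadata": {"name": "secret-name", "namespace": "my-namespace",
               "labels": {"replication-type": "automatic"}},
  "spec": {"replication": {"automatic": true}}
}
""")

# Constructed input: the same resource with the annotation the reporter
# found necessary. "my-gcp-project" is a placeholder project ID.
ANNOTATED_SECRET = json.loads("""
{
  "apiVersion": "secretmanager.cnrm.cloud.google.com/v1beta1",
  "kind": "SecretManagerSecret",
  "metadata": {"name": "secret-name", "namespace": "my-namespace",
               "annotations": {"cnrm.cloud.google.com/project-id": "my-gcp-project"}},
  "spec": {"replication": {"automatic": true}}
}
""")

# Constructed input: an unannotated resource in a namespace that carries
# the annotation at namespace level (assumed fallback, see docstring).
TEAM_A_SECRET = {
    "apiVersion": "secretmanager.cnrm.cloud.google.com/v1beta1",
    "kind": "SecretManagerSecret",
    "metadata": {"name": "db-password", "namespace": "team-a"},
    "spec": {"replication": {"automatic": True}},
}

# Constructed Namespace objects keyed by name.
NAMESPACES = {
    "my-namespace": {"metadata": {"name": "my-namespace"}},
    "team-a": {"metadata": {"name": "team-a",
                            "annotations": {PROJECT_ID_ANNOTATION: "team-a-project"}}},
}


def resolve_project_id(resource, namespaces):
    """Return (project_id, source) for a project-scoped Config Connector resource."""
    meta = resource.get("metadata", {})
    annotations = meta.get("annotations") or {}
    if annotations.get(PROJECT_ID_ANNOTATION):
        return annotations[PROJECT_ID_ANNOTATION], "resource annotation"
    # An unset namespace means "default", as the report observes.
    ns_name = meta.get("namespace") or "default"
    ns_meta = namespaces.get(ns_name, {}).get("metadata", {})
    ns_annotations = ns_meta.get("annotations") or {}
    if ns_annotations.get(PROJECT_ID_ANNOTATION):
        return ns_annotations[PROJECT_ID_ANNOTATION], "namespace annotation"
    # Last resort: the namespace name itself is used as the project ID.
    return ns_name, "namespace name"


def secret_resource_name(resource, namespaces):
    """Secret Manager resource name the controller will read (as in the 403 log line)."""
    project, _ = resolve_project_id(resource, namespaces)
    return f"projects/{project}/secrets/{resource['metadata']['name']}"


def lint(resource, namespaces, known_projects=None):
    """Return findings: silent namespace-name fallback, and a project outside an allowlist."""
    project, source = resolve_project_id(resource, namespaces)
    ident = f"{resource['kind']}/{resource['metadata']['name']}"
    findings = []
    if source == "namespace name":
        findings.append(
            f"{ident}: no {PROJECT_ID_ANNOTATION} on resource or namespace; "
            f"controller will target project '{project}' (the namespace name) "
            f"and read {secret_resource_name(resource, namespaces)}")
    if known_projects is not None and project not in known_projects:
        findings.append(f"{ident}: resolved project '{project}' is not in the allowed set")
    return findings


if __name__ == "__main__":
    allowed = {"my-gcp-project", "team-a-project"}
    for res in (REPORTED_SECRET, ANNOTATED_SECRET, TEAM_A_SECRET):
        print(secret_resource_name(res, NAMESPACES))
        for finding in lint(res, NAMESPACES, known_projects=allowed):
            print("  WARN", finding)
```

Run against the reported manifest, the check reproduces the `projects/my-namespace/secrets/secret-name` name from the log and flags the namespace-name fallback before anything is applied; the annotated copy resolves to the placeholder project and produces no finding. Passing an allowlist of project IDs turns the same check into an admission-style guard against a resource silently landing in whatever project happens to share a name with its namespace.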