Closed themanifold closed 4 years ago
Yes, we are working on a feature supporting external references. The basic idea is to allow users to specify the identifier to some resources that are not managed by config connector, e.g. the selflink to a network or the email address for a service account.
@themanifold we are adding support for this -- in addition, you can "acquire" a resource created outside of config connector by supplying the appropriate YAML.
Hello @spew @xiaobaitusi thanks for getting back to me. I already tried binding a role to a bucket created outside of KCC, but didn't manage to figure it out. Can you show me a complete example?
I've also run into the same issue when trying to work around #68:
Tried to first add backend service with gcloud and then create the KCC resource after that, then I was able to create the url map, but ran into the issue of #68 again.
hi @themanifold and @klaraward
We are working on supporting referencing a resource that is not "in config connector". This should be available within a month's time.
However, in the meantime, you can "acquire" a resource created outside of KCC if you are able to provide a YAML matching the resource.
@spew That yaml would be pretty much the same thing as the yaml I had to create it via KCC in the first place? I did manage that, but it did not solve the problem of #68 unfortunately.
Hello @spew - can you provide a working example? I have tried what you suggested multiple times on different types of externally created resources to no avail.
@themanifold what happens when you apply the YAML ? Does the resource 'change' or is it unable to be acquired?
@klaraward yes, you are correct.
@spew I'm not at work right now but I'm pretty sure it says that it can't be acquired, or that it's waiting for it. I'll post a log message tomorrow if that will help.
Yes, that would help!
This is my use case (rnd-project is my GCP project):

1. Create KCC healthcheck with:

```yaml
apiVersion: compute.cnrm.cloud.google.com/v1alpha3
kind: ComputeHealthCheck
metadata:
  name: test-healthcheck
  namespace: rnd-project
spec:
  checkIntervalSec: 10
  httpHealthCheck:
    port: 80
    requestPath: /healthz
  location: global
```

This creates a healthcheck in GCP.

2. Create backend service with gcloud (because of #68):

```
gcloud --project rnd-project compute backend-services create test-backendservice \
  --global \
  --health-checks test-healthcheck --load-balancing-scheme INTERNAL_SELF_MANAGED \
  --protocol=HTTP
```

This creates a backend service in GCP.

3. Create url map with:

```yaml
apiVersion: compute.cnrm.cloud.google.com/v1alpha3
kind: ComputeURLMap
metadata:
  name: test-urlmap
  namespace: rnd-project
spec:
  location: global
  defaultService:
    backendServiceRef:
      name: test-backendservice
```

This does not create a url map in GCP, and the status of the k8s urlmap resource says:

```yaml
status:
  conditions:
  - lastTransitionTime: "2019-12-05T08:51:41Z"
    message: reference ComputeBackendService /test-backendservice is not ready
    reason: ReferenceIsNotReady
    status: "False"
    type: Ready
```

4. Create a backend service KCC resource with:

```yaml
apiVersion: compute.cnrm.cloud.google.com/v1alpha3
kind: ComputeBackendService
metadata:
  name: test-backendservice
  namespace: rnd-project
spec:
  healthCheckRef:
    name: test-healthcheck
  location: global
  loadBalancingScheme: INTERNAL_SELF_MANAGED
```

5. Delete k8s urlmap and create again with same command as 3. Now the urlmap is actually created in GCP and linked to the backend service. The status of the k8s resource briefly says

```yaml
status:
  conditions:
  - lastTransitionTime: "2019-12-05T08:54:05Z"
    message: reference ComputeBackendService rnd-project/test-backendservice is not
      ready
    reason: ReferenceIsNotReady
    status: "False"
    type: Ready
```

before changing to an up-to-date status.
Due to #68, this is not a useful end state for me though :)
@spew this is basically same error that I'm getting, but I'm trying to associate a node pool within KCC to a GKE cluster created externally to KCC.
Thanks for the great repro case @klaraward we will be debugging this on our side in the coming weeks.
I've noticed that you've introduced the `external` field since December 19th, but there are no examples to be found - please can you provide some? @spew @xiaobaitusi
Hey themanifold@, it's on a resource-by-resource basis what syntax the external field can support (that's why we try to standardize with native k8s referencing between Config Connector resources). However, for the URLMap example above, I believe the following should work:
```yaml
apiVersion: compute.cnrm.cloud.google.com/v1alpha3
kind: ComputeURLMap
metadata:
  name: test-urlmap
  namespace: rnd-project
spec:
  location: global
  defaultService:
    backendServiceRef:
      external: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/test-backendservice
```
@kibbles-n-bytes OK, thanks for that specific example.
Are there plans for documenting all the cases you support? I just thought there might be. It seems like you're saying that the pattern is something like:
```
spec:
  ...
  <api-resource>ref:
    external: <google_http_api_endpoint>
```
Yeah, we plan to. Note that we have no particular format we accept as it's up to the underlying API whatever it accepts. Usually the selfLink (the HTTPS endpoint) is the standard, especially for referencing Compute resources. But cataloging these cases, or at least giving a recommendation per resource type, is definitely on our radar.
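An added example, not part of the thread and not Config Connector code: a pre-apply lint that walks a set of manifests and flags every `name` reference with no matching object in the set, which is the case that sat at `ReferenceIsNotReady` in the repro above and is where `external` applies. The kind-matching heuristic, the optional `namespace` key on a reference, and the manifests (built as Python dicts so the block runs without a YAML library) are assumptions made for this sketch.

```python
# Added example: pre-apply lint for Config Connector references (not KCC code).
# Assumption: a `name` ref only becomes ready when a matching object is managed
# in the cluster; an `external` ref is passed through to the GCP API instead.
UNRESOLVED = "name not managed here; expect ReferenceIsNotReady or use external"

def iter_refs(node, path=""):
    """Yield (path, key, ref) for every '<something>Ref' mapping under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.endswith("Ref") and isinstance(value, dict):
                yield here, key, value
            else:
                yield from iter_refs(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_refs(item, f"{path}[{i}]")

def lint(manifests):
    """Return (owner, path, message) for refs that cannot resolve in the set."""
    known = {(m["kind"].lower(), m["metadata"]["namespace"], m["metadata"]["name"])
             for m in manifests}
    findings = []
    for m in manifests:
        owner = f'{m["kind"]}/{m["metadata"]["name"]}'
        for path, key, ref in iter_refs(m.get("spec", {})):
            if "external" in ref:
                continue  # resolved by the underlying API, nothing to check here
            stem = key[:-3].lower()  # heuristic: backendServiceRef -> backendservice
            ns = ref.get("namespace", m["metadata"]["namespace"])
            if not any(kind.endswith(stem) and n == ns and name == ref.get("name")
                       for kind, n, name in known):
                findings.append((owner, path, UNRESOLVED))
    return findings

# Constructed sample manifests mirroring the repro in this thread.
URLMAP = {"kind": "ComputeURLMap",
          "metadata": {"name": "test-urlmap", "namespace": "rnd-project"},
          "spec": {"location": "global", "defaultService": {
              "backendServiceRef": {"name": "test-backendservice"}}}}
BACKEND = {"kind": "ComputeBackendService",
           "metadata": {"name": "test-backendservice", "namespace": "rnd-project"},
           "spec": {"location": "global", "healthCheckRef": {"name": "test-healthcheck"}}}
HEALTHCHECK = {"kind": "ComputeHealthCheck",
               "metadata": {"name": "test-healthcheck", "namespace": "rnd-project"},
               "spec": {"location": "global"}}

if __name__ == "__main__":
    for finding in lint([URLMAP, HEALTHCHECK]):  # backend service made with gcloud
        print(finding)
```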
Do you have an estimated time @kibbles-n-bytes for when your docs will be up to date?
As of 1/23/2020 we added an "External references" section to our "Creating resource references" giving some guidance on its usage.
Since we have support for external references and some general documentation, I'm going to close this issue out for the time being. Feel free to open another issue on the per-resource documentation and guidelines if that's still something you're interested in tracking closely.
Hi @themanifold
We updated our docs for external references recently with information on how to use `external` for each resource. Hopefully these doc updates will make `external` easier to use.
Question: Does, or will, the config connector support the referencing of GCP resources that are not created within the config connector?
For example, creating a service account key within config connector off a service account that was created using gcloud.