GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0

Referencing GCP resources that are not created with the config connector #66

Closed themanifold closed 4 years ago

themanifold commented 4 years ago

Question: Does, or will, the config connector support referencing GCP resources that are not created within the config connector?

For example, creating a service account key within config connector off a service account that was created using gcloud.

xiaobaitusi commented 4 years ago

Yes, we are working on a feature supporting external references. The basic idea is to allow users to specify the identifier to some resources that are not managed by config connector, e.g. the selflink to a network or the email address for a service account.

spew commented 4 years ago

@themanifold we are adding support for this -- in addition, you can "acquire" a resource created outside of config connector by supplying the appropriate YAML.

themanifold commented 4 years ago

Hello @spew @xiaobaitusi thanks for getting back to me. I already tried binding a role to a bucket created outside of KCC, but didn't manage to figure it out. Can you show me a complete example?

klaraward commented 4 years ago

I've also run into the same issue when trying to work around #68:

I tried to first add the backend service with gcloud and then create the KCC resource after that; then I was able to create the URL map, but ran into the issue of #68 again.

spew commented 4 years ago

hi @themanifold and @klaraward

We are working on supporting referencing a resource that is not "in config connector". This should be available within a month's time.

However, in the meantime, you can "acquire" a resource created outside of KCC if you are able to provide a YAML matching the resource.

klaraward commented 4 years ago

@spew That yaml would be pretty much the same thing as the yaml I had to create it via KCC in the first place? I did manage that, but it did not solve the problem of #68 unfortunately.

themanifold commented 4 years ago

Hello @spew, can you provide a working example? I have tried what you suggested multiple times on different types of externally created resources to no avail.

spew commented 4 years ago

@themanifold what happens when you apply the YAML ? Does the resource 'change' or is it unable to be acquired?

spew commented 4 years ago

@klaraward yes, you are correct.

themanifold commented 4 years ago

@spew I'm not at work right now, but I'm pretty sure it says that it can't be acquired, or that it's waiting for it. I'll post a log message tomorrow if that will help.

spew commented 4 years ago

Yes, that would help!

klaraward commented 4 years ago

This is my use case (rnd-project is my GCP project):

  1. Create a KCC healthcheck with:

    apiVersion: compute.cnrm.cloud.google.com/v1alpha3
    kind: ComputeHealthCheck
    metadata:
      name: test-healthcheck
      namespace: rnd-project
    spec:
      checkIntervalSec: 10
      httpHealthCheck:
        port: 80
        requestPath: /healthz
      location: global

    This creates a healthcheck in GCP.

  2. Create a backend service with gcloud (because of #68):

    gcloud --project rnd-project compute backend-services create test-backendservice \
      --global \
      --health-checks test-healthcheck --load-balancing-scheme INTERNAL_SELF_MANAGED \
      --protocol=HTTP

    This creates a backend service in GCP.

  3. Create a URL map with:

    apiVersion: compute.cnrm.cloud.google.com/v1alpha3
    kind: ComputeURLMap
    metadata:
      name: test-urlmap
      namespace: rnd-project
    spec:
      location: global
      defaultService:
        backendServiceRef:
          name: test-backendservice

    This does not create a URL map in GCP, and the status of the k8s urlmap resource says:

    status:
      conditions:
      - lastTransitionTime: "2019-12-05T08:51:41Z"
        message: reference ComputeBackendService /test-backendservice is not ready
        reason: ReferenceIsNotReady
        status: "False"
        type: Ready

  4. Create a backend service KCC resource with:

    apiVersion: compute.cnrm.cloud.google.com/v1alpha3
    kind: ComputeBackendService
    metadata:
      name: test-backendservice
      namespace: rnd-project
    spec:
      healthCheckRef:
        name: test-healthcheck
      location: global
      loadBalancingScheme: INTERNAL_SELF_MANAGED

  5. Delete the k8s urlmap and create it again with the same command as in 3. Now the urlmap is actually created in GCP and linked to the backend service. The status of the k8s resource briefly says

    status:
      conditions:
      - lastTransitionTime: "2019-12-05T08:54:05Z"
        message: reference ComputeBackendService rnd-project/test-backendservice is not
          ready
        reason: ReferenceIsNotReady
        status: "False"
        type: Ready

    before changing to an up-to-date status.

Due to #68, this is not a useful end state for me though :)

themanifold commented 4 years ago

@spew this is basically the same error that I'm getting, but I'm trying to associate a node pool within KCC to a GKE cluster created externally to KCC.

spew commented 4 years ago

Thanks for the great repro case @klaraward we will be debugging this on our side in the coming weeks.

themanifold commented 4 years ago

I've noticed that you've introduced the external field since December 19th, but there are no examples to be found. Please can you provide some? @spew @xiaobaitusi

kibbles-n-bytes commented 4 years ago

Hey themanifold@, it's on a resource-by-resource basis what syntax the external field can support (that's why we try to standardize with native k8s referencing between Config Connector resources). However, for the URLMap example above, I believe the following should work:

    apiVersion: compute.cnrm.cloud.google.com/v1alpha3
    kind: ComputeURLMap
    metadata:
      name: test-urlmap
      namespace: rnd-project
    spec:
      location: global
      defaultService:
        backendServiceRef:
          external: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/test-backendservice

themanifold commented 4 years ago

@kibbles-n-bytes OK, thanks for that specific example.

Are there plans for documenting all the cases you support? I just thought there might be. It seems like you're saying that the pattern is something like:

    spec:
      ...
      <api-resource>Ref:
        external: <google_http_api_endpoint>

kibbles-n-bytes commented 4 years ago

Yeah, we plan to. Note that we have no particular format we accept as it's up to the underlying API whatever it accepts. Usually the selfLink (the HTTPS endpoint) is the standard, especially for referencing Compute resources. But cataloging these cases, or at least giving a recommendation per resource type, is definitely on our radar.
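The selfLink pattern discussed above (the URLMap example earlier in the thread and the "HTTPS endpoint is the standard" remark) lends itself to a pre-apply check. The following is an added example, not Config Connector's own code and not part of this thread: it parses a Compute v1 selfLink into project, scope, collection and name, then verifies that an `external` value points at the right collection for its ref field and at the expected project and location, so an unsubstituted `[PROJECT_ID]` placeholder, a ref aimed at the wrong resource type, or a cross-project reference is caught before the manifest is applied. The `REF_COLLECTIONS` mapping, the regional/zonal selfLink forms, the helper names and the sample manifest are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed mapping from a KCC *Ref field to the Compute API collection it must
# point at. backendServiceRef and healthCheckRef appear in the thread; the table
# itself is an assumption for this example, not Config Connector's own.
REF_COLLECTIONS: Dict[str, str] = {
    "backendServiceRef": "backendServices",
    "healthCheckRef": "healthChecks",
}

# Compute v1 selfLink layout as in the thread's example:
#   https://www.googleapis.com/compute/v1/projects/<project>/global/<collection>/<name>
# The regional/zonal variants (.../regions/<r>/... and .../zones/<z>/...) are assumed.
SELF_LINK_RE = re.compile(
    r"^https://www\.googleapis\.com/compute/v1/projects/"
    r"(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])/"
    r"(?:(?P<global>global)|(?:regions|zones)/(?P<location>[a-z0-9-]+))/"
    r"(?P<collection>[a-zA-Z]+)/"
    r"(?P<name>[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$"
)


@dataclass(frozen=True)
class ExternalRef:
    project: str
    location: str     # "global", or the region/zone name
    collection: str   # e.g. "backendServices"
    name: str


def parse_self_link(link: str) -> ExternalRef:
    """Split a Compute selfLink into its parts; raise ValueError if it is not one."""
    m = SELF_LINK_RE.match(link.strip())
    if m is None:
        raise ValueError(f"not a Compute v1 selfLink: {link!r}")
    return ExternalRef(
        project=m.group("project"),
        location=m.group("global") or m.group("location"),
        collection=m.group("collection"),
        name=m.group("name"),
    )


def check_external_ref(ref_field: str, link: str,
                       expected_project: str, expected_location: str) -> List[str]:
    """Return a list of problems; an empty list means the external value is acceptable."""
    try:
        ref = parse_self_link(link)
    except ValueError as exc:
        return [str(exc)]  # also catches an unsubstituted [PROJECT_ID] placeholder
    problems: List[str] = []
    wanted = REF_COLLECTIONS.get(ref_field)
    if wanted is None:
        problems.append(f"{ref_field}: no known Compute collection for this field")
    elif ref.collection != wanted:
        problems.append(f"{ref_field}: points at {ref.collection}, expected {wanted}")
    if ref.project != expected_project:
        problems.append(f"{ref_field}: project {ref.project!r} != expected {expected_project!r}")
    if ref.location != expected_location:
        problems.append(f"{ref_field}: location {ref.location!r} != expected {expected_location!r}")
    return problems


def find_external_refs(node) -> List[Tuple[str, str]]:
    """Walk a manifest (nested dicts/lists) and collect (refField, external) pairs."""
    found: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith("Ref") and isinstance(value, dict) and "external" in value:
                found.append((key, value["external"]))
            else:
                found.extend(find_external_refs(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_external_refs(item))
    return found


def check_manifest(manifest: dict, expected_project: str) -> List[str]:
    """Check every external reference in a KCC manifest against the spec's location."""
    location = manifest.get("spec", {}).get("location", "global")
    problems: List[str] = []
    for field, link in find_external_refs(manifest):
        problems.extend(check_external_ref(field, link, expected_project, location))
    return problems


# Constructed sample: the thread's URLMap with the project placeholder filled in.
URLMAP = {
    "apiVersion": "compute.cnrm.cloud.google.com/v1alpha3",
    "kind": "ComputeURLMap",
    "metadata": {"name": "test-urlmap", "namespace": "rnd-project"},
    "spec": {
        "location": "global",
        "defaultService": {
            "backendServiceRef": {
                "external": "https://www.googleapis.com/compute/v1/projects/rnd-project"
                            "/global/backendServices/test-backendservice"
            }
        },
    },
}

if __name__ == "__main__":
    print(check_manifest(URLMAP, "rnd-project"))  # [] when everything lines up
```

The expected project is passed in explicitly rather than read from the namespace, because which GCP project a namespace maps to is a deployment decision; the check is meant to run in CI before `kubectl apply`, where a reference that silently points at another project or the wrong collection is cheapest to catch.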

themanifold commented 4 years ago

Do you have an estimated time @kibbles-n-bytes for when your docs will be up to date?

kibbles-n-bytes commented 4 years ago

As of 1/23/2020 we added an "External references" section to our "Creating resource references" giving some guidance on its usage.

Since we have support for external references and some general documentation, I'm going to close this issue out for the time being. Feel free to open another issue on the per-resource documentation and guidelines if that's still something you're interested in tracking closely.

jcanseco commented 4 years ago

Hi @themanifold

We updated our docs for external references recently with information on how to use external for each resource. Hopefully these doc updates will make external easier to use.