crossplane-contrib / provider-upjet-gcp

GCP Provider for Crossplane.
https://marketplace.upbound.io/providers/upbound/provider-family-gcp/
Apache License 2.0

Cluster on container.gcp.upbound.io/v1beta1 set a "release channel" by default #324

Closed AaronME closed 7 months ago

AaronME commented 1 year ago

What happened?

Creating a Cluster without releaseChannel defaults to "REGULAR", causing an error on NodePool creation.

apiVersion: container.gcp.upbound.io/v1beta1
kind: Cluster
metadata:
  annotations:
    crossplane.io/external-create-pending: "2023-06-23T20:22:06Z"
    crossplane.io/external-create-succeeded: "2023-06-23T20:22:07Z"
    crossplane.io/external-name: test-cluster
    upjet.crossplane.io/provider-meta: '{"e2bfb730-ecaa-11e6-8f88-34363bc7c4c0":{"create":2400000000000,"delete":2400000000000,"read":2400000000000,"update":3600000000000},"schema_version":"1"}'
  creationTimestamp: "2023-06-23T20:20:10Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 3
  name: test-cluster
  resourceVersion: "5206"
  uid: a0515e85-14d2-4729-8869-b4edc569c65f
spec:
  deletionPolicy: Delete
  forProvider:
    addonsConfig:
    - networkPolicyConfig:
      - disabled: false
    binaryAuthorization:
    - {}
    clusterAutoscaling:
    - enabled: false
    databaseEncryption:
    - state: DECRYPTED
    defaultMaxPodsPerNode: 110
    defaultSnatStatus:
    - disabled: false
    enableIntranodeVisibility: false
    enableLegacyAbac: false
    initialNodeCount: 1
    ipAllocationPolicy:
    - clusterSecondaryRangeName: secondary-pods
      servicesSecondaryRangeName: secondary-services
    location: us-east1
    loggingConfig:
    - enableComponents:
      - SYSTEM_COMPONENTS
      - WORKLOADS
    loggingService: logging.googleapis.com/kubernetes
    masterAuth:
    - clientCertificateConfig:
      - issueClientCertificate: false
    masterAuthorizedNetworksConfig:
    - cidrBlocks:
      - cidrBlock: XXX.XXX.XXX.XXX/XX
        displayName: jump-test
    minMasterVersion: 1.27.2-gke.1200
    monitoringConfig:
    - enableComponents:
      - SYSTEM_COMPONENTS
      managedPrometheus:
      - enabled: true
    monitoringService: monitoring.googleapis.com/kubernetes
    network: XXXXXXXXXXXXXX
    networkPolicy:
    - enabled: true
      provider: CALICO
    networkRef:
      name: test
    networkingMode: VPC_NATIVE
    nodeLocations:
    - us-east1-a
    - us-east1-b
    - us-east1-c
    nodePoolDefaults:
    - nodeConfigDefaults:
      - loggingVariant: DEFAULT
    notificationConfig:
    - pubsub:
      - enabled: false
    privateClusterConfig:
    - enablePrivateEndpoint: true
      enablePrivateNodes: true
      masterGlobalAccessConfig:
      - enabled: true
      masterIpv4CidrBlock: XXX.XXX.XXX.XXX/XX
    project: XXXXXXXXXXXXXX
    releaseChannel:
    - channel: REGULAR
    removeDefaultNodePool: true
    serviceExternalIpsConfig:
    - enabled: false
    subnetwork: XXXXXXXXXXXXXX
    subnetworkRef:
      name: test
    verticalPodAutoscaling:
    - enabled: false
  managementPolicy: FullControl
  providerConfigRef:
    name: default
  writeConnectionSecretToRef:
    name: test-cluster
    namespace: default
status:
...

The docs indicate this field is not required, but do not mention that it will default to REGULAR if not supplied.

The introduction of this field results in this error when creating a nodepool with autoUpgrade set to false:

apply failed: error creating NodePool: googleapi: Error 400: Auto_upgrade must be true when release_channel REGULAR is set.

How can we reproduce it?

I applied the following MR:

apiVersion: container.gcp.upbound.io/v1beta1
kind: Cluster
metadata:
  name: test-cluster
spec:
  forProvider:
    addonsConfig:
    - networkPolicyConfig:
      - disabled: false
    clusterAutoscaling:
    - enabled: false
    databaseEncryption:
    - state: DECRYPTED
    defaultMaxPodsPerNode: 110
    enableIntranodeVisibility: false
    enableLegacyAbac: false
    initialNodeCount: 1
    ipAllocationPolicy:
    - clusterSecondaryRangeName: secondary-pods
      servicesSecondaryRangeName: secondary-services
    location: us-west1
    loggingService: logging.googleapis.com/kubernetes
    masterAuthorizedNetworksConfig:
    - cidrBlocks:
      - cidrBlock: XXX.XXX.XXX.XXX/XX
        displayName: jump-test
    minMasterVersion: 1.27.2-gke.1200
    monitoringService: monitoring.googleapis.com/kubernetes
    networkPolicy:
    - enabled: true
      provider: CALICO
    networkRef:
      name: test
    privateClusterConfig:
    - enablePrivateEndpoint: true
      enablePrivateNodes: true
      masterGlobalAccessConfig:
      - enabled: true
      masterIpv4CidrBlock: XXX.XXX.XXX.XXX/XX
    removeDefaultNodePool: true
    subnetworkRef:
      name: test
    verticalPodAutoscaling:
    - enabled: false
  providerConfigRef:
    name: default
  writeConnectionSecretToRef:
    name: test-cluster
    namespace: default

What environment did it happen in?
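The conflict above is a pairwise property of two manifests: a Cluster that ends up enrolled in a release channel (explicitly, or by the late-initialized REGULAR default reported here) and a NodePool that sets management.autoUpgrade to false. The following pre-apply check is an added example, not code from this issue or from provider-upjet-gcp. It assumes the manifests are already loaded into dicts (for instance with yaml.safe_load_all), that a Cluster without releaseChannel is treated as REGULAR (what this report observed after creation), that UNSPECIFIED is the channel value that leaves a cluster unenrolled, and that a NodePool without a management block has auto-upgrade enabled; the constructed manifests at the bottom are modelled on the reproduction in this thread, not copied from it.

```python
"""Pre-apply check for the GKE rule "auto_upgrade must be true when a
release_channel is set", evaluated across a set of Crossplane manifests.

Added example (not from the issue or the provider). Assumptions:
manifests are dicts from yaml.safe_load_all; a Cluster omitting
releaseChannel behaves as REGULAR (as observed in this issue); UNSPECIFIED
is the opt-out value; a NodePool omitting management.autoUpgrade has
auto-upgrade enabled.
"""
from typing import List, Optional

OBSERVED_DEFAULT_CHANNEL = "REGULAR"  # late-initialized value seen in the issue
NO_CHANNEL = "UNSPECIFIED"            # assumed opt-out value (not enrolled)


def _block(parent: dict, key: str) -> dict:
    """Upjet renders nested Terraform blocks as one-element lists
    (e.g. releaseChannel: [{channel: REGULAR}]); return the inner dict."""
    value = parent.get(key)
    if isinstance(value, list):
        return value[0] if value else {}
    return value or {}


def effective_channel(cluster: dict) -> str:
    rc = _block(cluster["spec"]["forProvider"], "releaseChannel")
    return rc.get("channel", OBSERVED_DEFAULT_CHANNEL)


def effective_auto_upgrade(nodepool: dict) -> bool:
    mgmt = _block(nodepool["spec"]["forProvider"], "management")
    return bool(mgmt.get("autoUpgrade", True))  # assumed default: enabled


def resolve_cluster(nodepool: dict, clusters: List[dict]) -> Optional[dict]:
    """Follow clusterRef.name or clusterSelector.matchLabels to a Cluster."""
    fp = nodepool["spec"]["forProvider"]
    ref_name = fp.get("clusterRef", {}).get("name")
    selector = fp.get("clusterSelector", {}).get("matchLabels", {})
    for c in clusters:
        meta = c.get("metadata", {})
        if ref_name and meta.get("name") == ref_name:
            return c
        labels = meta.get("labels", {})
        if selector and all(labels.get(k) == v for k, v in selector.items()):
            return c
    return None


def find_conflicts(manifests: List[dict]) -> List[str]:
    """One message per NodePool that GKE would reject with
    'Auto_upgrade must be true when release_channel ... is set'."""
    clusters = [m for m in manifests if m.get("kind") == "Cluster"]
    pools = [m for m in manifests if m.get("kind") == "NodePool"]
    problems: List[str] = []
    for pool in pools:
        name = pool["metadata"]["name"]
        cluster = resolve_cluster(pool, clusters)
        if cluster is None:
            problems.append(f"NodePool {name}: no matching Cluster in this manifest set")
            continue
        channel = effective_channel(cluster)
        explicit = "releaseChannel" in cluster["spec"]["forProvider"]
        if channel != NO_CHANNEL and not effective_auto_upgrade(pool):
            problems.append(
                f"NodePool {name}: autoUpgrade=false but Cluster "
                f"{cluster['metadata']['name']} is on channel {channel} "
                f"({'explicit' if explicit else 'defaulted after create'}); "
                f"either set autoUpgrade: true or channel: {NO_CHANNEL}"
            )
    return problems


# Constructed manifests modelled on the reproduction in this issue.
LABELS = {"testing.upbound.io/example-name": "nodepool"}


def cluster_manifest(release_channel: Optional[str] = None) -> dict:
    fp = {"initialNodeCount": 1, "location": "us-central1-a", "removeDefaultNodePool": True}
    if release_channel is not None:
        fp["releaseChannel"] = [{"channel": release_channel}]
    return {"apiVersion": "container.gcp.upbound.io/v1beta1", "kind": "Cluster",
            "metadata": {"name": "nodepool", "labels": LABELS},
            "spec": {"forProvider": fp}}


def nodepool_manifest(auto_upgrade: bool) -> dict:
    return {"apiVersion": "container.gcp.upbound.io/v1beta1", "kind": "NodePool",
            "metadata": {"name": "nodepool"},
            "spec": {"forProvider": {"clusterSelector": {"matchLabels": dict(LABELS)},
                                     "nodeCount": 1,
                                     "management": [{"autoUpgrade": auto_upgrade}]}}}


AS_REPORTED = [cluster_manifest(), nodepool_manifest(auto_upgrade=False)]
FIX_KEEP_CHANNEL = [cluster_manifest(), nodepool_manifest(auto_upgrade=True)]
FIX_OPT_OUT = [cluster_manifest("UNSPECIFIED"), nodepool_manifest(auto_upgrade=False)]

if __name__ == "__main__":
    for label, manifests in [("as reported", AS_REPORTED),
                             ("autoUpgrade true", FIX_KEEP_CHANNEL),
                             ("channel UNSPECIFIED", FIX_OPT_OUT)]:
        print(label, "->", find_conflicts(manifests) or "ok")
```

Of the two ways to clear the check, keeping the channel and setting autoUpgrade to true is the one that keeps node patching in GKE's hands; opting out with UNSPECIFIED satisfies the API but leaves node version pinning, and therefore node OS and kubelet patching, entirely to you. The check deliberately treats a missing releaseChannel as REGULAR rather than as "unset", because that is the state this issue shows the provider arriving at after the cluster is created.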

turkenf commented 1 year ago

Hi @AaronME,

Thank you for raising this issue. The issue can be reproduced with the following example:

apiVersion: container.gcp.upbound.io/v1beta1
kind: NodePool
metadata:
  annotations:
    meta.upbound.io/example-id: container/v1beta1/nodepool
  labels:
    testing.upbound.io/example-name: nodepool
  name: nodepool
spec:
  forProvider:
    clusterSelector:
      matchLabels:
        testing.upbound.io/example-name: nodepool
    nodeConfig:
    - machineType: e2-medium
      oauthScopes:
      - https://www.googleapis.com/auth/cloud-platform
      preemptible: true
      serviceAccountSelector:
        matchLabels:
          testing.upbound.io/example-name: nodepool
    nodeCount: 1
    management:
    - autoUpgrade: false
---
apiVersion: container.gcp.upbound.io/v1beta1
kind: Cluster
metadata:
  annotations:
    meta.upbound.io/example-id: container/v1beta1/cluster
  labels:
    testing.upbound.io/example-name: nodepool
  name: nodepool
spec:
  forProvider:
    initialNodeCount: 1
    location: us-central1-a
    removeDefaultNodePool: true
---
apiVersion: cloudplatform.gcp.upbound.io/v1beta1
kind: ServiceAccount
metadata:
  annotations:
    meta.upbound.io/example-id: container/v1beta1/nodepool
  labels:
    testing.upbound.io/example-name: nodepool
  name: nodepool
spec:
  forProvider:
    displayName: Service Account for GKE Cluster

Got the same error:

  - lastTransitionTime: "2023-07-06T12:13:01Z"
    message: "apply failed: error creating NodePool: googleapi: Error 400: Auto_upgrade
      must be true when release_channel REGULAR is set.\nDetails:\n[\n  {\n    \"@type\":
      \"type.googleapis.com/google.rpc.RequestInfo\",\n    \"requestId\": \"0x7c951e9de63b1dba\"\n
      \ }\n]\n, badRequest: "
AaronME commented 1 year ago

@turkenf We are seeing several other late-initialized fields which are preventing successful observe:

cannot run refresh: refresh failed: Missing required argument: The argument "disabled" is required, but no definition was found.  
cannot run refresh: refresh failed: Missing required argument: The argument "issue_client_certificate" is required, but no definition was found.
cannot run refresh: refresh failed: Missing required argument: The argument "enabled" is required, but no definition was found.
...

Just one example: the block masterAuth is being late-initialized, but it does not contain the required field issue_client_certificate. I suspect this is caused by the same mechanism which is setting the releaseChannel.

turkenf commented 1 year ago

@AaronME Which version are you using? It looks similar to this issue. It should have been resolved in v0.36.0.

AaronME commented 1 year ago

Working on 0.35.1. Will update.

roldyxoriginal commented 7 months ago

Hello everyone, is there any news about this issue? I am experiencing the same problem with:

provider-gcp-container True True xpkg.upbound.io/upbound/provider-gcp-container:v0.41.0

Error 400: Auto_upgrade must be true when release_channel STABLE is set.

Thank you.

turkenf commented 7 months ago

Hi @roldyxoriginal,

I am closing this issue for now, please upgrade your provider to the latest version and open a new issue from here if the issue recurs.

Thank you!