Closed dinvlad closed 1 year ago
@dinvlad Thanks for the report and sorry for the delay.
Did you notice this `gkeMemberships` in the URI as a response from the `gkehub` API or within the kubeconfig generated via `gcloud container fleet memberships get-credentials`? From your snippet for `k config view | head -4` it seemed like it was still using the `https://connectgateway.googleapis.com/.../memberships/<MEMBERSHIP>` format. I tried a repro and this is what my kubeconfig also looked like.
I did look at the blog post and some other docs, from which it seemed like both `gkeMemberships` and `memberships` are supported. The distinction per docs seemed to be based on the way you register the cluster. I will try following up with the service owner for clarity and next steps.
TL;DR
Some recent clusters and/or Connect Gateway API seem to be using a slightly different format for their endpoint:
(note `gkeMemberships` here instead of just `memberships`).
Connections using the older format don't seem to work, and I'd like to add support for that.
Detailed design
My proposed design for backwards compatibility is to just allow both formats with a non-capturing group in the `membershipResourceNamePattern` regex:
Alternatively, if the new format is the new "default" for the Connect Gateway API, we should adjust the action to use only that instead of `memberships` (but I'm curious to hear your thoughts, since I don't have an inside view).
The current regex makes it impossible to override the new endpoints using `fleet_membership_name`. And when the old format is used, the connection just hangs for a little and then returns `the server doesn't have a resource type <X>` for any request when using this Action.
I've tested this locally with the same Workload Identity Service Account, and only the endpoint with `gkeMemberships` works:
When using `gcloud container fleet memberships get-credentials` locally, it also stores the URL in the new format (which is how I was able to discover it) - e.g.
Curiously, the fleet membership API also returns the URL in the old format, so I'm not sure how `gcloud` is able to infer `gkeMemberships` from that (but assuming there's some business logic for that):
Additional information
I've only found reference to `gkeMemberships` in a very recent Google Cloud blog post, so I'm assuming this change is quite new, but it seems to be breaking. It appears not to be a public API yet, hence such changes are expected, but the Action needs to be adjusted as well.
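
The non-capturing-group approach proposed in the issue, as an added TypeScript example that is not part of the original thread or the Action's source. The function name, the per-segment character allowlist and the sample resource names are assumptions constructed for illustration; the point is that accepting a second collection name does not have to loosen validation of the value before it is used to build an endpoint.

```typescript
// Hypothetical names throughout: this is not the Action's own source.
// SEGMENT is an assumed conservative allowlist, not Google's naming rule;
// it excludes "/", "?", "#" and whitespace and cannot match "." or "..".
const SEGMENT = "[A-Za-z0-9][A-Za-z0-9._:-]*";

// (?:gkeMemberships|memberships) accepts both collection names without
// adding a capture group, so the existing group indices stay 1..3.
const membershipPattern = new RegExp(
  `^projects/(${SEGMENT})/locations/(${SEGMENT})` +
    `/(?:gkeMemberships|memberships)/(${SEGMENT})$`,
);

interface MembershipName {
  project: string;
  location: string;
  membership: string;
}

// Returns the parsed parts, or null when the name does not match exactly.
function parseMembershipName(name: string): MembershipName | null {
  const m = membershipPattern.exec(name);
  if (m === null) return null;
  const [, project = "", location = "", membership = ""] = m;
  return { project, location, membership };
}

// Constructed sample inputs: two valid names, then three that must fail.
const samples: string[] = [
  "projects/123456/locations/global/memberships/demo-cluster",
  "projects/123456/locations/us-central1/gkeMemberships/demo-cluster",
  "projects/123456/locations/global/otherMemberships/demo-cluster",
  "projects/123456/locations/global/memberships/demo/../../x",
  "projects/123456/locations/global/gkeMemberships/demo?x=1",
];

for (const s of samples) {
  console.log(parseMembershipName(s) ? "accept" : "reject", s);
}
```
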