
SecretManagerSecret uses namespace as gcp project id unless annotation cnrm.cloud.google.com/project-id is set #1734

Open
Isakdl opened this issue May 8, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@Isakdl

Isakdl commented May 8, 2024

Bug Description

The documented YAML specification does not work out of the box for SecretManagerSecret, seen here: https://cloud.google.com/config-connector/docs/reference/resource-docs/secretmanager/secretmanagersecret

Config Connector is calling the API with the project ID taken from the namespace field of the YAML file, instead of the actual GCP project ID.

If the namespace field is left empty it takes the default namespace (default).

However, if I add the annotation cnrm.cloud.google.com/project-id and set it to my project ID, the correct endpoint is called and my resource is created. As of now this field seems to be required for this resource to work; either there is information missing in the documentation or this is a bug in the implementation.

Additional Diagnostic Information

none

Kubernetes Cluster Version

1.29

Config Connector Version

1.115.0

Config Connector Mode

cluster mode

Log Output

"Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing SecretManagerSecret "projects/my-namespace/secrets/secret-name": googleapi: Error 403: Permission denied on resource project default.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developers console",
        "url": "https://console.developers.google.com"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/my-namespace",
      "service": "secretmanager.googleapis.com"
    },
    "reason": "CONSUMER_INVALID"
  }
]"

Steps to reproduce the issue

Apply the YAML file in the cluster without adding the annotation cnrm.cloud.google.com/project-id.

YAML snippets

apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecret
metadata:
  name: secret-name
  namespace: my-namespace
  labels:
    replication-type: automatic
spec:
  replication:
    automatic: true
@Isakdl Isakdl added the bug Something isn't working label May 8, 2024
@diviner524 (Collaborator) commented

Unfortunately Config Connector needs to maintain this behavior for backward compatibility, as noted here:

https://cloud.google.com/config-connector/docs/how-to/organizing-resources/project-scoped-resources#using_the_namespace_name_as_the_project_id
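The behaviour described in this thread (resource annotation, then namespace annotation, then the namespace name as the project ID) can be checked before a manifest is applied, so that a resource silently targeting a project named after its namespace is caught instead of surfacing as a 403 / CONSUMER_INVALID at reconcile time. The following is an added example, not code from this issue or from Config Connector; it assumes the precedence order above and reads objects in the shape `kubectl get ... -o json` produces, with the sample inputs constructed inline.

```python
import json

PROJECT_ANNOTATION = "cnrm.cloud.google.com/project-id"

# Constructed samples mirroring `kubectl get namespace my-namespace -o json`
# and `kubectl get secretmanagersecret -n my-namespace -o json`.
SAMPLE_NAMESPACE = json.loads('{"metadata": {"name": "my-namespace", "annotations": {}}}')
SAMPLE_LIST = json.loads("""{"items": [
  {"kind": "SecretManagerSecret",
   "metadata": {"name": "secret-name", "namespace": "my-namespace",
                "annotations": {}}},
  {"kind": "SecretManagerSecret",
   "metadata": {"name": "annotated-secret", "namespace": "my-namespace",
                "annotations": {"cnrm.cloud.google.com/project-id": "real-project-123"}}}
]}""")


def resolve_project(resource, namespace_obj):
    """Return (project_id, source) in the order Config Connector applies:
    resource annotation, then namespace annotation, then the namespace name.
    An unset namespace falls back to "default", as the report observes."""
    res_ann = resource.get("metadata", {}).get("annotations") or {}
    if PROJECT_ANNOTATION in res_ann:
        return res_ann[PROJECT_ANNOTATION], "resource-annotation"
    ns_ann = namespace_obj.get("metadata", {}).get("annotations") or {}
    if PROJECT_ANNOTATION in ns_ann:
        return ns_ann[PROJECT_ANNOTATION], "namespace-annotation"
    ns_name = resource.get("metadata", {}).get("namespace") or "default"
    return ns_name, "namespace-name"


def find_fallbacks(resource_list, namespace_obj):
    """List (kind, name, project) for resources whose project ID is only
    the namespace name, i.e. the case that produced the 403 in this issue."""
    findings = []
    for item in resource_list.get("items", []):
        project, source = resolve_project(item, namespace_obj)
        if source == "namespace-name":
            findings.append((item["kind"], item["metadata"]["name"], project))
    return findings


if __name__ == "__main__":
    for kind, name, project in find_fallbacks(SAMPLE_LIST, SAMPLE_NAMESPACE):
        print(f"{kind}/{name}: API calls will target projects/{project} "
              f"(namespace name; no {PROJECT_ANNOTATION} annotation)")
```

When run against a whole cluster (`-A`), pass each resource the Namespace object it actually lives in rather than a single shared one.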
