SecretManagerSecret automatic replication no longer working

[sthomson-wyn]

Checklist

• I did not find a related open issue.
• I did not find a solution in the troubleshooting guide: (https://cloud.google.com/config-connector/docs/troubleshooting)
• If this issue is time-sensitive, I have submitted a corresponding issue with GCP support.

Bug Description

A SecretManagerSecret resource with .spec.replication.auto = {} yields

Update call failed: cannot make changes to immutable field(s): [Field Name: replication.0.auto.#, Got: 0, Wanted: 1];

Additional Diagnostic Information

Unclear if this happens on a brand new resource, but this is happening for an existing resource

Kubernetes Cluster Version

v1.27.4-gke.900

Config Connector Version

1.112.0

Config Connector Mode

cluster mode

Log Output

No response

Steps to reproduce the issue

Create yaml below, for an existing secret in GSM

YAML snippets

apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecret
metadata:
  name: my-secret
  labels:
    dev-access : "false"
spec:
  resourceID: my_secret
  replication:
    auto: {}

[diviner524]

Have you tried removing the whole replication section and see if the resource can be acquired successfully?

automatic is a deprecated field and it might have been converted to auto in the underlying TF provider.

[sthomson-wyn]

Sorry, I meant to include the new non-deprecated field "auto" rather than "automatic". yaml update to reflect.

[diviner524]

@sthomson-wyn Are you able to determine the actual configurations of the existing resource? For example does the existing resource have replication.userManaged configured instead of replication.auto?

[sthomson-wyn]

gcloud secrets describe projects/<id>/secrets/my_secret

yielded

createTime: '2020-07-17T17:41:50.468650Z'
etag: '""'
labels:
  label: 'value'
name: projects/<id>/secrets/my_secret
replication:
  automatic: {}

[WTPascoe]

I have the same issue when attempting to create a new SecretManagerSecret using the following YAML

apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecret
metadata:
  name: my-secret
  namespace: backend
  annotations:
    cnrm.cloud.google.com/project-id: my_gcp_project_id
spec:
  replication:
    auto:
      customerManagedEncryption:
      kmsKeyRef:
        external: projects/my_gcp_project_id/locations/global/keyRings/my_keyring/cryptoKeys/my_key

Attempting to apply fails with Error from server (BadRequest): error when creating "secret.yaml": SecretManagerSecret in version "v1beta1" cannot be handled as a SecretManagerSecret: strict decoding error: unknown field "spec.replication.auto"

The SecretManagerSecret docs states that replication.auto.customerManagedEncryption should be valid.

I can repro this on a new cluster built on Friday last week using a cnrm image gcr.io/gke-release/cnrm/controller:fc8237b