replication.auto unknown field - means that we cannot create SecretManagerSecret with auto replication and customer managed encryption key #1124

Open
3 tasks done
WTPascoe opened this issue Jan 15, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@WTPascoe

Bug Description

Attempting to apply a SecretManagerSecret yaml definition with replication.auto.customerManagedEncryption fails with the following error:

Error from server (BadRequest): error when creating "secret.yaml": SecretManagerSecret in version "v1beta1" cannot be handled as a SecretManagerSecret: strict decoding error: unknown field "spec.replication.auto"

The SecretManagerSecret docs imply that this is the correct setting.

[Screenshot of the SecretManagerSecret reference docs, taken 2024-01-15]

Additional Diagnostic Information

This looks similar to #1081 but the conversation there implies that this is likely related to the terraform component. I believe that my issue is different because the resource cannot be created in EKS at all.

Creating SecretManagerSecret with replication set to userManaged allows us to set CMEK values as expected.

I've replicated this on an existing cluster and a new cluster created on Friday 12 January.

Kubernetes Cluster Version

Server Version: v1.28.4-gke.1083000

Config Connector Version

1.102.0

Config Connector Mode

cluster mode

Log Output

No response

Steps to reproduce the issue

  1. Create a KMS keyring - choose 'Multi-region' and select 'global' as the multi-region value
  2. Create a software key in the keyring
  3. Attempt to create a SecretManagerSecret resource using the YAML snippet below

YAML snippets

```yaml
apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecret
metadata:
  name: my-secret
  namespace: backend
  annotations:
    cnrm.cloud.google.com/project-id: my_gcp_project_id
spec:
  replication:
    auto:
      # kmsKeyRef belongs under customerManagedEncryption
      # (spec.replication.auto.customerManagedEncryption.kmsKeyRef in the CRD),
      # so it is indented beneath it here.
      customerManagedEncryption:
        kmsKeyRef:
          external: projects/my_gcp_project_id/locations/global/keyRings/my_keyring/cryptoKeys/my_key
```
WTPascoe added the "bug: Something isn't working" label on Jan 15, 2024
WTPascoe changed the title on Jan 15, 2024 (correcting "ew" to "we" in the original title)
@diviner524
Collaborator

The reference document [1] is based on the latest version of Config Connector.

spec.replication.auto is not supported in 1.102.0. [2]. Could you install the latest version and see if it works?

[1] https://cloud.google.com/config-connector/docs/reference/overview

[2] https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/v1.102.0/crds/secretmanager_v1beta1_secretmanagersecret.yaml
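
Added illustration, not code from the Config Connector project, of the mechanism behind the error quoted in the report and the reply above: with server-side field validation, the API server compares every key in a manifest against the installed CRD's openAPIV3Schema and rejects anything undeclared, so a manifest that matches the current reference docs fails against an older CRD. The script below runs that comparison offline against two constructed schema fragments standing in for the older and newer SecretManagerSecret CRDs (approximations written for this example, not the real CRD files). It also checks a constructed mis-indented variant in which kmsKeyRef is placed beside customerManagedEncryption instead of under it, which even a newer CRD rejects, as spec.replication.auto.kmsKeyRef.

```python
"""Preflight a manifest against a CRD's openAPIV3Schema the way the API
server's strict field validation does, reporting every field the installed
schema does not declare.

Added example, not code from the k8s-config-connector project. The schema
fragments below are CONSTRUCTED stand-ins for the replication part of the
SecretManagerSecret CRD: OLD_SCHEMA declares only 'automatic' and
'userManaged' (matching the 1.102.0 behaviour in the issue); NEW_SCHEMA also
declares the 'auto' block that carries customerManagedEncryption.
"""
from typing import Any, Dict, List


def obj(**props: Dict[str, Any]) -> Dict[str, Any]:
    """Shorthand for an OpenAPI object schema with the given properties."""
    return {"type": "object", "properties": props}


STRING = {"type": "string"}
# Kubernetes validates metadata separately; modelled here as "accept anything".
ANY_OBJECT = {"type": "object", "x-kubernetes-preserve-unknown-fields": True}
KMS_REF = obj(external=STRING, name=STRING, namespace=STRING)
CMEK = obj(kmsKeyRef=KMS_REF)
USER_MANAGED = obj(replicas={"type": "array",
                             "items": obj(location=STRING, customerManagedEncryption=CMEK)})

# Constructed: older CRD, no 'auto' branch at all.
OLD_SCHEMA = obj(apiVersion=STRING, kind=STRING, metadata=ANY_OBJECT,
                 spec=obj(replication=obj(automatic={"type": "boolean"},
                                          userManaged=USER_MANAGED)))
# Constructed: newer CRD, 'auto' added with a CMEK reference beneath it.
NEW_SCHEMA = obj(apiVersion=STRING, kind=STRING, metadata=ANY_OBJECT,
                 spec=obj(replication=obj(automatic={"type": "boolean"},
                                          auto=obj(customerManagedEncryption=CMEK),
                                          userManaged=USER_MANAGED)))


def unknown_fields(value: Any, schema: Dict[str, Any], path: str = "") -> List[str]:
    """Return dotted paths in value that schema does not declare.

    Like the API server, stop at the first undeclared key on a branch rather
    than descending into it, and accept anything under a node flagged
    x-kubernetes-preserve-unknown-fields or additionalProperties.
    """
    if schema.get("x-kubernetes-preserve-unknown-fields"):
        return []
    found: List[str] = []
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if key in props:
                found += unknown_fields(child, props[key], child_path)
            elif not schema.get("additionalProperties"):
                found.append(child_path)
    elif isinstance(value, list):
        items = schema.get("items", {})
        for i, child in enumerate(value):
            found += unknown_fields(child, items, f"{path}[{i}]")
    return found


def strict_decode_errors(manifest: Dict[str, Any], schema: Dict[str, Any]) -> List[str]:
    """Render findings in the wording kubectl relays from the API server."""
    return [f'strict decoding error: unknown field "{p}"'
            for p in unknown_fields(manifest, schema)]


PROJECT = "my_gcp_project_id"  # placeholder from the issue, not a real project
KEY = f"projects/{PROJECT}/locations/global/keyRings/my_keyring/cryptoKeys/my_key"


def manifest(replication: Dict[str, Any]) -> Dict[str, Any]:
    """The issue's SecretManagerSecret with a chosen spec.replication."""
    return {"apiVersion": "secretmanager.cnrm.cloud.google.com/v1beta1",
            "kind": "SecretManagerSecret",
            "metadata": {"name": "my-secret", "namespace": "backend",
                         "annotations": {"cnrm.cloud.google.com/project-id": PROJECT}},
            "spec": {"replication": replication}}


# Auto replication with CMEK, nested as the newer CRD declares it.
AUTO_CMEK = manifest({"auto": {"customerManagedEncryption": {"kmsKeyRef": {"external": KEY}}}})
# Constructed slip: kmsKeyRef indented beside customerManagedEncryption, not under it.
MISINDENTED = manifest({"auto": {"customerManagedEncryption": None,
                                 "kmsKeyRef": {"external": KEY}}})
# Constructed user-managed variant; the checker looks at field names only and
# does not judge whether the key's location suits the replica.
USER_MANAGED_CMEK = manifest({"userManaged": {"replicas": [
    {"location": "us-central1", "customerManagedEncryption": {"kmsKeyRef": {"external": KEY}}}]}})

if __name__ == "__main__":
    for label, m in (("auto+CMEK", AUTO_CMEK), ("mis-indented", MISINDENTED),
                     ("userManaged+CMEK", USER_MANAGED_CMEK)):
        for crd, s in (("old CRD", OLD_SCHEMA), ("new CRD", NEW_SCHEMA)):
            print(f"{label} against {crd}: {strict_decode_errors(m, s) or 'accepted'}")
```

In a live cluster the same two checks are `kubectl explain secretmanagersecret.spec.replication`, which lists only the branches the installed CRD declares, and `kubectl apply --dry-run=server -f secret.yaml`, which surfaces the strict decoding error without creating the resource. The installed Config Connector version itself is recorded as an annotation on the cnrm-system namespace and can be read with `kubectl get ns cnrm-system -o jsonpath='{.metadata.annotations.cnrm\.cloud\.google\.com/version}'`.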

@WTPascoe
Author

Could you install the latest version and see if it works?

I'll need a little time to work out how to do that. We deploy clusters using the Terraform module terraform-google-modules/kubernetes-engine/google//modules/safer-cluster-update-variant (version 29.0.0), and I don't see anything in those docs about specifying a config_connector version.

I'll update after I work that out, but any tips would be appreciated thanks.

@diviner524
Collaborator

Are you able to share the terraform config snippet related to Config Connector?

It is likely you are installing config connector in a GKE cluster through GKE Add-on. If that's the case, you may need to switch to a different installation method to get a more recent version of Config Connector.

https://cloud.google.com/config-connector/docs/concepts/installation-types

@WTPascoe
Author

WTPascoe commented Jan 16, 2024

Switching to a manually managed later version resolves this issue, but poses some troubling questions about managing this in GKE.

It looks like the Config Connector version is tightly coupled to the GKE version according to https://cloud.google.com/config-connector/docs/how-to/install-manually#switch-add-on and there is no way to upgrade without uninstalling first.

When installed as an add-on, the version of Config Connector is directly tied to the GKE version that is installed.

It also says

The version of Config Connector installed through Config Connector add-on can be significantly behind by up to 12 months if you are not always using the latest GKE minor version.

However, in a cluster running 1.28.4-gke.1083000, which is the current latest version available on the rapid channel, we still only see Config Connector version 1.102.0. This is quite a lag between the documentation and what's being actively deployed. We would prefer to avoid the overhead of having to manage this separately from the rest of our GKE cluster.

Is there a way to find the release schedule for this and which GKE versions will bring new Config Connector versions?
