• Special shout-outs to acpana@, anhdle-sso@, cheftako@, gemmahou@, googlyrahman@, jingyih@, justinsb@, maqiuyujoyce@, SotaSato-stst@, xiaoweim@, yuwenma@ for their contributions to this release.

Reconciliation Improvements

• SpannerInstance
  • You can opt-in the direct controller by adding the
    alpha.cnrm.cloud.google.com/reconciler: direct annotation to the
    SpannerInstance resource.
  • Direct controller is opt-in if using the following fields:
    • spec.labels
    • spec.defaultBackupScheduleType
    • spec.edition
    • spec.autoscalingConfig

• Special shout-outs to acpana@, anhdle-sso@, barney-s@, cheftako@, djyau@, fqbright@, gemmahou@, googlyrahman@, jingyih@, justinsb@, maqiuyujoyce@, xiaoweim@, yuwenma@ for their contributions to this release.

New Beta Resources (Direct Reconciler):

• SpeechCustomClass
• SpeechPhraseSet
• SpeechRecognizer
• VertexAINotebooksInstance
• VertexAIMetadataStore

New Alpha Resources (Direct Reconciler):

• OrgPolicyPolicy
• OrgPolicyCustomConstraint
• SpeechRecognizer
• StorageAnywhereCache

New Fields:

• SpannerInstance
  For opt-in direct controller,
  • Added spec.labels field.
  • Added spec.defaultBackupScheduleType field.
• SecretManagerSecret
  For opt-in direct controller,
  • Added spec.labels field.

New features:

• Storage Bucket
  • Removed immutability constraint on spec.location and spec.customPlacementConfig.dataLocations fields. Follow the guide to relocate the bucket.

Reconciliation Improvements:

• BigtableAppProfile
  • You can opt-in the direct controller by adding the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the BigtableAppProfile resource.
  • Added support for spec.dataBoostIsolationReadOnly field for resources reconciled by the direct controller.
• CloudIdentityGroup
  and
  CloudIdentityMembership
  • You can opt-in the direct controller by adding the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the CloudIdentityGroup and CloudIdentityMembership resources.
  • With direct reconciliation, creating new resources will no longer write back the service-generated ID to spec.resourceID. To acquire a resource, you can find its resourceID from the last part of status.externalRef field, or via gcloud command or Cloud Console. The spec.resourceID field is used for acquisition only, leave the field unset when creating a new resource.

• Special shout-outs to iq@, 600lyy@, acpana@, anhdle-sso@, cheftako@, gemmahou@, jingyih@, justinsb@, maqiuyujoyce@, xiaoweim@ for their contributions to this release.

New Beta Resources (Direct Reconciler):

• IAPSettings

New Alpha Resources (Direct Reconciler):

• ComputeNetworkAttachment
• ComputeNetworkEdgeSecurityService
• DataplexEntryGroup
• DataplexEntryType
• DataplexTask
• DataplexZone
• DatastreamRoute
• DocumentAIVersion
• GKEBackupBackup
• GKEBackupRestore
• PubSubSnapshot
• SpeechCustomClass
• VMwareEngineExternalAddress
• MetastoreService
• MetastoreFederation
• MetastoreBackup
• APIQuotaPreference
• APIQuotaAdjusterSettings
• EventarcGoogleChannelConfig
• EventarcChannel
• AssetSavedQuery
• AssetFeed
• EssentialContactsContact
• DataCatalogEntryGroup
• DataCatalogEntry
• DataCatalogTagTemplate
• DataCatalogTag

Bug Fixes:

• Fixed excessive compute.firewallPolicies.patchRule Logs triggered by Config Connector direct reconciliation.

• Special shout-outs to acpana@, anhdle-sso@, barney-s@, cheftako@, ericpang777@, gemmahou@, jasonvigil@, jingyih@, justinsb@, maqiuyujoyce@, renovate-bot@, xiaoweim@, yufan-su@, yuwenma@ for their contributions to this release.

New Beta Resources (Direct Reconciler):

• ApigeeEndpointAttachment

• ApigeeEnvgroupAttachment

• ApigeeInstanceAttachment

• ManagedKafkaTopic

• SecureSourceManagerInstance

• SecureSourceManagerRepository

New Alpha Resources (Direct Reconciler):

• ApphubApplication
• BackupDRManagementServer
• BackupDRBackupVault
• BackupDRBackupPlan
• BackupDRBackupPlanAssociation
• BatchJob
• BigLakeTable
• BigQueryReservation
• CodeDeployDeliveryPipeline
• DataplexLake
• DatastreamPrivateConnection
• DatastreamConnectionProfile
• DocumentAIProcessor
• GKEBackupBackupPlan
• GKEBackupRestorePlan
• NetAppBackupPolicy
• NotebooksEnvironment
• SpannerInstanceConfig
• VertexAIFeaturestore
• VMwareEnginePrivateCloud
• VMwareEngineNetwork
• VMwareEngineNetworkPeering
• VMwareEngineNetworkPolicy
• WorkflowExecution

New Fields

• GKEHubFeatureMembership

  • Added spec.configmanagement.configSync.stopSyncing field since 1.129.

• SpannerInstance.

  • Added spec.defaultBackupScheduleType field.
  • Added spec.labels field

Reconciliation Improvements

We have added support for direct reconciliation to more resources, with opt-in behaviour. The API is backward compatible. To use the direct reconciler, add the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object. The following resources now have direct reconciliation support (and we list some of the issues that this fixes):

• SpannerInstance
  • You can use spec.edition field to optimize your enterprise edition type
  • You can use spec.autoscalingConfig to automate the scaling instead of manually configure spec.processingUnit or spec. numNodes.
  • You can use the defaultBackupScheduleType now.
  • Behavior Change If you use the SpannerInstance Kubernetes metadata.labels to configure your GCP labels, please change them to use the spec.labels field instead. See #4274

• Special shout-outs to acpana@, anhdle-sso@, barney-s@, cheftako@, ericpang777@, gemmahou@, jasonvigil@, jingyih@, justinsb@, maqiuyujoyce@, xiaoweim@, yuwenma@ for their contributions to this release.

WARNING: Do NOT install v1.129 if you are managing any pure direct resources (see #3830 for more context). Here is the list of the pure direct resources in v1.129:

• BigQueryAnalyticsHubDataExchange
• BigQueryAnalyticsHubListing
• BigQueryConnectionConnection
• BigQueryDataTransferConfig
• CloudBuildWorkerPool
• DataformRepository
• FirestoreDatabase
• KMSAutokeyConfig
• KMSKeyHandle
• NetworkConnectivityServiceConnectionPolicy
• PrivilegedAccessManagerEntitlement
• RedisCluster
• SecureSourceManagerInstance
• SecureSourceManagerRepository
• Workstation
• WorkstationCluster
• WorkstationConfig

New Beta Resources (Direct Reconciler):

• ManagedKafkaCluster

• ApigeeInstance

New Alpha Resources (Direct Reconciler):

• ManagedKafkaTopic
• ApigeeInstanceAttachment
• ApigeeEnvgroupAttachment
• ApigeeEndpointAttachment

Reconciliation Improvements

• SQLInstance

  • All SQLInstance types are now reconciled using the new direct controller (instead of the legacy Terraform-based controller). The previous "opt-in" annotation (documented here) no longer applies. Users no longer need to apply the "opt-in" annotation to SQLInstance resources to enable the direct controller. Regardless of the presence (or absence) of an opt-in annotation on SQLInstance resources, the direct reconciler will be used.
  • This change enables all SQLInstance resources to switch from edition ENTERPRISE -> ENTERPRISE_PLUS and fixes this bug.

• Special shout-outs to @600lyy, @acpana, @anhdle-sso, @barney-s, @Camila-B, @cheftako, @ericpang777, @gemmahou, @haiyanmeng, @jasonvigil, @jingyih, @justinsb, @maqiuyujoyce, @nb-goog, @tarynlucas, @xiaoweim, @yuwenma, @ziyue-101 for their contributions to this release.

Announcement

• ComputeFirewallPolicyRule is switched to the direct approach by default. Previously this direct approach is introduced as a opt-in since release 1.125.

New Beta Resources (Direct Reconciler):

• ApigeeEnvgroup

  • Define environment groups to specify the hostnames for routing traffic to Apigee environments.

• KMSAutokeyConfig

  • Manage the KMS auto key which simplifies the CMEKs provisioning and assignment.

New Alpha Resources (Direct Reconciler):

• IAPSettings

  • Customize the Identity-Aware Proxy (IAP) settings for applications and services running on Google Cloud Platform.

• SecureSourceManangerInstance

• SecureSourceManangerRepository

New Fields:

• SpannerInstance

  • You need to use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on SpannerInstance resource to opt-in these features.

    • spec.autoscalingConfig
    • spec.edition

Reconciliation Improvements

We have added support for direct reconciliation to more resources, with opt-in behaviour. The API is unchanged. To use the direct reconciler, add the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object. The following resources now have direct reconciliation support (and we list some of the issues that this fixes):

• AlloyDBInstance

• SpannerInstance

Bug Fixes:

• Fixed the incorrect format validation for the following fields in resource DataformRepository.

  • spec.gitRemoteSettings.authenticationTokenSecretVersionRef
  • spec.gitRemoteSettings.sshAuthenticationConfig.userPrivateKeySecretVersionRef
  • spec.npmrcEnvironmentVariablesSecretVersionRef

• Special shout-outs to @acpana, @anhdle-sso, @cheftako, @ericpang777, @gemmahou, @haiyanmeng, @jasonvigil, @jingyih, @justinsb, @maqiuyujoyce, @nb-goog, @xiaoweim, @yuwenma, @ziyue-101 for their contributions to this release.

Announcement

New Beta Resources (Direct Reconciler):

• BigQueryAnalyticsHubListing

• FirestoreDatabase

• WorkstationConfig

• Workstation

New Fields:

• BigQueryDataTransferConfig

  • Added spec.scheduleOptionsV2 to customize the different types of data transfer schedule.
  • Added status.observedState.error with detailed information about reason of the latest config failure.

• GKEHubFeatureMembership

  • Added spec.configmanagement.management to enable Config Sync Auto Upgrade. This is an opt-in feature and you need to turn on the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the object.

Modified Beta Reconciliation

We added the direct controller support for the following 3 resources to enhance the reliability and performance. Add alpha.cnrm.cloud.google.com/reconciler: direct annotation on the object to use the direct controller. CRD is backward compatible.

• GKEHubFeatureMembership

  • Added Config Sync Auto-Upgrade support.

• SecretManagerSecret

  • #510 Enhanced spec.rotation.nextRotationTime to use a fixed datetime value to avoid relative now() friction.
  • #1081 Fixed the spec.replication.auto immutable issue
  • #3051 Fixed the spec.rotation.rotationPeriod immutable issue
  • Added the in-use version aliases in status.observedState.versionAliases
  • Resolved update stalling issues.
  • Clarify the TTL use. See the problems and share your use in #3395

• SecretManagerSecretVersion

  • Resolved update stalling caused by DependencyNotReady errors.
  • Fixed the friction in spec.enabled that enabling/disabling a secret version does not always take effect in GCP.
  • API Behavior Change The service generated ID is changed from spec.resourceID to status.version with status.externalRef (new field) to guardrail the identity. See the rational behind and share your feedback in #3445

Fixes

• Dataflowflextemplatejob subnetwork validation error. Error message should match regions/REGION/subnetworks/SUBNETWORK

• Special shout-outs to @acpana, @Camila-B, @cheftako, @ericpang777, @gemmahou, @himanikh, @jasonvigil, @jingyih, @jsoref, @justinsb, @maqiuyujoyce, @nb-goog, @xiaoweim, @yuwenma, @ziyue-101 for their contributions to this release.

Announcement

• Config Connector system management CRDs ControllerReconciler and NamespacedControllerReconciler are promoted to Beta. See how to configure the Controller manager rate limit.

New Beta Resources (Direct Reconciler):

• BigQueryTransferConfig

  • Manage the metadata needed to perform a Big Query data transfer.

• KMSKeyHandle

  • Manage the provisioning of a CryptoKey.

New Fields:

• IAMPolicyMember

  • Use Service Account from BigQueryConnectionConnection via spec.memberFrom.bigQueryConnectionConnectionRef. See example on IAMPolicyMember use BigqueryConectionConnection "cloudSQL"

• IAMPartialPolicy

  • Use Service Account from BigQueryConnectionConnection via spec.memberFrom.bigQueryConnectionConnectionRef.

New Alpha Resources (Direct Reconciler):

• Add new resource WorkstationConfig

• Special shout-outs to @600lyy, @acpana, @anhdle-sso, @cheftako, @ericpang777, @gemmahou, @hankfreund, @jasonvigil, @jingyih, @justinsb, @maqiuyujoyce, @nb-goog, @svetakvsundhar, @xiaoweim, @yuwenma, @zicongmei, @ziyue-101 for their contributions to this release.

New Beta Resources (Direct Reconciler):

• BigQueryConnectionConnection

  • Manage connections to connect to Google services and external data sources

• BigQueryAnalyticsHubDataExchange

  • Manage data exchange to enable self-service data sharing

• PrivilegedAccessManagerEntitlement

  • Manage entitlements to grant for projects, folders, and organizations

• WorkstationCluster

  • Manage workstation cluster to define a group of workstations in a particular region and the VPC network they're attached to.

New Alpha Resources (Direct Reconciler):

• KMSAutokeyConfig

  • Manage the KMS auto key which simplifies the CMEKs provisioning and assignment.

New Fields:

• AlloyDBInstance (Beta)
  • Added spec.networkConfig.enableOutboundPublicIp field.
  • Added status.outboundPublicIpAddresses field.

Reconciliation Improvements

We've enhanced the following resources with a new direct controller, boosting their reliability and performance. While they'll continue to function with their existing Terraform-based or DCL-based controllers by default, the direct controller offers significant improvements. Notably, this enhancement doesn't require any changes to the resource CRD.

• SQLInstance

  • You can use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the SQLInstance CR object to opt-in the direct controller.
  • The direct reconciler contains 2 fix and improvement:
    • Fix the upgrade and downgrade issue between ENTERPRISE and ENTERPRISE_PLUS.
    • Supports "creating from clone" via spec.cloneSource

• ComputeFirewallPolicyRule

  • You can use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the ComputeFirewallPolicyRule CR object to opt-in the direct controller, which fixes the targetResources error required value "priority" could not be found.

New features:

• Add cluster mode to manage the rate-limit for the Config Connector requests

  • In v1.119, we added rate-limit control in namespace mode. Users can configure the NamespacedControllerReconciler object (Alpha) to set the rate-limit for the reconciling requests to the kube-apiserver for their Config Connector resources.
  • In this release, we add this feature for cluster mode. User can configure the ControllerReconciler object (Alpha) to set the rate-limit for all their cnrm manager controllers in the cluster. This example shows how to set up the configuration.

Bug Fixes:

• Issue 3007 ComputeBackendService cannot refer clientTLSPolicy due to invalid format
• Issue 2973 kubelet_config has insecure_kubelet_readonly_port_enabled: true set even if not configured in the ContainerNodePool object.
• Issue 3140 BigQueryConnectionConnection requires UUID to acquire the resource.

v1.124.0

• Special shout-outs to @600lyy, @acpana, @anhdle-sso, @benjamin-maynard, @cheftako, @gemmahou, @hankfreund, @jasonvigil, @jingyih, @justinsb, @maqiuyujoyce, @nancynh, @svetakvsundhar, @xiaoweim, @yuwenma for their contributions to this release.

Announcement

Simplified and More Reliable Resource Development

• We launched a major improvement to the Config Connector resource development! Our new approach significantly enhances reliability and provides a more native Kubernetes experience. Learn more in our guide

New Beta Resources (Direct Reconciler):

• RedisCluster

New Fields:

• CertificateManagerDNSAuthorization

  • Added spec.Location field.

• ComputeForwardingRule

  • Added spec.target.googleApisBundle field (allowed values all-apis or vpc-sc). Note, when configured this field, you are using the new Direct reconciliation.

Resources moved to direct reconciliation

We migrated the following reconciliation from the TF-based or DCL-based controller to the new Direct controller to enhance the reliability and performance. The resource CRD is unchanged.

• CertificateManagerDNSAuthorization

New Alpha Resources (Direct Reconciler):

• PrivilegedAccessManagerEntitlement
• BigQueryAnalyticsHubDataExchange