GKEHubFeatureMembership direct actuation checklist #1867

Open
17 of 35 tasks
ziyue-101 opened this issue May 21, 2024 · 8 comments
Assignees
Labels
enhancement New feature or request

Comments

@ziyue-101
Collaborator

ziyue-101 commented May 21, 2024

Checklist

  • I did not find a related open enhancement request.
  • I understand that enhancement requests filed in the GitHub repository are by default low priority.
  • If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature or resource

Checklist for GKEHubFeatureMembership direct actuation. There may be some overlap on items. Not all of these will necessarily be applicable.

Checklist for existing resources

Code & Reconciliation

  • Review directbase_controller for todos
  • Audit mapping logic - e.g. fields should have a if foo != nil check
  • Verify that mutable-but-unreadable fields don't cause (infinite) diffs
  • Verify that any custom diffs from the DCL controller are reflected in the direct path mtestOK?

KCC System

  • Double check that the user agent is set as Kcc/controller-manager (consistent with other controllers) in order for usage telemetry to work

CRD

  • make sure the CRD is backwards compatible

Special Labels/ Directives support

  • check that the "special" directives here continue to be supported

General Labels/ Directives support

As taken from: https://github.com/maqiuyujoyce/k8s-config-connector/blob/master/pkg/k8s/constants.go

  • mutable-but-unreadable-fields
  • observed-secret-versions
  • supports-ssa
  • blueprint
  • management-conflict-prevention-policy
  • deletion-policy
  • reconcile-interval-in-seconds
Container Annotations
  • project-id
  • folder-id
  • organization-id

Functional

  • pause via CC, CCC or annotations works
  • unmanaging works mtest?
  • acquisition of resource works covered by base?
  • abandon on delete works
  • cascading deletes

References

  • Check that references in work
  • Check that references out work
  • Check that IAM references work

Immutability

  • check that fields that were immutable before, continue to be immutable

Webhooks

  • check the deletion defender still works
  • check that the immutability webhook still works

Testing

  • Create tests for any "difficult" scenarios
  • Create tests
    • Field testing
      • Field set, unmanage and unset

Additional information

No response

Importance

No response

@ziyue-101 ziyue-101 added the enhancement New feature or request label May 21, 2024
@ziyue-101 ziyue-101 self-assigned this May 21, 2024
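The "audit mapping logic" and "mutable-but-unreadable fields don't cause (infinite) diffs" items above, shown together in an added Go example. This is not code from the k8s-config-connector project: the `Spec`/`GitSpec`/`APIGit` types are constructed, `SyncWaitSecs` is assumed here to be a field the service accepts but never returns, the JSON layout stored under the annotation is assumed, and the full annotation name is assembled from the `cnrm.cloud.google.com/` prefix and the `mutable-but-unreadable-fields` directive listed in the checklist. The mapping function checks every pointer before dereferencing it, and the diff function compares the unreadable field against the value recorded at the last successful apply instead of against the (always empty) observed value, which is what stops the reconcile loop from updating on every pass.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed KRM-side spec types for this example; not the project's generated types.
type GitSpec struct {
	SyncRepo     *string
	SyncBranch   *string
	SyncWaitSecs *string
}

type Spec struct {
	Git *GitSpec
}

// Constructed API-side model. SyncWaitSecs is assumed to be mutable but not echoed
// back by the service (write-only), which is the situation the checklist item covers.
type APIGit struct {
	Repo     string
	Branch   string
	WaitSecs string
}

// SpecToAPI maps the spec onto the API model. Each pointer is checked before it is
// dereferenced, so an absent optional block or field returns nil instead of panicking.
func SpecToAPI(in *Spec) *APIGit {
	if in == nil || in.Git == nil {
		return nil
	}
	out := &APIGit{}
	if in.Git.SyncRepo != nil {
		out.Repo = *in.Git.SyncRepo
	}
	if in.Git.SyncBranch != nil {
		out.Branch = *in.Git.SyncBranch
	}
	if in.Git.SyncWaitSecs != nil {
		out.WaitSecs = *in.Git.SyncWaitSecs
	}
	return out
}

// Annotation name assembled from the checklist; the JSON stored under it is assumed.
const mutableButUnreadableAnnotation = "cnrm.cloud.google.com/mutable-but-unreadable-fields"

type unreadableRecord struct {
	WaitSecs string `json:"waitSecs"`
}

// NaiveNeedsUpdate compares every field against what the service returned. Because
// WaitSecs is never echoed back, any non-empty desired value diffs on every pass.
func NaiveNeedsUpdate(desired, observed *APIGit) bool {
	return *desired != *observed
}

// NeedsUpdate compares readable fields against the observed object and the unreadable
// field against the value recorded in the annotation at the last successful apply.
func NeedsUpdate(desired, observed *APIGit, annotations map[string]string) (bool, error) {
	if desired.Repo != observed.Repo || desired.Branch != observed.Branch {
		return true, nil
	}
	var last unreadableRecord
	if raw, ok := annotations[mutableButUnreadableAnnotation]; ok {
		if err := json.Unmarshal([]byte(raw), &last); err != nil {
			return false, fmt.Errorf("parse %s: %w", mutableButUnreadableAnnotation, err)
		}
	}
	return desired.WaitSecs != last.WaitSecs, nil
}

// RecordUnreadable returns the annotation value to persist after a successful apply.
func RecordUnreadable(applied *APIGit) (string, error) {
	b, err := json.Marshal(unreadableRecord{WaitSecs: applied.WaitSecs})
	return string(b), err
}

// Reconcile simulates the loop against a fake service that stores readable fields
// only, and returns how many update calls were issued over the given number of passes.
func Reconcile(desired *APIGit, passes int, useAnnotation bool) (int, error) {
	observed := &APIGit{}
	annotations := map[string]string{}
	updates := 0
	for i := 0; i < passes; i++ {
		need := NaiveNeedsUpdate(desired, observed)
		if useAnnotation {
			var err error
			if need, err = NeedsUpdate(desired, observed, annotations); err != nil {
				return updates, err
			}
		}
		if !need {
			continue
		}
		updates++
		observed.Repo, observed.Branch = desired.Repo, desired.Branch // WaitSecs is not echoed
		rec, err := RecordUnreadable(desired)
		if err != nil {
			return updates, err
		}
		annotations[mutableButUnreadableAnnotation] = rec
	}
	return updates, nil
}

func strPtr(s string) *string { return &s }

func main() {
	desired := SpecToAPI(&Spec{Git: &GitSpec{
		SyncRepo: strPtr("https://example.invalid/policy.git"), SyncWaitSecs: strPtr("20")}})
	naive, _ := Reconcile(desired, 5, false)
	fixed, _ := Reconcile(desired, 5, true)
	fmt.Printf("updates over 5 passes: naive=%d annotation-aware=%d\n", naive, fixed)
}
```

Running it shows the naive comparison issuing an update on all five passes while the annotation-aware comparison settles after the first; a malformed annotation is surfaced as an error rather than silently treated as "no diff".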
@ziyue-101
Collaborator Author

$ KCC_USE_DIRECT_RECONCILERS=GKEHubFeatureMembership ARTIFACTS=1  E2E_KUBE_TARGET=envtest RUN_E2E=1 E2E_GCP_TARGET=real go test -test.count=1 -timeout 1800s -v ./tests/e2e -run TestAll -run  'TestAllInSeries/fixtures/gkehubfeaturemembership' | tee log
-------redacted--------
--- PASS: TestAllInSeries (736.02s)
    --- PASS: TestAllInSeries/fixtures (736.02s)
        --- PASS: TestAllInSeries/fixtures/gkehubfeaturemembership (735.88s)
PASS
ok  	github.com/GoogleCloudPlatform/k8s-config-connector/tests/e2e	736.259s

@ziyue-101
Collaborator Author

ziyue-101 commented May 30, 2024

mutable-but-unreadable-fields
Applied a resource to a dev cluster, the resource doesn't have mutable-but-unreadable-fields

$ k apply -f temp.yaml
gkehubfeaturemembership.gkehub.cnrm.cloud.google.com/gkehubfeaturemembership-sample created
containercluster.container.cnrm.cloud.google.com/gkehubfeaturemembership-dep-acm created
gkehubfeature.gkehub.cnrm.cloud.google.com/gkehubfeaturemembership-dep-acm created
gkehubmembership.gkehub.cnrm.cloud.google.com/gkehubfeaturemembership-dep-acm created
service.serviceusage.cnrm.cloud.google.com/gkehubfeaturemembership-dep1-acm1 created
service.serviceusage.cnrm.cloud.google.com/gkehubfeaturemembership-dep2-acm created
service.serviceusage.cnrm.cloud.google.com/gkehubfeaturemembership-dep3-acm created
ziyue@kcc-dev:~/go/src/k8s-config-connector/pkg/test/resourcefixture/testdata/basic/gkehub/v1beta1$ k get gkehubfeaturemembership.gkehub.cnrm.cloud.google.com/gkehubfeaturemembership-sample
NAME                             AGE   READY   STATUS   STATUS AGE
gkehubfeaturemembership-sample   19s
ziyue@kcc-dev:~/go/src/k8s-config-connector/pkg/test/resourcefixture/testdata/basic/gkehub/v1beta1$ k get gkehubfeaturemembership.gkehub.cnrm.cloud.google.com/gkehubfeaturemembership-sample -oyaml
apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubFeatureMembership
metadata:
  annotations:
    cnrm.cloud.google.com/management-conflict-prevention-policy: none
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gkehub.cnrm.cloud.google.com/v1beta1","kind":"GKEHubFeatureMembership","metadata":{"annotations":{},"name":"gkehubfeaturemembership-sample","namespace":"default"},"spec":{"configmanagement":{"configSync":{"git":{"policyDir":"config-connector","secretType":"none","syncBranch":"master","syncRepo":"https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit","syncRev":"HEAD","syncWaitSecs":"20"},"sourceFormat":"unstructured"},"hierarchyController":{"enableHierarchicalResourceQuota":true,"enablePodTreeLabels":true,"enabled":true},"policyController":{"auditIntervalSeconds":"20","enabled":true,"exemptableNamespaces":["test-namespace"],"logDeniesEnabled":true,"referentialRulesEnabled":true,"templateLibraryInstalled":true}},"featureRef":{"name":"gkehubfeaturemembership-dep-acm"},"location":"global","membershipRef":{"name":"gkehubfeaturemembership-dep-acm"},"projectRef":{"external":"projects/cnrm-ziyue"}}}
  creationTimestamp: "2024-06-04T01:25:58Z"
  generation: 1
  managedFields:
  - apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:spec:
        .: {}
        f:configmanagement:
          .: {}
          f:configSync:
            .: {}
            f:git:
              .: {}
              f:policyDir: {}
              f:secretType: {}
              f:syncBranch: {}
              f:syncRepo: {}
              f:syncRev: {}
              f:syncWaitSecs: {}
            f:sourceFormat: {}
          f:hierarchyController:
            .: {}
            f:enableHierarchicalResourceQuota: {}
            f:enablePodTreeLabels: {}
            f:enabled: {}
          f:policyController:
            .: {}
            f:auditIntervalSeconds: {}
            f:enabled: {}
            f:exemptableNamespaces: {}
            f:logDeniesEnabled: {}
            f:referentialRulesEnabled: {}
            f:templateLibraryInstalled: {}
        f:featureRef:
          .: {}
          f:name: {}
        f:location: {}
        f:membershipRef:
          .: {}
          f:name: {}
        f:projectRef:
          .: {}
          f:external: {}
    manager: kubectl
    operation: Update
    time: "2024-06-04T01:25:58Z"
  name: gkehubfeaturemembership-sample
  namespace: default
  resourceVersion: "389770236"
  uid: dc7dafde-8610-44b8-b70f-bdc6a943c210
spec:
  configmanagement:
    configSync:
      git:
        policyDir: config-connector
        secretType: none
        syncBranch: master
        syncRepo: https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit
        syncRev: HEAD
        syncWaitSecs: "20"
      sourceFormat: unstructured
    hierarchyController:
      enableHierarchicalResourceQuota: true
      enablePodTreeLabels: true
      enabled: true
    policyController:
      auditIntervalSeconds: "20"
      enabled: true
      exemptableNamespaces:
      - test-namespace
      logDeniesEnabled: true
      referentialRulesEnabled: true
      templateLibraryInstalled: true
  featureRef:
    name: gkehubfeaturemembership-dep-acm
  location: global
  membershipRef:
    name: gkehubfeaturemembership-dep-acm
  projectRef:
    external: projects/cnrm-ziyue

@ziyue-101
Collaborator Author

Verify that any custom diffs from the DCL controller are reflected in the direct path

The custom diff fields are HNC fields:
https://source.corp.google.com/piper///depot/google3/cloud/graphite/mmv2/services/google/gkehub/hub_utils.go;l=264;bpv=1;bpt=1

@ziyue-101
Collaborator Author

ziyue-101 commented Jun 6, 2024

make sure the CRD is backwards compatible
The CRD only changes the description format in config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_gkehubfeaturememberships.gkehub.cnrm.cloud.google.com.yaml. Thus, it should not break anything.

@ziyue-101
Collaborator Author

ziyue-101 commented Jun 6, 2024

acquisition of resource works

The gkehubfeaturemembership resource only supports acquisition by name, which should already be handled by the base controller by doing a Find before Create.

@ziyue-101
Collaborator Author

ziyue-101 commented Jun 6, 2024


/cc @haiyanmeng

@ziyue-101
Collaborator Author

ziyue-101 commented Jun 10, 2024

check that the "special" directives here continue to be supported

With state-into-spec: merge, no additional fields are merged into spec. Thus, the new controller will not need to write status into spec.

$ k get GKEHubFeatureMembership gkehubfeaturemembership-sample -oyaml
apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubFeatureMembership
metadata:
  annotations:
    cnrm.cloud.google.com/management-conflict-prevention-policy: none
    cnrm.cloud.google.com/state-into-spec: merge
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gkehub.cnrm.cloud.google.com/v1beta1","kind":"GKEHubFeatureMembership","metadata":{"annotations":{},"name":"gkehubfeaturemembership-sample","namespace":"default"},"spec":{"configmanagement":{"configSync":{"git":{"policyDir":"config-connector","secretType":"none","syncBranch":"master","syncRepo":"https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit","syncRev":"HEAD","syncWaitSecs":"20"},"sourceFormat":"unstructured"},"hierarchyController":{"enableHierarchicalResourceQuota":true,"enablePodTreeLabels":true,"enabled":true},"policyController":{"auditIntervalSeconds":"20","enabled":true,"exemptableNamespaces":["test-namespace"],"logDeniesEnabled":true,"referentialRulesEnabled":true,"templateLibraryInstalled":true}},"featureRef":{"name":"gkehubfeaturemembership-dep-acm"},"location":"global","membershipRef":{"name":"gkehubfeaturemembership-dep-acm"},"projectRef":{"external":"projects/cnrm-ziyue"}}}
  creationTimestamp: "2024-06-04T01:25:58Z"
  finalizers:
  - cnrm.cloud.google.com/finalizer
  - cnrm.cloud.google.com/deletion-defender
  generation: 2
  managedFields:
  - apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:spec:
        .: {}
        f:configmanagement:
          .: {}
          f:configSync:
            .: {}
            f:git:
              .: {}
              f:policyDir: {}
              f:secretType: {}
              f:syncBranch: {}
              f:syncRepo: {}
              f:syncRev: {}
              f:syncWaitSecs: {}
            f:sourceFormat: {}
          f:hierarchyController:
            .: {}
            f:enableHierarchicalResourceQuota: {}
            f:enablePodTreeLabels: {}
            f:enabled: {}
          f:policyController:
            .: {}
            f:auditIntervalSeconds: {}
            f:enabled: {}
            f:exemptableNamespaces: {}
            f:logDeniesEnabled: {}
            f:referentialRulesEnabled: {}
            f:templateLibraryInstalled: {}
        f:featureRef:
          .: {}
          f:name: {}
        f:location: {}
        f:membershipRef:
          .: {}
          f:name: {}
        f:projectRef:
          .: {}
          f:external: {}
    manager: kubectl
    operation: Update
    time: "2024-06-04T01:25:58Z"
  - apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:cnrm.cloud.google.com/state-into-spec: {}
      f:spec:
        f:configmanagement:
          f:policyController:
            f:monitoring:
              .: {}
              f:backends: {}
          f:version: {}
    manager: cnrm-controller-manager
    operation: Update
    time: "2024-06-10T21:48:01Z"
  - apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        .: {}
        f:conditions: {}
        f:observedGeneration: {}
    manager: cnrm-controller-manager
    operation: Update
    subresource: status
    time: "2024-06-10T21:48:04Z"
  name: gkehubfeaturemembership-sample
  namespace: default
  resourceVersion: "395175415"
  uid: dc7dafde-8610-44b8-b70f-bdc6a943c210
spec:
  configmanagement:
    configSync:
      git:
        policyDir: config-connector
        secretType: none
        syncBranch: master
        syncRepo: https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit
        syncRev: HEAD
        syncWaitSecs: "20"
      sourceFormat: unstructured
    hierarchyController:
      enableHierarchicalResourceQuota: true
      enablePodTreeLabels: true
      enabled: true
    policyController:
      auditIntervalSeconds: "20"
      enabled: true
      exemptableNamespaces:
      - test-namespace
      logDeniesEnabled: true
      monitoring:
        backends:
        - PROMETHEUS
        - CLOUD_MONITORING
      referentialRulesEnabled: true
      templateLibraryInstalled: true
    version: 1.18.1
  featureRef:
    name: gkehubfeaturemembership-dep-acm
  location: global
  membershipRef:
    name: gkehubfeaturemembership-dep-acm
  projectRef:
    external: projects/cnrm-ziyue
status:
  conditions:
  - lastTransitionTime: "2024-06-10T21:48:01Z"
    message: The resource is up to date
    reason: UpToDate
    status: "True"
    type: Ready
  observedGeneration: 2
