What is the retry interval for config connector and is it configurable?

[red8888]

Sorry if this is documented somewhere but I havent been able to find it

Im experimenting with config connector and im trying to create a custom role for my config connector gsa that is scoped very tightly

What I have been doing is deploying, checking error messages for missing perms, updating the perms, waiting for config connector to retry to create/modify/delete the resource

This has been working but sometimes I have to wait a little while for it to retry. What is the retry interval and is it configurable? will re-applying the same manifest cause config connector to immediately retry creating the resource?

another example: at one point I didnt give config connector enough access to delete a resource so the finalizer hang until I gave it the right access and waited for config connector to retry deleting the resource

[xiaobaitusi]

Hi @red8888, thanks for your questions.

What is the retry interval and is it configurable?

On a successful apply, config connector will re-reconcile the resource after 10 mins; that being said, any drift between k8s CR and the underlying resource will be corrected on the next reconciliation.
However, if the initial reconciliation fails for some reason, config connector will retry on it with exponential backoff with 10-mins max
Currently it's not configurable.

will re-applying the same manifest cause config connector to immediately retry creating the resource?

Unfortunately no; applying the exact same manifest will not trigger an UPDATE on k8s api-sever, then config connector will be notified to reconcile. The workaround is to modify the metadata.labels to trigger an immediate retry.

[red8888]

thanks! good to know that if I want to initiate an immediate update I can modify/add a label to the CRD definition