-
Notifications
You must be signed in to change notification settings - Fork 193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Folder / Project - make folder and org id a resourceRef (external or direct) #349
Comments
Thanks @tedelwartowski-bestbuy for this suggestion. What you described is the direction we want to take the product with eventually de-emphasizing the annotation. |
Hi @travisrandolph-bestbuy and @tedelwartowski-bestbuy, yes this is something we're working on actively. There's a design proposal undergoing internal review right now meant to address the particular problem described in this issue. We'll let you know when we have more updates on progress. |
Hi all, we've added support for Please note, however, that there is a known issue where you will not be able to delete a Also note that the To maintain consistency across our resources, we intend to roll out support for |
So when we want to create a project in a folder so in the manifest file of the project, how do we reference the folder id if we are trying to work in an automated way? |
If we want to create a folder and then create a project under that folder then how do we reference the folder in the resource Project's manifest file here also remember we need the automation? @jcanseco apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 |
Here's an example: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
name: my-project
spec:
name: My Project
folderRef:
name: my-folder
billingAccountRef:
external: "AAAAA-BBBBB-CCCCC-DDDDD"
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Folder
metadata:
name: my-folder
spec:
displayName: My Folder
organizationRef:
external: "123456789" |
So both resources will be in the same manifest and the dependency will be done by itself like firstly folder will be created and then the project will be created under that folder. right? @jcanseco |
Yep that's correct @yashsaini77. The |
"Also note that the folder-id and organization-id annotations for Project and Folder are now deprecated as a result. " @jcanseco @spew We actually worked out a directory structure using the annotation method. Is there no plan to keep both annotation and resourceRef working? Are there migration instructions? (because it sounds like upgrading to v1.43.0 may result in errors now) Basically we have a namespace in our KCC GKE cluster where the namespace is annotated using "To maintain consistency across our resources, we intend to roll out support for projectRef, folderRef, and organizationRef in place of the project-id, folder-id, and organization-id annotations for our other resources over the next few weeks." Doesn't that mean that the entire doc section in https://cloud.google.com/config-connector/docs/how-to/organizing-resources/overview will be obsolete in a few weeks? |
Hi @tonybenchsci. Your set-up should continue to work just fine. We made sure to keep backwards compatibility in mind when developing this feature. Here are the important points:
The only real behavioral change is the following:
Sort of, and we do plan to update it. Most of it still holds true though. The key difference is that the source of truth for which project/folder/organization a resource belongs to is now the resource's Before, namespace-level annotations were used to default resource-level annotations. Now, namespace-level annotations will be used to default references. Resources which already support resource-level annotations will continue to support them as a legacy feature, and they will be converted to references. Future resources will only support references. This is what I meant when I said that annotations will be deprecated. @tonybenchsci I hope that alleviates the concerns somewhat. Please let me know if you have any other questions. |
@jcanseco Thank you for the excellent explanation. We'll be upgrading now with the assurance of backwards compatibility; also acknowledging that migrating these resources in the future requires updating the new source-of-truth |
Hi @tonybenchsci, we recommend delaying an upgrade for now. We just detected an issue where the defaulting of references doesn't quite work when applying resources with You should not have the problem if you're not applying resources with We're working on a fix at the moment and will put out an update soon. Note that the only resources affected are Workaround: There is no problem if you explicitly specify |
@jcanseco Thanks but I already upgraded at the time of my last comment :) |
Hi @tonybenchsci, yep we've put out a fix in KCC 1.45.0. |
Thanks @jcanseco Another point: While we rely on |
Yes this is docs improvement we can consider. I was thinking it'd make sense to link to the docs on how to set up default projects/folders/orgs via namespace annotations, once we get around to updating those docs :)
Yes that will continue to work (and is something we test). |
@jcanseco We've upgraded to v1.47.0, but now get So it seems like the defaulting behaviours are broken, at least for BigQueryDataset resources, have changed. |
Hey @tonybenchsci, to confirm, are you saying you cannot create I just tried to reproduce locally, but was able to create a Could you share some more debugging info:
|
Thanks for getting back to me @jcanseco @spew . I should've given more information in my last comment :-)
This resource has been created months ago where kubectl apply would always return EDIT: This seems to be only an issue for BigQueryDatasets that don't have EDIT2: EDIT3: EDIT4: Server-side dry-run for pruning (via There might be something pretty flawed with the new projectRef implementions from this experience... Currently this resource is completely broken, because it cannot be abandoned. I cannot delete this resource because it contains critical data, and I suspect Is there another way to abandon? Maybe remove EDIT5: |
Hi @tonybenchsci, apologies that this is causing such a big problem. I wasn't able to reproduce the error when I ran Can you share the following with us to help with debugging?
|
If I do |
Thanks @tonybenchsci . It's interesting that the Can you scan through the controller's logs and see if there are any errors?
|
Well we have 100s of resources across many projects. So if I do Many of them are |
Gotcha, could you search for any of the following strings:
My suspicion is that the controller is failing to add the |
To unblock yourself (i.e. abandon all your
|
Thanks @jcanseco , but doesn't this just abandon all the BigQueryDatasets? We want to manage them. |
Ah yes, I provided steps for abandonment in case you needed them (e.g. if you're getting spammed by errors and just wish for them to stop).
Yes, it could be a real bug so we're currently trying to reproduce the issue, but so far we haven't had any luck, so we're continuing to investigate. If we can reproduce it, we will try to get a fix out ASAP since this would be considered a high-priority issue. |
All of them are of the type 3:
|
Thanks @tonybenchsci! That last comment helped us reproduce the issue. We'll work on a fix and update this thread accordingly. |
I'm guessing 1.48.0 doesn't have a fix, right? |
Hi @tonybenchsci, unfortunately no. We're working on a fix at the moment and will put out a patch release if we can get it in this week. We'll update you when that happens. |
Hi @tonybenchsci, we should have a fix for you in 1.49.0. Could you try it out once it's out and let us know if it works for you? It should be out by EOD. |
Great thanks @jcanseco |
@tonybenchsci, sorry for the delay in updating our release documentation and our operator. We'll have the operator storage bucket updated in an hour or so! |
@tonybenchsci, 1.49.0 should now be up in |
@caieo @jcanseco It worked after 1.49.0 thanks.
There must be a kubectl command to cancel a delete... EDIT: This is now resolved for us. Thanks again for such a prompt turnaround! |
Hi @tonybenchsci, great, happy to hear your issue has been resolved! |
@jcanseco Is this expected? I was expecting the folder-id annotation on a "kind: Project" to still be able to override the namespace level org-id annotation. And then have it do the automatic defaulting of folderRef, just like how the organizationRef is defaulted via the org-id annotation. |
Hi @tonybenchsci, yes that is expected behavior. Unfortunately, certain cases become quite complex and confusing from a UX perspective by continuing to allow mutations of container annotations, so it was decided to go for a "stop the bleeding" approach by making container annotations immutable. Note that container annotations had been mutable for only As a side-note: we do allow removal of container annotations once the resource has a hierarchical reference. This is done to allow users to prevent other people from potentially being confused by seeing both an annotation and a reference on a resource. |
@jcanseco We are ready to close this issue. We have moved our Folders over to the org/folder refs. |
Thanks for confirming, @travisrandolph-bestbuy ! |
This enhancement request is similar to what has been requested in #181 however I would like to propose changing how the reference to a folder or org id is handled in both a Folder and Project resource. Currently, reference to a folder or org id is handled via an annotation which makes it hard to maintain referential relationships between folders and projects. I would like to propose switching the reference of the folder or org id to be a resourceRef (external or direct) such that we can then maintain a referential hierarchy directly with our config connector manifests. Without this, maintaining relationships between folders and projects is manually intensive and impedes on our ability to properly implement automation for the platform.
The text was updated successfully, but these errors were encountered: