Config Connector release notes

Config Connector version 1.144.0 is now available.

New Beta Resources (Direct Reconciler):

• TagsLocationTagBinding
  • TagsLocationTagBinding is promoted to beta and now uses the direct reconciler by default.
  • Supports tagging of regional resources, including ArtifactRegistryRepository, CloudRun (RunJob, RunService), BigQueryDataset, BigQueryTable, and StorageBucket.
  • spec.location should be set to the region of the resource being tagged.

Bug Fixes:

• Fixed incorrect diffs in TagsLocationTagBinding caused by project number versus. project ID mismatches.

Reconciliation Improvements:

• TagsLocationTagBinding
  • Switched to direct reconciliation as the default reconciler.

Config Connector version 1.134.4 is now available.

Bug Fixes:

• #6035: Fixed an issue where managedFields metadata could be incorrectly attributed to the status subresource during spec updates, causing "Location must be set" errors.

#6065: Enabled Vertical Pod Autoscaler (VPA) support. You can enable VPA for Config Connector components via ControllerResource and NamespacedControllerResource to automatically adjust resource requests.

Config Connector version 1.143.0 is now available.

New Alpha Resources (Direct Reconciler):

• ParameterManagerParameter

New Beta Resources (Direct Reconciler):

• ArtifactRegistryRepository
• LoggingLink
• MemorystoreInstance
• PrivateCACAPool

New Features:

• Set GOMEMLIMIT for KCC workloads to improve memory management and stability.

New Fields:

• AlloyDBInstance
  • Added spec.connectionPoolConfig field.
  • Added status.connectionPoolConfig field.

Reconciliation Improvements:

• TagsTagBinding

  • Added support for organizations in parentRef.
  • Added support for multiple targets in parentRef.

• Resource References (refs.Ref) support added for the following resources to improve reference resolution:

  • BigQueryTable
  • BigQueryDataset
  • CloudRunService
  • CloudRunJob
  • ArtifactRegistryRepository
  • StorageBucket

Bug Fixes:

• Issue 6221: ComputeBackendService can now correctly refer to clientTLSPolicy.
• Issue 6156: BigQueryTable now ignores int64 to int32 schema changes when configured.
• Issue 6026: Fixed identity parsing for TagsTagValue.

Config Connector version 1.142.0 is now available.

New Beta Resources (Direct Reconciler):

• AlloyDBBackup
• AccessContextManagerAccessLevel

New Features:

• IAM: Added support for iam.cnrm.cloud.google.com/disable-dependent-services annotation.
• Added support for Cilium cluster-wide network policy.

New Fields:

• AlloyDBInstance
  • Added spec.observabilityConfig and spec.queryInsightsConfig fields.
• ContainerNodePool
  • Added spec.nodeConfig.enableNestedVirtualization field.

Reconciliation Improvements:

Added support for direct reconciliation to more resources, with opt-in behaviour. The API is unchanged. To use the direct reconciler, add the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object. The following resources now have direct reconciliation support:

• TagsLocationTagBinding: Now supports direct reconciliation.

Bug Fixes:

• BatchJob: Fixed a bug where the resource could not be created.
• FirewallPolicyRule: Fixed an issue with updating the resource.
• IAMServiceAccountKey: Fixed an issue causing unnecessary re-reconciliation.
• Fixed a bug where ComputeBackendService could not refer to clientTLSPolicy due to an invalid format.
• Fixed a bug where interconnect attachments were not ignored.
• Fixed a bug in the GitHub MCP server.
• Fixed a bug in the private cluster endpoint for mockgcp.

Config Connector version 1.141.0 is now available.

New Features:

• Enabled Vertical Pod Autoscaler (VPA) support for Config Connector controllers.
• Added verticalPodAutoscalerMode field to ConfigConnector and ConfigConnectorContext resources.

New Fields:

• RunJob

  • Added spec.template.spec.containers[].port field.

• DataplexTask

  • Replaced project with projectRef.
  • Replaced serviceAccount with serviceAccountRef.
  • Replaced kmsKey with kmsKeyRef.

Bug Fixes:

• Fixed various issues in observedState handling for resources with reference fields.
• Fixed an issue where IAMPolicy and IAMPartialPolicy controllers would alphabetize the members field within the resource spec and write it back. This behavior can conflict with intent-based reconciliation from GitOps systems such as Config Sync, causing a loop of updates and potentially exhausting IAM read quotas.

Config Connector version 1.140.2 is now available.

• Fixed a bug where the IAMPolicy and IAMPartialPolicy controllers would alphabetize the members field within the resource spec and write it back. This behavior can conflict with intent-based reconciliation from GitOps systems such as Config Sync, causing a loop of updates and potentially exhausting IAM read quotas. This issue affected versions 1.140.0 and has now been patched in version 1.140.2.

Config Connector version 1.140.0 is now available.

New Beta Resources (Direct Reconciler):

• CertificateManagerCertificateIssuanceConfig
  • Manage Certificate Manager certificate issuance configurations for automating certificate issuance.

New Alpha Resources (Direct Reconciler):

• AssuredWorkloadsWorkload
  • Manage Assured Workloads workloads to support compliance and security requirements.
• ConfigDeliveryResourceBundle
  • Manage Config Delivery resource bundles for Config Sync.

New Fields:

• AlloyDBCluster
  • Added spec.restoreContinuousBackupSource and spec.restoreBackupSource fields to support restoring from a backup.
• BigQueryReservationAssignment
  • Added spec.jobType field.
• FirestoreDatabase
  • Added spec.deleteProtectionState field.
• FirestoreField
  • Added spec.ttlConfig field.
• RunJob
  • Added spec.template.template.containers.dependsOn field.

Reconciliation Improvements:

• Integrated Multi-Cluster Leader Election for improved reliability in multi-cluster setups.

• Fixed an issue where BigQueryReservationAssignment was not exposing externalRef.
• Fixed an issue with CertificateManagerDNSAuthorization API, Fuzzer and Mapper.
• Fixed an issue with FirestoreDatabase defaulting logic.

Config Connector version 1.139.0 is now available.

New Alpha Resources (Direct Reconciler):

• FirestoreField

New Features:

• The controller type is now reported at the start and end of reconciliation.
• Mockgcp now supports iap oauth brands and bigtable materializedview.

Reconciliation Improvements:

• IAM partial policy management

• Reduced the memory footprint of the recorder.
• SQLInstance: Fixed an issue where empty maintenanceVersion patches were sent. The settings and maintenanceVersion fields are now unmanaged.
• FirestoreDatabase: Fixed boolean value exports.

Config Connector version 1.138.0 is now available.

New Beta Resources (Direct Reconciler):

• BackupDRBackupVault
• OrgPolicyCustomConstraint

New Alpha Resources (Direct Reconciler):

• FirestoreBackupSchedule
• FirestoreDocument

Reconciliation Improvements:

• Improved Normalization logic for OrgPolicy, RunJob, TagsTagBinding, and VertexAIIndex resources.

Bug Fixes:

• Fixed format validation issue in the DataflowFlexTemplateJob direct controller when the spec.subnetworkRef.external field contains full URL.
• Updated status.observedGeneration in ConfigConnector object.

New Beta Resources (Direct Reconciler):

• DocumentAIProcessorVersion
• EssentialContactsContact
• BigQueryBigLakeTable
• BackupDRBackupPlan

Bug Fixes:

• Fixed an issue where ComputeBackendService backends were not sorted.
• Fixed an issue where CloudFunctionsFunction runtime was not a supported value.
• Fixed an issue with labels for BackupDRBackupPlan.
• Fixed an issue with labels for RunJob.
• Fixed a fuzzing issue for FirestoreField.
• Fixed an issue with KMSCryptoKey import.
• Fixed a flakiness issue in the MonitoringDashboard fuzzer.
• Fixed a flakiness issue in tests.
• Fixed an issue with bad labels in tests.
• Fixed an issue with etag in direct reconciliation.

New Alpha Resources (Direct Reconciler):

• BigtableMaterializedView
• MemorystoreInstance

Reconciliation Improvements:

• Enabled opt-in for IAM partial policy management.
• Enabled server-side apply for KMS resources.
• Improved reconciliation for BigtableLogicalView by using deep reflection.
• Improved reconciliation for FirestoreDatabase with identity pattern and export support.
• Improved reconciliation for RunJob with export support.
• Unified ComputeTargetTCPProxy direct API and controller.

New Fields:

• BigtableMaterializedView: Added spec.sourceTableRef and spec.definition.
• BackupDRBackupPlan: Added spec.backupConfig.retentionPeriodDays and spec.backupConfig.backupWindow.

Config Connector version 1.137.0 is now available.

Reconciliation Improvements:

• Introduced Stateful Reconciliation for Direct Controllers. With stateful reconciliation, the direct controller stores a hash of the last successfully applied .spec in the resource's .status. This provides a lightweight, GitOps-safe record when a user has modified the desired state of the resource.

New Beta Resources (Direct Reconciler):

• AssetFeed
• BigQueryReservationAssignment
• CloudDeployDeliveryPipeline
• ComposerEnvironment

Bug Fixes:

• Added support for checking etag in spec for alpha resources.
• Fixed an issue where CloudIdentityMembership roles comparison would fail.
• Fixed a bug where the wrong GVK was reported in IAM controller.
• Fixed a bug where errors were swallowed when reading a Secret.
• Fixed an issue with LRO endTime in mockgcp.
• Fixed a bug in the etag mapper.
• Fixed a bug in the mapper generator for slice and single object map.
• Fixed a bug in the mapper generator for OneOf if the input is not proto.Message.
• Fixed an import for refs in the same package in controllerbuilder.

New Fields:

• ComposerEnvironment
  • Added spec.storageConfig field.
  • Added spec.config.workloadsConfig.dagProcessor field.
  • Added spec.config.workloadsConfig.triggerer field.
  • Added spec.config.softwareConfig.webServerPluginsMode field.
  • Added spec.config.softwareConfig.cloudDataLineageIntegration field.

Config Connector version 1.136.1 is now available.

Config Connector version 1.134.1 is now available.

Bug Fixes:

• #5230: Fixed an issue that could lead to premature certificate rotation by ensuring errors are not swallowed when reading a Secret.
• #5231: Add more verbose logging during certificate validation to assist with debugging.

Bug Fixes:

• PR#5009 Fix the nil pointer dereference error in AlloyDB direct controller

Config Connector version 1.135.0 is now available.

New Fields:

• AlloyDBCluster
  • Added spec.databaseVersion field

New Beta Resources (Direct Reconciler):

• AssetSavedQuery
• PubSubSnapshot

Modified Beta Reconciliation: We migrated the following resources from the Terraform-based or DCL-based controller to the new Direct Controller.

• VMWareEngineExternalAddress

Improved reconciliation by migrating the following resources from the Terraform-based or DCL-based controller to the new direct controller. These resources are migrated automatically and you no longer need to apply the opt-in annotation to enable the direct controller:

• CloudIdentityGroup

• CloudIdentityMembership

Bug Fixes:

• ConfigConnectorContext:
  • PR#4995: status.observedGeneration is now being set on the ConfigConnectorContext.
  • PR#4657: Added spec.managerNamespace.
• SQLInstance:
  • PR#4838: Fixed bug in SQLInstance maintenanceVersion UPDATE operation
  • PR#4843: Set status on acquisition for SQLInstance controller
  • PR#4857: Support SQLInstance maintenanceVersion in CREATE operation

New Fields:

• ContainerCluster: DNS endpoint is supported in ContainerCluster.

Config Connector version 1.134.0 is now available.

New Beta Resources (Direct Reconciler):

• APIGatewayAPI

• AppHubApplication

• StorageAnywhereCache

New Alpha Resources (Direct Reconciler):

• BigtableLogicalView

Reconciliation Improvements

Added support for direct reconciliation to more resources, with opt-in behaviour. The API is backward compatible. The following resources now have direct reconciliation support

• BigQueryTable
  • Use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the BigQueryTable CR object to opt-in the direct controller.
  • The direct controller also supports adding BigQueryDataPolicies directly to BigQueryTable columns within spec.schema.

• PR#4808 filtered out Kubernetes labels that are invalid for Google Cloud in the ComputeForwardingRule direct controller, ensuring backward compatibility after migrating to the direct controller.

Config Connector version 1.133.0 is now available.

Config Connector version 1.132.1 is now available.

Reconciliation Improvements:

• SpannerInstance
  • You can opt-in the direct controller by adding the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the SpannerInstance resource`.
  • Direct controller is opt-in if using the following fields:
    • spec.labels
    • spec.defaultBackupScheduleType
    • spec.edition
    • spec.autoscalingConfig

Reconciliation Improvements:

• BigtableAppProfile
  • You can opt-in the direct controller by adding the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the BigtableAppProfile resource.
  • Added support for spec.dataBoostIsolationReadOnly field for resources reconciled by the direct controller.
• CloudIdentityGroup and CloudIdentityMembership
  • You can opt-in the direct controller by adding the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the CloudIdentityGroup and CloudIdentityMembership resources.
  • With direct reconciliation, creating new resources will no longer write back the service-generated ID to spec.resourceID. To acquire a resource, you can find its resourceID from the last part of status.externalRef field, or via gcloud command or Cloud Console. The spec.resourceID field is used for acquisition only, leave the field unset when creating a new resource.

• Storage Bucket
  • Removed immutability constraint on spec.location and spec.customPlacementConfig.dataLocations fields. To learn more, see Relocate buckets.

New Alpha Resources (Direct Reconciler):

• OrgPolicyPolicy
• OrgPolicyCustomConstraint
• SpeechRecognizer
• StorageAnywhereCache

New Fields:

• SpannerInstance For opt-in direct controller,
  • Added spec.labels field.
  • Added spec.defaultBackupScheduleType field.
• SecretManagerSecret For opt-in direct controller,
  • Added spec.labels field.

Config Connector version 1.132.0 is now available.

New Beta Resources (Direct Reconciler):

• SpeechCustomClass
• SpeechPhraseSet
• SpeechRecognizer
• VertexAINotebooksInstance
• VertexAIMetadataStore

New Beta resources (direct reconciler)

• IAPSettings

New Alpha resources (direct reconciler)

• ComputeNetworkAttachment
• ComputeNetworkEdgeSecurityService
• DataplexEntryGroup
• DataplexEntryType
• DataplexTask
• DataplexZone
• DatastreamRoute
• DocumentAIVersion
• GKEBackupBackup
• GKEBackupRestore
• PubSubSnapshot
• SpeechCustomClass
• VMwareEngineExternalAddress
• MetastoreService
• MetastoreFederation
• MetastoreBackup
• APIQuotaPreference
• APIQuotaAdjusterSettings
• EventarcGoogleChannelConfig
• EventarcChannel
• AssetSavedQuery
• AssetFeed
• EssentialContactsContact
• DataCatalogEntryGroup
• DataCatalogEntry
• DataCatalogTagTemplate
• DataCatalogTag

Config Connector version 1.131.0 is now available.

• Fixed an issue: excessive compute.firewallPolicies.patchRule Logs triggered by Config Connector direct reconciliation.

New Fields

• GKEHubFeatureMembership

  • Added spec.configmanagement.configSync.stopSyncing in version1.129.

• SpannerInstance.

  • Added spec.defaultBackupScheduleType field.
  • Added spec.labels field

New Beta resources (direct reconciler)

• ApigeeEndpointAttachment

• ApigeeEnvgroupAttachment

• ApigeeInstanceAttachment

• ManagedKafkaTopic

• SecureSourceManagerInstance

• SecureSourceManagerRepository

New Alpha resources (direct reconciler)

• ApphubApplication
• BackupDRManagementServer
• BackupDRBackupVault
• BackupDRBackupPlan
• BackupDRBackupPlanAssociation
• BatchJob
• BigLakeTable
• BigQueryReservation
• CodeDeployDeliveryPipeline
• DataplexLake
• DatastreamPrivateConnection
• DatastreamConnectionProfile
• DocumentAIProcessor
• GKEBackupBackupPlan
• GKEBackupRestorePlan
• NetAppBackupPolicy
• NotebooksEnvironment
• SpannerInstanceConfig
• VertexAIFeaturestore
• VMwareEnginePrivateCloud
• VMwareEngineNetwork
• VMwareEngineNetworkPeering
• VMwareEngineNetworkPolicy
• WorkflowExecution

Config Connector version 1.130.2 is now available.

Reconciliation Improvements

Added support for direct reconciliation to more resources, with opt-in behaviour. The API is backward compatible. To use the direct reconciler, add the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object. The following resources now have direct reconciliation support (and we list some of the issues that this fixes):

• SpannerInstance
  • You can use spec.edition field to optimize your enterprise edition type
  • You can use spec.autoscalingConfig to automate the scaling instead of manually configure spec.processingUnit or spec. numNodes.
  • You can use the defaultBackupScheduleType now.
  • Behavior Change If you use the SpannerInstance Kubernetes metadata.labels to configure your GCP labels, please change them to use the spec.labels field instead.

New Alpha resources (direct reconciler)

• ManagedKafkaTopic
• ApigeeInstanceAttachment
• ApigeeEnvgroupAttachment
• ApigeeEndpointAttachment

Reconciliation Improvements

• SQLInstance

  • All SQLInstance types are now reconciled using the new direct controller instead of the legacy Terraform-based controller. The previous "opt-in" annotation (document reference) no longer applies. Users no longer need to apply the "opt-in" annotation to SQLInstance resources to enable the direct controller. Regardless of the presence (or absence) of an opt-in annotation on SQLInstance resources, the direct reconciler will be used.
  • This change enables all SQLInstance resources to switch from edition ENTERPRISE to ENTERPRISE_PLUS and fixes the bug that prevented SQL Instance upgrade.

Config Connector version 1.129.2 is now available.

New Beta resources (direct reconciler)

• ManagedKafkaCluster

• ApigeeInstance

• AlloydbInstance

Reconciliation Improvements

• We have added support for direct reconciliation to more resources, with opt-in behaviour. The API is unchanged. To use the direct reconciler, add the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object. The following resources now have direct reconciliation support:

  • AlloyDBInstance
  • SpannerInstance

New Alpha resources (direct reconciler)

• IAPSettings

  • Customize the Identity-Aware Proxy (IAP) settings for applications and services running on Google Cloud Platform.

• SecureSourceManangerInstance

• SecureSourceManangerRepository

Config Connector version 1.128.0 is now available.

DataformRepository fields validation error.

• Fixed the incorrect format validation for the following fields:

  • spec.gitRemoteSettings.authenticationTokenSecretVersionRef
  • spec.gitRemoteSettings.sshAuthenticationConfig.userPrivateKeySecretVersionRef
  • spec.npmrcEnvironmentVariablesSecretVersionRef

New Beta resources (direct reconciler)

• ApigeeEnvgroup

  • Define environment groups to specify the hostnames for routing traffic to Apigee environments.

• KMSAutokeyconfig

  • Manage the KMS auto key which simplifies the CMEKs provisioning and assignment.

New Fields

• SpannerInstance

  • You need to use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on SpannerInstance resource to opt-in these features.

    • spec.autoscalingConfig
    • spec.edition

SecretManagerSecretVersion Reconciliation Improvements

• You can use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the object to opt-in the direct controller, which gives the following improvements:

  • Resolved update stalling caused by DependencyNotReady errors.
  • Fixed the friction in spec.enabled that enabling or disabling a secret version does not always take effect in GCP.
  • API Behavior Change The service generated ID is changed from spec.resourceID to status.version with status.externalRef (new field) to guardrail the identity.

• Dataflowflextemplatejob subnetwork validation error.
  • Error message should match regions/REGION/subnetworks/SUBNETWORK

New Fields

• BigQueryDataTransferConfig

  • Added spec.scheduleOptionsV2 to customize the different types of data transfer schedule.
  • Added status.observedState.error with detailed information about reason of the latest config failure.

• GkeHubFeatureMembership

  • Added spec.configmanagement.management to enable Config Sync Auto Upgrade. This is an opt-in feature and you need to turn on the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the object.

Config Connector version 1.127.0 is now available.

New Beta resources (direct reconciler)

• BigQueryAnalyticsHubListing

• FirestoreDatabase

• WorkstationConfig

• Workstation

SecretManagerSecret Reconciliation Improvements

• You can use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the object to opt-in the direct controller, which gives the following improvements:

  • Enhanced spec.rotation.nextRotationTime to use a fixed datetime value to avoid relative now() friction.
  • Fixed the spec.replication.auto immutable issue
  • Added the in-use version aliases in status.observedState.versionAliases
  • Resolved update stalling issues.
  • Clarify the TTL use. See the problems and share your use in GitHub issue #3395

Config Connector version 1.126.0 is now available.

Use BigQueryConnectionConnection to provide the IAM Service Account

• IAMPolicyMember

  • Added spec.memberFrom.bigQueryConnectionConnectionRef
  • See an example on IAMPolicyMember use BigqueryConectionConnection "cloudSQL"

• IAMPartialPolicy

  • Added spec.memberFrom.bigQueryConnectionConnectionRef.

Config Connector system management CRDs ControllerReconciler and NamespacedControllerReconciler are promoted to Beta. See how to configure the Controller manager rate limit.

New Beta resources (direct reconciler)

• BigQueryTransferConfig

  • Manage the metadata needed to perform a BigQuery data transfer.

• KMSKeyHandle

  • Manage the provisioning of a CryptoKey.

New Alpha Resources

• Add new resource WorkstationConfig

Config Connector version 1.125.0 is now available.

New Beta resources (direct reconciler)

• BigQueryConnectionConnection

  • Manage connections to connect to Google services and external data sources

• BigQueryAnalyticsHubDataExchange

  • Manage data exchange to enable self-service data sharing

• PrivilegedAccessManagerEntitlement

  • Manage entitlements to grant for projects, folders, and organizations

• WorkstationCluster

  • Manage workstation cluster to define a group of workstations in a particular region and the VPC network they're attached to.

Added cluster mode to manage the rate-limit for the Config Connector requests

• You can set the rate-limit for the reconciling requests to the kube-apiserver in Cluster and Namespace mode.
• Configure NamespacedControllerReconciler (Alpha) for namespace mode. This is added since 1.119
• Configure ControllerReconciler (Alpha) for cluster mode. The ControllerReconciler shows an example.

SQLInstance Reconciliation Improvements

• You can use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the SQLInstance CR object to opt-in the direct controller.
• The direct reconciler contains 2 fix and improvement:
  • Fix the upgrade and downgrade issue between ENTERPRISE and ENTERPRISE_PLUS.
  • Supports creating from clone functionality via spec. cloneSource
• Migrated the SQLInstance from the Terraform-based or DCL-based controller to the new Direct Controller to enhance the reliability and performance. The CRD is unchanged.

ComputeFirewallPolicyRule Reconciliation Improvements

• You can use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the ComputeFirewallPolicyRule CR object to opt-in the direct controller, which fixes the targetResources error "required value priority could not be found".
• Migrated this resource from the Terraform-based controller to the new Direct Controller to enhance the reliability and performance. The resource CRD is unchanged.

AlloyDBInstance

• Added spec.networkConfig.enableOutboundPublicIp field.
• Added status.outboundPublicIpAddresses field.

Issue 2973 kubelet_config has insecure_kubelet_readonly_port_enabled: true set even if not configured in the ContainerNodePool object.

Issue 3007 ComputeBackendService cannot refer clientTLSPolicy due to invalid format

CertificateManagerDNSAuthorization

• Add the spec.Location field.

ComputeForwardingRule

• Added spec.target.googleApisBundle field (allowed values are all-apis or vpc-sc). Note, when configuring this field, the resource will use direct reconciliation.

CertificateManagerDNSAuthorization is migrated from the Terraform-based to the new Direct controller to enhance reliability and performance. The resource CRD is unchanged.

Config Connector version 1.124.0 is now available.

RedisCluster is promoted from alpha to beta (Direct Reconciler).

New Alpha Resources (Direct Reconciler)

• PrivilegedAccessManagerEntitlement
• BigQueryAnalyticsHubDataExchange

The direct resource development guide is now available for contributors

To improve the Config Connector resource development process, we have a new development guide to contributing resources to Config Connector with the direct reconciliation process. This new approach makes contributing more reliable and consistent with Kubernetes development practices. For more information, read the new Direct resource development guide.

Config Connector version 1.123.1 is now available.

BigQueryConnectionConnection (v1alpha1) now uses direct reconciliation.

BigQueryDataTransferConfig (v1alpha1) now uses direct reconciliation.

If you use the CloudIdentityGroup, CloudBuildTrigger and FirestoreIndex resources, do not use version 1.123.0, as it contains regression issues for these resources due to the state-into-spec setting.

DataformRepository is promoted from alpha to beta.

Config Connector switches between the Direct and TF-based reconcilers depending on the SQLInstances objects' use of the spec.cloneSource field

Starting from this version, all new CustomResources (CRs) have the cnrm.cloud.google.com/state-into-spec annotation field default to absent. For more information about this behavior, see the spec fields documentation. The behavior of existing CRs is not impacted by this change.

You can use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on DataflowFlexTemplateJob resource to opt-in the Direct Cloud Reconciler, which provides an advanced status update solution for some timeout issues.

Added FirestoreDatabase (v1alpha1). This uses direct reconciliation.

Config Connector version 1.122.0 is now available.

RunJob

Add the spec.template.template.volumes[].cloudSqlInstance field to configure Cloud SQL instance.

ContainerCluster

The spec.nodeConfig.taint can be updated in place in lieu of destroying and recreating the object.

RedisCluster (Alpha) now uses direct reconciliation.

Added RedisCluster (Alpha) resource for service Redis.

SQLInstance now uses direct reconciliation.

SQLInstance

Add the spec.cloneSource field to clone a SQLInstance.

ContainerNodePool

The spec.nodeConfig.taint can be updated in place in lieu of destroying and recreating the object.

The state-into-spec field now defaults to Absent in all Config Controller clusters.

Config Connector version 1.121.0 is now available.

The state-into-spec field now defaults to Absent in any new Config Controller clusters.

Starting in version 1.122, this will be the default for all Config Controller clusters.

Starting in version 1.123, this will be the default for all Config Connector clusters.

BigQueryTable

• Added spec.requirePartitionFilter field. This release note was added on August 20.

BigQueryConnection

• Added status.observedState field to store the output-only fields which are previously mistakenly defined in spec.

DataformRepository (Alpha) now uses direct reconciliation.

BigtableInstance

• When autoscaling is enabled (spec.cluster[].autoscalingConfig.), does not use numNodes (spec.cluster[].numNodes=2) as that applies only to manual scaling.

MonitoringDashboard

• Added dashboardFilters support.
• Added alertChart widgets.
• Added collapsibleGroup widgets.
• Added pieChart widgets.
• Added sectionHeader widgets.
• Added singleViewGroup widgets.

• Added timeSeriesTable widgets.

• Added blankView to scorecard widgets.

• Added dataSets.targetAxis and y2Axis fields to xyChart widgets.

• Added id field to all widgets.

• Added prometheusQuery and outputFullDuration to timeSeriesQuery.

• Added style fields to text widgets.

• Added targetAxis field to thresholds.

StorageBucket

• Added spec.softDeletePolicy field.
• Added status.observedState.softDeletePolicy field.

AlloyDBInstance

• Added networkConfig field to support Public-IP feature.

IAM configuration can now be applied to PrivateCACAPool.

CloudBuildWorkerPool is promoted from alpha to beta.

Config Connector version 1.120.1 is now available.

MonitoringAlertPolicy

• Added spec.severity field.

ComputeMangedSSLCertificate is promoted from alpha to beta.

CloudIDSEndpoint is promoted from alpha to beta.

You can configure the ConfigConnector operator to roll back to install the v1.119.0 controllers by specifying spec.version: 1.119.0 in the ConfigConnectorContext CR (namespaced mode).

Added options to customize resource reconciliation for ConfigConnector

• Added a new ControllerReconciler CRD (v1alpha1). See example.
• This feature lets you customize the client-side kube-apiserver request rate limit.

Added ComputeServiceAttachment (v1beta1) resource for service compute

• Added ComputeServiceAttachment as dependency of ComputeForwardingRule through spec.target.serviceAttachmentRef.

Added three output-only fields for ContainerCluster

• Added status.observedState.masterAuth.clusterCaCertificate
• Added status.observedState.privateClusterConfig.privateEndpoint
• Added status.observedState.privateClusterConfig.publicEndpoint

The Direct Controller is now the default reconciler

• Initialize the Direct Controller registration
• Set the default reconciler to Direct Controller if the ConfigConnector CRD does not have cnrm.cloud.google.com/tf2crd: "true" or cnrm.cloud.google.com/dcl2crd: "true" label.

Added CloudBuildWorkerPool (v1alpha1) resource for service cloudbuild

Config Connector version 1.119.0 is now available.

Added MonitoringDashboard (v1beta1) resource for service monitoring

LoggingLogMetric

• Change .spec.projectRef.kind from required to be optional.
• If this field is given, it has to be .spec.projectRef.kind: Project.

Config Connector version 1.118.2 is now available.

Config Connector version 1.118.1 is now available.

This release introduces the direct-reconciliation mechanism to reconcile Config Connector resources. The reconciliation makes API calls directly instead of going through a third-party library. Currently it only applies to LoggingLogMetric.

SQLInstance avoids a bug causing repeated reconciliation when spec.settings.edition was configured with a non-empty value.

Added support for ComputeNetworkFirewallPolicyRule resource (v1alpha1).

LoggingLogMetric

• Added spec.loggingLogBucketRef field to support bucket reference.

LoggingLogMetric now uses direct reconciliation.

Config Connector version 1.117.0 is now available.

VertexAIEndpoint is promoted from alpha to beta.

• Output fields are now in status.observedState.

• The KMS key is now specified using a reference: spec.encryptionSpec.kmsKeyNameRef

• The network is now specified using a reference: spec.networkRef

ComputeNetwork

• The spec.enableUlaInternalIpv6 field is no longer immutable - it can now be changed without recreating the network.

VertexAIDataSet is promoted from alpha to beta.

• Output fields are now in status.observedState.

• The KMS key is now specified using a reference: spec.encryptionSpec.kmsKeyNameRef

This release improves our support for VertexAI.

VertexAIIndex is promoted from alpha to beta.

• Output fields are now in status.observedState.

• Note that isCompleteOverwrite is currently not supported: it is not obviously compatible with declarative operation.

Config Connector version 1.116.0 is now available.

An error treats merge as invalid value in cnrm.cloud.google.com/state-into-spec annotation in IAMPolicy, IAMPartialPolicy, IAMPolicyMember, and IAMAuditConfig resources. Upgrading Config Connector to 1.117 or newer versions can fix the issue.

DNSRecordSet

• Added spec.routingPolicy.geo.healthCheckedTargets field.

• Added spec.routingPolicy.primaryBackup field.

• Added spec.routingPolicy.wrr field.

ContainerNodePool

• Added spec.nodeConfig.linuxNodeConfig.cgroupMode field.

This release includes enhanced support for DNSRecordSet, enabling advanced configurations such as geo-routing, primary/backup, and weighted round-robin load-balancing.

EventArcTrigger

• Added spec.destination.httpEndpoint field.

• Added spec.destination.networkConfig field.

ContainerCluster

• Added spec.nodeConfig.linuxNodeConfig.cgroupMode field.

LoggingLogBucket

• Added spec.enableAnalytics field.

Improved support for AlloyDB, by adding new fields to AlloyDBCluster and AlloyDBInstance.

Config Connector version 1.115.0 is now available.

AlloyDBCluster

• Added spec.clusterType field.

• Added spec.deletionPolicy field.

• Added spec.secondaryConfig field.

AlloyDBInstance

• Added spec.instanceTypeRef field.

Initial support (alpha stability) for pausing reconciliation, by setting spec.actuationMode: Paused in the ConfigConnectorContext.

AccessContextManagerServicePerimeterResource is promoted from alpha to beta

GKEHubFeatureMembership

• Added spec.policycontroller field.

Fixed resource deletion of AlloyDBInstance and EdgeContainerNodePool when their "parent objects" no longer exist.

Added support for APIKeysKey (v1alpha1) resource.

ComputeTargetHttpsProxy

• Added spec.certificateManagerCertificates field.

SQLInstance and ComputeBackendService now have additional safeguards against populating plain-text secrets back into the object.

BigQueryDataSet

• Added access[].iamMember field.

Initial support (alpha stability) for defaulting state-into-spec to absent (the recommended setting), by setting spec.stateIntoSpec: Absent in the ConfigConnectorContext.

DNSRecordSet

• Added spec.routingPolicy field.

Config Connector version 1.114.1 is now available.

Added support for ComputeNetworkFirewallPolicyAssociation (v1beta1) resource.

ComputeAddress

• Added status.observedState.address field.

Config Connector version 1.113.0 is now available.

Initial support for status.observedState in ContainerCluster, ContainerNodePool and RedisInstance.

To encourage use of cnrm.cloud.google.com/state-into-spec: absent, you can now use status.observedState in ContainerCluster, ContainerNodePool and RedisInstance. Some important resource information (such as the certificate for connecting to a GKE cluster) is currently only available in spec, and we recommend instead reading this resource information from observedState if available. More fields may be added to observedStatein the future.

Added support for TagsLocationTagBinding (v1alpha1) resource.

Resource RunJob (CloudRun Job):

• Added spec.template.vpcAccess.connectorRef field.

Added support for ComputeNetworkFirewallPolicy (v1beta1) resource.

Resource BigtableAppProfile(v1beta1):

• Added spec.standardIsolation field.

Added support for EdgeContainerCluster (v1beta1) and EdgeContainerNodePool (v1beta1) resources.

Added support for EdgeNetworkNetwork (v1beta1) and EdgeNetworkSubnet (v1beta1) resources.

Fixed the SecretKeyRef in the Go client. (Issue #598.)

Added support for AlloyDBUser (v1beta1) resource.

Config Connector version 1.112.0 is now available.

Added name validation for ValidatingWebhookConfigurationCustomization and MutatingWebhookConfigurationCustomization CRDs.

Added support for AlloyDBBackup (v1beta1) resource.

Resource ContainerNodePool(v1beta1):

• Added spec.nodeConfig.fastSocket field.

Added validation for duplicate webhooks in spec.webhooks list of the customizable ControllerResource and NamespacedControllerResource CRDs.

Resource ContainerCluster(v1beta1):

• Added spec.nodeConfig.fastSocket field.

Fixed an reconciliation issue in ComputeManagedSSLCert resource. Issue #107.

Resource ComputeTargetHTTPSProxy(v1beta1):

• Added spec.serverTlsPolicyRef field.

Added support for AlloyDBInstance (v1beta1) resource.

Resource ComputeSubnetwork(v1beta1):

• Added status.internalIpv6Prefix field.

Added support for ContainerAttachedCluster (v1beta1) resource.

Resource SecretManagerSecretVersion(v1beta1):

• Added spec.isSecretDataBase64 field.

Fixed issue of the retrieved maxWorkers in DataflowFlexTemplateJob resource.

Resource RunJob(v1beta1):

• Added spec.template.template.vpcAccess.networkInterfaces field.

Added errors on invalid webhook names into status of ValidatingWebhookConfigurationCustomization and MutatingWebhookConfigurationCustomization custom resources.

Fixed an issue in ComputeForwardingRule resource when used with PSC. Issue #763.

Added support for AlloyDBCluster (v1beta1) resource.

Resource AlloyDBCluster(v1beta1):

• Added spec.networkConfig field.

Config Connector version 1.111.0 is now available.

Graduated ValidatingWebhookConfigurationCustomization, MutatingWebhookConfigurationCustomization, ControllerResource and NamespacedControllerResource CRDs to v1beta1.

Resource NetworkConnectivitySpoke(v1beta1):

• Added spec.linkedVPCNetwork field.

Resource RunService(v1beta1):

• Added spec.template.vpcAccess.networkInterfaces field.

Resource ContainerNodePool(v1beta1):

• Added spec.nodeConfig.confidentialNodes field.

Added MutatingWebhookConfigurationCustomization and ValidatingWebhookConfigurationCustomization to support the customization on webhook timeouts.

Resource StorageBucket(v1beta1):

• spec.autoclass.enabled is now mutable.

Resource SecretManagerSecret(v1beta1):

• Added spec.replication.auto field.

Resource DialogflowCXFlow(v1alpha1):

• Added spec.eventHandlers.items.triggerFulfillment.conditionalCases field.
• Added spec.eventHandlers.items.triggerFulfillment.setParameterActions field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.channel field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.conversationSuccess field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.liveAgentHandoff field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.outputAudioText field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.payload field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.playAudio field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.telephonyTransferCall field.
• Added spec.transitionRoutes.items.triggerFulfillment.conditionalCases field.
• Added spec.transitionRoutes.items.triggerFulfillment.setParameterActions field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.channel field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.conversationSuccess field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.liveAgentHandoff field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.outputAudioText field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.payload field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.playAudio field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.telephonyTransferCall field.

Promoted CertificateManagerCertificate, CertificateManagerCertificateMap, CertificateManagerCertificateMapEntry and CertificateManagerDNSAuthorization from v1alpha1 to v1beta1.

Resource ComputeInstanceTemplate(v1beta1):

• Added spec.networkInterface.items.internalIpv6PrefixLength field.
• Added spec.networkInterface.items.ipv6Address field.

Resource ContainerCluster(v1beta1):

• Added spec.enableFqdnNetworkPolicy field.
• Added spec.nodeConfig.confidentialNodes field.

Resource RunJob(v1beta1):

• spec.template.template.volumes[].secret.items[].mode is now optional.

Resource VertexAIIndexEndpoint(v1alpha1):

• Added spec.publicEndpointEnabled field.
• Added status.publicEndpointDomainName field.

Resource DialogflowCXPage(v1alpha1):

• Added spec.entryFulfillment.conditionalCases field.
• Added spec.entryFulfillment.setParameterActions field.
• Added spec.entryFulfillment.messages.items.channel field.
• Added spec.entryFulfillment.messages.items.conversationSuccess field.
• Added spec.entryFulfillment.messages.items.liveAgentHandoff field.
• Added spec.entryFulfillment.messages.items.outputAudioText field.
• Added spec.entryFulfillment.messages.items.payload field.
• Added spec.entryFulfillment.messages.items.playAudio field.
• Added spec.entryFulfillment.messages.items.telephonyTransferCall field.
• Added spec.eventHandlers.items.triggerFulfillment.conditionalCases field.
• Added spec.eventHandlers.items.triggerFulfillment.setParameterActions field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.channel field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.conversationSuccess field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.liveAgentHandoff field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.outputAudioText field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.payload field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.playAudio field.
• Added spec.eventHandlers.items.triggerFulfillment.messages.items.telephonyTransferCall field.
• Added spec.form.parameters.items.defaultValue field.
• Added spec.form.parameters.items.fillBehavior.repromptEventHandlers field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.conditionalCases field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.setParameterActions field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.messages.items.channel field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.messages.items.conversationSuccess field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.messages.items.liveAgentHandoff field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.messages.items.outputAudioText field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.messages.items.payload field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.messages.items.playAudio field.
• Added spec.form.parameters.items.fillBehavior.initialPromptFulfillment.messages.items.telephonyTransferCall field.
• Added spec.transitionRoutes.items.triggerFulfillment.conditionalCases field.
• Added spec.transitionRoutes.items.triggerFulfillment.setParameterActions field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.channel field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.conversationSuccess field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.liveAgentHandoff field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.outputAudioText field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.payload field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.playAudio field.
• Added spec.transitionRoutes.items.triggerFulfillment.messages.items.telephonyTransferCall field.

Added value validation for resource requests and limits in the customizable ControllerResource and NamespacedControllerResource CRDs.

Resource SecretManagerSecretVersion(v1beta1):

• Added spec.deletionPolicy field.

Resource ComputeInstance(v1beta1):

• Added spec.networkInterface.items.internalIpv6PrefixLength field.
• Added spec.networkInterface.items.ipv6Address field.

Promoted RunService from alpha stability to stable stability.

• Renamed field spec.template.containerConcurrency to spec.template.maxInstanceRequestConcurrency.
• Fixed the IAM support by removing the support of "IAM conditions" on this resource.
• Removed field status.resourceGeneration.

Config Connector version 1.110.0 is now available.

Resource BigQueryTable(v1beta1):

• Added spec.tableConstraints field.
• Added spec.materializedView.allowNonIncrementalDefinition field.

Resource BigtableGCPolicy(v1beta1):

• Fixed a bug that generates unexpected diff when mode and gcRules are both specified.
• Fixed a bug that generates unexpected diff when maxAge in gcRules is specified with units larger than hours.

Resource CloudFunctions2Function(v1alpha1):

• Added spec.kmsKeyName field.

Added support for ComputeRegionSSLPolicy (v1alpha1) resource.

Resource ArtifactRegistryRepository(v1beta1):

• Added spec.cleanupPolicies field.
• Added spec.cleanupPolicyDryRun field.

Added name validation for the customizable ControllerResource CRDs.

Resource ComputeAddress(v1beta1):

• Added spec.ipv6EndpointType field.

Resource RunJob(v1beta1):

• Added status.createTime field.
• Added status.creator field.
• Added status.deleteTime field.
• Added status.expireTime field.
• Added status.lastModifier field.
• Added status.updateTime field.

• Added support for CloudIOTDeviceRegistry (v1alpha1) resource.

Resource WorkstationsWorkstationCluster(v1alpha1):

• Added spec.privateClusterConfig.allowedProjects field.

Resource SpannerDatabase(v1beta1):

• Added spec.enableDropProtection field.

Resource BigQueryTable(v1beta1):

• Added spec.maxStaleness field.
• Added spec.externalDataConfiguration.fileSetSpecType field.

Resource ContainerCluster(v1beta1):

• Added spec.allowNetAdmin field.
• Added spec.enableK8sBetaApis field.
• Added spec.enableMultiNetworking field.
• Added spec.ipAllocationPolicy.additionalPodRangesConfig field.
• Added spec.monitoringConfig.advancedDatapathObservabilityConfig field.
• Added spec.nodeConfig.hostMaintenancePolicy field.

Resource ComputeBackendService(v1beta1):

• Added spec.securityPolicy field.
• Added spec.connectionTrackingPolicy.enableStrongAffinity field.

Resource AlloyDBCluster(v1alpha1):

• Added spec.continuousBackupConfig field.
• Added spec.restoreBackupSource field.
• Added spec.restoreContinuousBackupSource field.
• Added status.continuousBackupInfo field.

Resource MonitoringAlertPolicy(v1beta1):

• Added spec.conditions.items.conditionPrometheusQueryLanguage field.

Resource PubSubSubscription(v1beta1):

• Added spec.cloudStorageConfig field.
• Added spec.pushConfig.noWrapper field.

Resource SQLInstance(v1beta1):

• Added spec.settings.ipConfiguration.pscConfig field.
• Added status.dnsName field.
• Added status.pscServiceAttachmentLink field.

Fixed spec.webhookConfig.secretRef field in CloudBuildTrigger.

Resource ComputeTargetPool(v1beta1):

• Added spec.securityPolicyRef field.

Resource DNSManagedZone(v1beta1):

• Removed spec.privateVisibilityConfig.required field.

Resource FirebaseAndroidApp(v1alpha1):

• Added spec.apiKeyId field.

Resource HealthcareFHIRStore(v1alpha1):

• Added spec.defaultSearchHandlingStrict field.
• Added spec.notificationConfigs.items.sendPreviousResourceOnDelete field.
• Added spec.streamConfigs.items.bigqueryDestination.schemaConfig.lastUpdatedPartitionConfig field.

Resource IAMWorkforcePoolProvider(v1beta1):

• Added spec.oidc.clientSecret field.
• Added spec.oidc.jwksJson field.
• Added spec.oidc.webSsoConfig.additionalScopes field.
• Added status.oidc field.

Field spec.containers is no longer required in the customizable ControllerResource CRDs.

Config Connector version 1.109.0 is now available.

Resource EventarcTrigger(v1beta1):

• Added spec.eventDataContentType field.

Resource ComputeTargetInstance(v1beta1):

• Added spec.securityPolicyRef field.

Added support for VertexAIIndexEndpoint (v1alpha1) resource.

Resource ContainerNodePool(v1beta1):

• Added spec.networkConfig.additionalNodeNetworkConfigs field.
• Added spec.networkConfig.additionalPodNetworkConfigs field.
• Added spec.nodeConfig.hostMaintenancePolicy field.
• Added spec.placementPolicy.policyNameRef field.

Resource ComputeSecurityPolicy(v1beta1):

• Added spec.advancedOptionsConfig.userIpRequestHeaders field.

Resource ComputeInstanceTemplate(v1beta1):

• Added spec.disk.items.provisionedIops field.
• Added spec.networkInterface.items.ipv6AccessConfig.items.name field.
• Added spec.scheduling.localSsdRecoveryTimeout field.

Resource CloudBuildTrigger(v1beta1):

• Added spec.gitFileSource.bitbucketServerConfigRef field.
• Added spec.sourceToBuild.bitbucketServerConfigRef field.

Resource ComputeInstance(v1beta1):

• Added spec.networkInterface.items.ipv6AccessConfig.items.name field.
• Added spec.scheduling.localSsdRecoveryTimeout field.

Resource SecretManagerSecret(v1beta1):

• Added spec.annotations field.
• Added spec.versionAliases field.

Resource FirebaseWebApp(v1alpha1):

• Added spec.apiKeyId field.

Resource ComputeURLMap(v1beta1):

• Added spec.pathMatcher.items.routeRules.items.matchRules.items.pathTemplateMatch field.
• Added spec.pathMatcher.items.routeRules.items.routeAction.urlRewrite.pathTemplateRewrite field.

Resource ComputeTargetHTTPProxy(v1beta1):

• Added spec.httpKeepAliveTimeoutSec field.

Resource HealthcareFHIRStore(v1alpha1):

• Added spec.complexDataTypeReferenceParsing field.

Resource ContainerNodePool(v1beta1):

• Added spec.nodeConfig.guestAccelerator.items.gpuDriverInstallationConfig field.
• Added spec.nodeConfig.soleTenantConfig field.
• Added spec.placementPolicy.tpuTopology field.

Resource BigQueryTable(v1beta1):

• Added spec.externalDataConfiguration.jsonOptions field.
• Added spec.externalDataConfiguration.metadataCacheMode field.
• Added spec.externalDataConfiguration.objectMetadata field.
• Added spec.externalDataConfiguration.parquetOptions field.

Resource CloudFunctions2Function(v1alpha1):

• Added status.url field.

Resource ComputeTargetHTTPSProxy(v1beta1):

• Added spec.httpKeepAliveTimeoutSec field.

Resource ComputeDisk(v1beta1):

• Added spec.enableConfidentialCompute field.
• Added spec.provisionedThroughput field.

Resource ComputeInstanceTemplate(v1beta1):

• Added spec.networkInterface.items.networkAttachment field.

Added support for customization on cnrm-controller-manager pods resource requests/limits in namespaced mode.

Added support for customization on cnrm-unmanaged-detector pods resource requests/limits.

Resource RedisInstance(v1beta1):

• Added status.maintenanceSchedule field.

Resource GKEBackupBackupPlan(v1alpha1):

• Added status.state field.
• Added status.stateReason field.

Resource BigtableTable(v1beta1):

• Added spec.changeStreamRetention field.

Resource VertexAIFeaturestoreEntityTypeFeature(v1alpha1):

• Added status.region field.

Resource ComputeExternalVPNGateway(v1beta1):

• Added status.labelFingerprint field.

Added support for BigQueryReservationCapacityCommitment resource(v1alpha1).

Resource SQLInstance(v1beta1):

• Added spec.settings.dataCacheConfig field.
• Added spec.settings.edition field.

Resource CertificateManagerCertificate(v1alpha1):

• Added spec.managed.issuanceConfig field.

Resource ComputeInstance(v1beta1):

• Added spec.params field.
• Added spec.bootDisk.initializeParams.resourceManagerTags field.

Resource DataformRepository(v1alpha1):

• Added spec.workspaceCompilationOverrides field.

Resource ContainerCluster(v1beta1):

• Added spec.nodeConfig.guestAccelerator.items.gpuDriverInstallationConfig field.
• Added spec.nodeConfig.soleTenantConfig field.
• Added spec.securityPostureConfig field.

Resource ComputeForwardingRule(v1beta1):

• Added spec.noAutomateDnsZone field.

Resource VertexAIIndex(v1alpha1):

• Added spec.metadata.config.shardSize field.

Resource RunJob(v1beta1):

• Added spec.annotations field.
• Added spec.template.annotations field.

Resource BigQueryDataset(v1beta1):

• Added spec.storageBillingModel field.

Config Connector version 1.108.0 is now available.

Resource DataflowFlexTemplateJob(v1beta1):

• Added spec.additionalExperiments field.
• Added spec.autoscalingAlgorithm field.
• Added spec.enableStreamingEngine field.
• Added spec.ipConfiguration field.
• Added spec.kmsKeyNameRef field.
• Added spec.launcherMachineType field.
• Added spec.machineType field.
• Added spec.maxWorkers field.
• Added spec.networkRef field.
• Added spec.numWorkers field.
• Added spec.sdkContainerImage field.
• Added spec.serviceAccountEmailRef field.
• Added spec.stagingLocation field.
• Added spec.subnetworkRef field.
• Added spec.tempLocation field.
• Added spec.transformNameMapping field.

Config Connector version 1.107.0 is now available.

Added GOMEMLIMIT environment variable (default value is set to 110MiB) to the webhook container in cnrm-webhook-manager. It sets a runtime memory limit for the webhook container, which helps in GC-related out-of-memory ("OOM") situations.

Optimized HPA rule for cnrm-webhook-manager with targetCPUUtilizationPercentage adjusted from 90 to 70.

Resource BigQueryDataset(v1beta1):

• Added spec.access.routine field.

Added support for customization on cnrm-webhook-manager pod replicas.

Resource MonitoringAlertPolicy(v1beta1):

• Added spec.alertStrategy.notificationChannelStrategy field.
• Added spec.conditions.items.conditionThreshold.forecastOptions field.

Resource ComputeImage(v1beta1):

• Added spec.storageLocations field.

Resource SQLInstance(v1beta1):

• Added spec.settings.advancedMachineFeatures field.

Added support for KMS key deletion when being orphaned.

Disabled abandon-on-uninstall webhook.

Added support for customization on cnrm-webhook-manager, cnrm-controller-manager, cnrm-resource-stats-recorder and cnrm-deletiondefenderpods resource requests/limits.

Added support for RunJob resource.

Resource VPCAccessConnector(v1beta1):

• Added status.selfLink field.

Resource DataflowFlexTemplateJob(v1beta1):

• Added status.type field.

Config Connector version 1.106.0 is now available.

Resource DatastreamStream(v1alpha1):

• Added spec.sourceConfig.mysqlSourceConfig.maxConcurrentBackfillTasks field.

Resource GKEHubFeature(v1beta1):

• Added spec.spec.fleetobservability field.

Resource StorageTransferJob(v1beta1):

• Added spec.transferSpec.awsS3DataSource.path field.

Optimized HPA rule for cnrm-webhook-manager with new memory targetAverageUtilization.

Resource ComputeDisk(v1beta1):

• Added spec.guestOsFeatures field.
• Added spec.licenses field.

Resource CertificateManagerCertificate(v1alpha1):

• Added spec.location field.

Resource VertexAIEndpoint(v1alpha1):

• Added spec.region field.

Resource ComputeRouterPeer(v1beta1):

• Added spec.enableIpv6 field.

• Added spec.ipv6NexthopAddress field.

• Added spec.peerIpv6NexthopAddress field.

Resource ContainerCluster(v1beta1):

• Added spec.addonsConfig.gcsFuseCsiDriverConfig field.

Config Connector version 1.105.0 is now available.

Resource AlloyDBCluster(v1alpha1):

• Added spec.encryptionConfig field.

• Added spec.automatedBackupPolicy.encryptionConfig field.

• Added status.encryptionInfo field.

Resource WorkflowsWorkflow(v1alpha1):

• Added spec.cryptoKeyName field.

Resource ComputeBackendService(v1beta1):

• Added spec.cdnPolicy.bypassCacheOnRequestHeaders field.

Resource ComputeNetworkPeering(v1beta1):

• Added spec.stackType field.

Resource ComputeResourcePolicy(v1beta1):

• Added spec.diskConsistencyGroupPolicy field.

Fixed the issue that the SecretManagerSecretVersion resource stuck in DeleteFailed state when it's deleted after the referenced SecretManagerSecret is deleted.

Resource WorkstationsWorkstationCluster(v1alpha1):

• Added status.resourceConditions field.

• Restructured status.conditions field to be consistent with status.conditions field of any Config Connector kind.

Resource ComputeDisk(v1beta1):

• Added spec.asyncPrimaryDisk.diskRef field.

Resource BigQueryJob(v1beta1):

• Added spec.load.parquetOptions field.

Resource ComputeForwardingRule(v1beta1):

• Added spec.allowPscGlobalAccess field.

• Added spec.sourceIpRanges field.

• Added status.baseForwardingRule field.

Resource CloudBuildTrigger(v1beta1):

• Added spec.build.step.items.allowExitCodes field.

• Added spec.build.step.items.allowFailure field.

• Added spec.gitFileSource.repositoryRef field.

• Added spec.sourceToBuild.repositoryRef field.

Resource AlloyDBBackup(v1alpha1):

• Added spec.encryptionConfig field.

• Added status.encryptionInfo field.

Config Connector version 1.104.0 is now available.

Config Connector CLI tool will now export cluster information for BigTableInstance.

Resources with a reconcile period of 0 will no longer attempt to reconcile when pods are recreated (#795).

Resource IAMWorkforcePoolProvider(v1beta1):

• Added spec.oidc.webSsoConfig field.

Resource ComputeFirewallPolicyRule(v1beta1):

• Added spec.match.destAddressGroups field.
• Added spec.match.destFqdns field.
• Added spec.match.destRegionCodes field.
• Added spec.match.destThreatIntelligences field.
• Added spec.match.srcAddressGroups field.
• Added spec.match.srcFqdns field.
• Added spec.match.srcRegionCodes field.
• Added spec.match.srcThreatIntelligences field.

Config Connector version 1.103.0 is now available.

Fixed set blockOwnerDeletion failures for OwnerReferencesPermissionEnforcement enabled clusters (#797).

Resource ComputeNetwork(v1beta1):

• Added spec.networkFirewallPolicyEnforcementOrder field.

Added support for manual installation in GKE Autopilot.

Resource ArtifactRegistryRepository(v1beta1):

• Added spec.dockerConfig field.

Added 136 v1alpha1 Google Cloud resource CRDs. See Install instructions for more information.

Resource ComputeInstanceTemplate(v1beta1):

• Added status.selfLinkUnique field.

Issue in resource PrivateCACAPool to support setting maxIssuerPathLength field as 0.

Resource ComputeVPNGateway(v1beta1):

• Added spec.stackType field.

Resource BigQueryDataset(v1beta1):

• Added spec.defaultCollation field.
• Added spec.isCaseInsensitive field.

Optimized ratelimiter for IAMPolicyMember controller to make sure new resources get reconciled timely.

Resource ComputeInstance(v1beta1):

• Added spec.scratchDisk.items.size field.

Resource StorageTransferJob(v1beta1):

• Added spec.transferSpec.objectConditions.lastModifiedBefore field.
• Added spec.transferSpec.objectConditions.lastModifiedSince field.

Resource PrivateCACertificateAuthority(v1beta1):

• Added spec.config.x509Config.caOptions.zeroMaxIssuerPathLength field.

Resource ContainerCluster(v1beta1):

• Added spec.ipAllocationPolicy.podCidrOverprovisionConfig field.
• Added spec.ipAllocationPolicy.stackType field.
• Added spec.nodeConfig.advancedMachineFeatures field.
• Added spec.nodeConfig.ephemeralStorageLocalSsdConfig field.
• Added spec.nodeConfig.localNvmeSsdBlockConfig field.

Resource PrivateCACAPool(v1beta1):

• Added spec.issuancePolicy.baselineValues.caOptions.zeroMaxIssuerPathLength field.

Resource ContainerNodePool(v1beta1):

• Added spec.networkConfig.podCidrOverprovisionConfig field.
• Added spec.nodeConfig.advancedMachineFeatures field.
• Added spec.nodeConfig.ephemeralStorageLocalSsdConfig field.
• Added spec.nodeConfig.localNvmeSsdBlockConfig field.

Fixed a bug causing diff detection on reservedIpRange field in RedisInstance.

Added spec.kubeletConfig.podPidsLimit field to ContainerCluster.

Added spec.kubeletConfig.podPidsLimit field to ContainerNodePool.

Added scheduling.maintenanceInterval field to ComputeInstanceTemplate.

Added groupPlacementPolicy.maxDistance field to ComputeResourcePolicy.

Introduced configurable reconciliation interval feature.

Added mode, remoteRepositoryConfig, virtualRepositoryConfig fields to ArtifactRegistryRepository

Added spec.rateLimitOptions.enforceOnKeyConfigs field to ComputeSecurityPolicy.

Added transferSpec.sinkAgentPoolName, transferSpec.sourceAgentPoolName fields to StorageTransferJob.

Config Connector version 1.102.0 is now available.

Added scheduling.maintenanceInterval field to ComputeInstance.

Added support for IAMAccessBoundaryPolicy resource.

Added spec.instanceType field to SQLInstance.

Added deletionPolicy field to ComputeSharedVPCServiceProject.

Added protectConfig field to ContainerCluster.

Added spec.diskEncryptionKey.rsaEncryptedKey field to ComputeDisk.

Added spec.bitbucketServerTriggerConfig, spec.github.enterpriseConfigResourceNameRef fields to CloudBuildTrigger.

Disabled fast dependency reconciliation during resource deletion.

Added spec.externalDataConfiguration.referenceFileSchemaUri field to BigQueryTable.

Added spec.edgeSecurityPolicyRef and spec.localityLbPolicies fields to ComputeBackendService.

Removed GameServicesRealm resource.

Added spec.memberFrom.serviceIdentityRef field to IAMPolicyMember (#722).

Added spec.adaptiveProtectionConfig.autoDeployConfig field to ComputeSecurityPolicy.

Graduated the following resources from alpha to stable: NetworkServicesGateway, NetworkServicesGRPCRoute, NetworkServicesHTTPRoute, NetworkServicesMesh, NetworkServicesTCPRoute, NetworkServicesTLSRoute.

Added spec.bindings.members.memberFrom.serviceIdentityRef field to IAMPartialPolicy (#722).

Added spec.scheduling.maxRunDuration field to ComputeInstance.

spec.settings.diskType is now immutable in SQLInstance.

Adjusted default reconciliation interval for the following resources:

• BigtableInstance: 3600 seconds (1 hour)
• BigtableTable: 3600 seconds (1 hour)
• ServiceUsage: 3600 seconds (1 hour)
• ComputeSslCertificate: 0 seconds (This resource does not support any updates)

Added spec.shareSettings field to ComputeNodeGroup.

Config Connector version 1.101.0 is now available.

Added spec.resourcePolicies and spec.scheduling.maxRunDuration fields to ComputeInstanceTemplate.

Added spec.gitFileSource.githubEnterpriseConfigRef, spec.repositoryEventConfig and spec.sourceToBuild.githubEnterpriseConfigRef fields to CloudBuildTrigger.

Fixed a bug that could cause controllers to become stuck on an outdated CRD version.

Added spec.tcpTimeWaitTimeoutSec field to ComputeRouterNAT (#692).

Added spec.ipConfiguration.enablePrivatePathForGoogleCloudServices field to SQLInstance.

Added support for TagsTagBinding resource. This resource has been auto-generated and is in alpha stability.

Added fields spec.disk.sourceImageEncryptionKey, spec.disk.sourceSnapshotRef, and spec.disk.sourceSnapshotEncryptionKey in ComputeInstanceTemplate.

Added support for ServiceIdentity resource (#728).

Added support for IAMPolicy, IAMPartialPolicy and IAMPolicyMember in DNSManagedZone.

Added field spec.routerApplianceInstanceRef in ComputeRouterPeer.

Added fields spec.settings.deletionProtectionEnabled and status.instanceType in SQLInstance (#748).

Added field spec.imagedEncryptionKey in ComputeImage.

Config Connector version 1.100.0 is now available.

Added support for PubSubLiteReservation resource.

Added support for BigQueryRoutine resource. This resource has been auto-generated and is in alpha stability (#739).

Field spec.settings.sqlServerAuditConfig.bucketRef is no longer required in SQLInstance.

Added field status.generatedId in ComputeBackendService.

Extended event-driven reconciliation support to IAMPolicyMember.

abandon-on-uninstall webhook will now ignore non-Config Connector CRDs (#758).

Added field status.expireTime in ComputeSSLCertificate.

Added fields spec.networkConfig.enablePrivateNodes, spec.nodeConfig.loggingVariant, spec.nodeConfig.resourceLabels, spec.upgradeSettings.blueGreenSettings, spec.upgradeSettings.stategy in ContainerNodePool.

Field spec.ipv6AccessType in ComputeSubnetwork has become mutable.

Added field spec.mesh.controlPlane in GKEHubFeatureMembership.

Added field spec.deletionPolicy in BigtableGCPolicy.

Field spec.labels in CloudIdentityGroup has become mutable.

Supported the regional spec.defaultRouteAction.requestMirrorPolicy.backendServiceRef, spec.defaultRouteAction.weightedBackendServices.backendServiceRef for the regional ComputeURLMap resources.

Added support for DataCatalogPolicyTag resource. This resource has been auto-generated and is in alpha stability.

Added support for TagsTagKey resource. This resource has been auto-generated and is in alpha stability.

Added fields spec.clusterAutoscaling.autoProvisioningDefaults.management, spec.clusterAutoscaling.autoProvisioningDefaults.shieldedInstanceConfig spec.clusterAutoscaling.autoProvisioningDefaults.upgradeSettings, spec.gatewayApiConfig, spec.masterAuthorizedNetworksConfig.gcpPublicCidrsAccessEnabled, spec.nodeConfig.loggingVariant, spec.nodeConfig.resourceLabels, spec.nodePoolDefaults.nodeConfigDefaults.loggingVariant, spec.privateClusterConfig.privateEndpointSubnetworkRef in ContainerCluster.

Added field spec.skipAwaitRollout in OSConfigOSPolicyAssignment.

Config Connector version 1.99.0 is now available.

Removed field spec.authorizationPolicyRef in NetworkServicesGateway (Alpha).

Added fields spec.privateIpAddressRef, spec.redundantInterfaceRef, spec.subnetworkRef in ComputeRouterInterface.

Extended faster reconciliation of resources with dependencies to support IAMPartialPolicy.

Added fields spec.configmanagement.oci and spec.mesh.controlPlane in GKEHubFeatureMembership.

Added fields spec.settings.connectorEnforcement, spec.settings.denyMaintenancePeriod, spec.settings.insightsConfig.queryPlansPerMinute in SQLInstance.

Added field spec.deletionProtection in BigtableTable.

Added field spec.privateVisibilityConfig.gkeClustersRef in DNSManagedZone.

Added field spec.autoclass in StorageBucket.

Added field spec.deletionPolicy in SQLDatabase.

Fixed export error for IAMCustomRole in config-connector CLI with --resource-format=terraform.

Added support for TagsTagValue resource. This resource has been auto-generated and is in alpha stability.

Added field spec.cdnPolicy.cacheKeyPolicy.includeHttpHeaders in ComputeBackendService.

Added fields spec.recaptchaOptionsConfig, spec.rule.headerAction, spec.rule.preconfiguredWafConfig in ComputeSecurityPolicy.

Config Connector version 1.98.0 is now available.

Added spec.build.step.script to CloudBuildTrigger.

Added spec.clusterAutoscaling.autoProvisioningDefaults.diskSize to ContainerCluster.

Added status.member to IAMServiceAccount.

Added mutation support to spec.nodeConfig.tags in ContainerCluster.

Added spec.settings.timeZone to SQLInstance.

Added spec.maxTimeTravelHours to BigQueryDataset.

Fixed spec.datapathProvider in ContainerCluster by making it immutable.

Fixed spec.schemaSettings.encoding in PubSubTopic by making it immutable (#698).

Added spec.sourceDiskRef and status.sourceDiskId to ComputeDisk.

Added spec.rules to ComputeRouterNAT.

Added support for DataCatalogTaxonomy resource. This resource has been auto-generated and is in alpha stability.

Added spec.compressionMode to ComputeBackendBucket.

Added spec.passwordPolicy to SQLUser.

Added spec.load.jsonExtension to BigQueryJob.

Added spec.cloudLoggingConfig to DNSManagedZone.

Config Connector version 1.97.0 is now available.

Added support for DLPJobTrigger resource.

Added spec.managementConfig.fullManagementConfig to ConfigControllerInstance.

Added spec.maintenanceVersion and status.availableMaintenanceVersions to SQLInstance.

Moved SQLUser output-only field sqlServerUserDetails from spec to status.

Added spec.customPlacementConfig to StorageBucket.

Added spec.persistenceConfig to RedisInstance.

Added spec.compressionMode to ComputeBackendService.

Added spec.gcRules to BigtableGCPolicy (Issues #624, #542, #482, #345, #300).

Added spec.config.dataprocMetricConfig, spec.config.gceClusterConfig.confidentialInstanceConfig, spec.config.gceClusterConfig.shieldedInstanceConfig, spec.config.masterConfig.diskConfig.localSsdInterface, spec.config.metastoreConfig.dataprocMetastoreServiceRef, spec.config.secondaryWorkerConfig.diskConfig.localSsdInterface, spec.config.securityConfig, spec.config.workerConfig.diskConfig.localSsdInterface and spec.virtualClusterConfig to DataprocCluster.

Added status.version to SecretManagerSecretVersion.

Added spec.notificationConfig to StorageTransferJob (Issue #303).

Added spec.externalDataConfiguration.avroOptions to BigQueryTable.

Added spec.nodeConfig.guestAccelerator[].gpuSharingConfig to ContainerNodePool.

Added spec.advancedOptionsConfig.jsonCustomConfig to ComputeSecurityPolicy.

Added spec.nodeConfig.guestAccelerator[].gpuSharingConfig and spec.notificationConfig.pubsub.filter to ContainerCluster.

Config Connector version 1.96.0 is now available.

Added costManagementConfig, nodePoolDefaults, serviceExternalIpsConfig to ContainerCluster.

Added storageTarget to BigTableInstance (Issue #729).

Added chainName to ComputeSnapshot.

Added support for DLPInspectTemplate resource.

Added visibleCoreCount to ComputeInstanceTemplate.

Added location and BITBUCKET support to CloudBuildTrigger (Issue #672).

Released new controller unmanaged-detector. Now if there is no Config Connector controller for a resource's namespace, that resource's status will show as "Unmanaged".

Extended faster reconciliation of resources with dependencies to support IAMAuditConfig and IAMPolicy.

Removed labels field from NetworkServicesGateway (alpha), NetworkServicesGRPCRoute (alpha), NetworkServicesHTTPRoute (alpha), NetworkServicesMesh (alpha), and NetworkServicesTCPRoute (alpha).

Fixed issue with DataprocCluster where resource creation was failing with error message Update call failed: error applying desired state: infeasible update: ({true }) would require recreation (Issue #661).

Added forceDelete to MonitoringNotificationChannel.

Added locationPolicy, totalMaxNodeCount, totalMinNodeCount to ContainerNodePool.

Added channelRef and resourceConditions to EventarcTrigger.

Added snapshotProperties.chainName to ComputeResourcePolicies.

Added mesh to GKEHubFeatureMembership.

Added visibleCoreCount to ComputeInstance.

Added certificateMapRef to ComputeTargetSSLProxy.

Config Connector version 1.95.0 is now available.

Added enableServiceLinks: false to all the Pod configurations in Config Connector installation bundle. This is to fix the potential issue standard_init_linux.go:228: exec user process caused: argument list too long in Config Connector Pods.

Added support for DLPDeidentifyTemplate resource.

Removed spec.routers in NetworkServicsGRPCRoute (alpha) and NetworkServicsTCPRoute (alpha).

Removed the validation on spec.cluster.numNodes > 0 in BigtableInstance (Issue #673).

Added spec.memberFrom.sqlInstanceRef field to IAMPolicyMember (Issue #689).

Added spec.bindings[].members[].memberFrom.sqlInstanceRef field to IAMPartialPolicy (Issue #689).

Added spec.nodeConfig.reservationAffinity to ContainerCluster.

Added spec.nodePoolAutoConfig to ContainerCluster.

Added support for major version upgrades to SQLInstance (spec.databaseVersion is now mutable).

In NetworkServicesGateway (alpha), updated spec.authorizationPolicy to spec.authorizationPolicyRef, and updated spec.serverTlsPolicy to spec.serverTlsPolicyRef.

Removed spec.routers and spec.rules.action.originalDestination in NetworkServicsHTTPRoute (alpha).

Added spec.nodeConfig.reservationAffinity to ContainerNodePool.

Config Connector version 1.94.0 is now available.

Extended support for value absent in state-into-spec annotation to most Config Connector resources.

Added spec.placement.managedCluster.config.gceClusterConfig.shieldedInstanceConfig to DataprocWorkflow.

Added spec.lifecycleRule.condition.matchesPrefix and spec.lifecycleRule.condition.matchesSuffix fields to StorageBucket.

Fixed the mutability of spec.settings.collation in SQLInstance, as it is actually immutable.

Added spec.scheduling.instanceTerminationAction field to ComputeInstance.

Added spec.conditions.conditionMonitoringQueryLanguage.evaluationMissingData, and spec.conditions.conditionThreshold.evaluationMissingData fields to MonitoringAlertPolicy.

Added spec.settings.locationPreference.secondaryZone, spec.settings.passwordValidationPolicy, and spec.settings.sqlServerAuditConfig fields to SQLInstance.

Added spec.customerManagedKeyRef field to RedisInstance.

Added spec.binaryAuthorization.evaluationMode field in ContainerCluster.

Added spec.networkRef and spec.subnetworkRef fields to ComputeRegionNetworkEndpointGroup.

Added spec.versionRetentionPeriod field to SpannerDatabase.

Config Connector version 1.93.0 is now available.

Added spec.scheduling.instanceTerminationAction field to ComputeInstanceTemplate.

Config Connector will deprecate GameServicesRealm on November 15, 2022 due to the deprecation of Google Cloud Game Servers on June 30, 2023. This means that Config Connector will stop reconciling GameServicesRealm resources. If you have any questions or require assistance, please contact Google Cloud Support.

Deprecated spec.enableBianryAuthorization field in ContainerCluster.

Added spec.binaryAuthorization, spec.clusterAutoscaling.autoProvisioningDefaults.bootDiskKMSKeyRef, and spec.meshCertificates fields to ContainerCluster.

Added spec.bigqueryConfig field to PubSubSubscription.

Added spec.certificateMapRef field to ComputeTargetHTTPSProxy.

Added spec.cdnPolicy.bypassCacheOnRequestHeaders and spec.cdnPolicy.requestCoalescing fields to ComputeBackendBucket.

Increased webhook timeout to 10s.

Added support for "reconcile resource immediately once its dependency is ready" feature for CloudFunctionsFunction, EventarcTrigger, MonitoringUptimeCheckConfig, ServiceDirectoryEndpoint, and ServiceDirectoryService.

Config Connector version 1.92.0 is now available.

Fixed missing Kind field in Go Client ResourceRef struct.

Added support for "reconcile resource immediately once its dependency is ready" feature for CloudFunctionsFunction, EventarcTrigger, MonitoringUptimeCheckConfig, ServiceDirectoryEndpoint, ServiceDirectoryService

Added support for IAMWorkforcePoolProvider resource.

Fixed all reference docs so that code samples now work when they're copy/pasted.

Fixed issue where if ContainerCluster had the remove-default-node-pool directive set to true and there was a ContainerNodePool associated with it, after deleting the successfully reconciled ContainerNodePool, ContainerCluster would get stuck on the UpdateFailed state.

Added spec.configmanagement.policyController.monitoring and spec.configmanagement.policyController.mutationEnabled fields to GKEHubFeatureMembership.

Added support for the IAMWorkforcePool resource.

Config Connector version 1.91.0 is now available.

Fixed issue where SQLInstance could not reference KMSCryptoKey.

Added support for state-into-spec to StorageBucket.

Added status.pscConnectionId and status.pscConnectionStatus fields to ComputeForwardingRule.

Added support for state-into-spec: absent to MonitoringAlertPolicy.

Added spec.includeBuildLogs field to CloudBuildTrigger.

Added support for "reconcile resource immediately once its dependency is ready" feature for ComputeTargetPool, ComputeNetworkEndpointGroup, NetworkServicesGRPCRoute, NetworkServicesTLSRoute.

Added spec.maxPortsPerVm field to ComputeRouterNats.

Config Connector version 1.90.0 is now available.

Added spec.monitoringConfig.managedPrometheus field to ContainerCluster.

Added spec.sslPolicyRef field to ComputeTargetHTTPSProxy.

Added spec.enableUlaInternalIpv6 and spec.internalIpv6Range fields to ComputeNetwork.

Fixed issue where spec.layer7DdosDefenseConfig field in ComputeSecurityPolicy was not being reflected onto underlying resource.

Added spec.advancedOptionsConfig field to ComputeSecurityPolicy.

Added spec.externalDataConfiguration.connectionId field to BigQueryTable.

Added status.creationTime and status.managedZoneId fields to DNSManagedZones.

Added spec.schemaSettings field to PubSubTopic.

Added spec.egressPolicies.egressTo.externalResources field to AccessContextManagerServicePerimeters,

Added spec.sqlServerUserDetails field to SQLUser.

Added spec.iap.oauth2ClientIdRef field to ComputeBackendService.

Added support for ServiceDirectoryEndpoint resource.

Added spec.cacheKeyPolicy.cdnPolicy.includeNamedCookies field to ComputeBackendService.

Added support for the DLPStoredInfoType resource.

Added spec.cdnPolicy.cacheKeyPolicy field to ComputeBackendBucket.

Added support for PubSubSchema resource.

Config Connector version 1.89.0 is now available.

Fixed bulk-export for MonitoringAlertPolicy.

Config Connector version 1.88.0 is now available.

Added support for ServiceDirectoryNamespace and ServiceDirectoryService resources.

Added fields spec.maintenancePolicy and spec.maintenanceSchedule to MemcacheInstance resource.

Config Connector version 1.87.0 is now available.

Added spec.enableDynamicPortAllocation field to ComputeRouterNAT.

Added spec.gateways field to NetworkServicesTCPRoute.

Added spec.settings.activeDirectoryConfig field to SQLInstance.

Added spec.maintenancePolicy.maintenanceExclusion[].exclusionOptions field to ContainerCluster.

Added spec.pscTargetService field to ComputeRegionNetworkEndpointGroup.

Fixed issue where webhooks were unintentionally returning 500 errors when rejecting immutable field changes.

Added support for ComputeRegionNetworkEndpointGroup resource.

Added spec.serviceDirectoryRegistrations field to ComputeForwardingRule.

Config Connector version 1.86.0 is now available.

Added support for PrivateCACertificate resource.

Added spec.secondaryIpRange field to RedisInstance.

Changed spec.readReplicasMode in RedisInstance from immutable to optional.

Config Connector version 1.85.0 is now available.

Fixed spec.topics in SecretManagerSecret (Issue #655).

Added spec.subsetting field to ComputeBackendService.

Fixed the reference configs for AccessContextManagerServicePerimeter.

Added spec.enableExactlyOnceDelivery field to PubSubSubscription.

Config Connector version 1.84.0 is now available.

Removed spec.gateways field from NetworkServicesTCPRoute (Alpha).

Added spec.rule.redirectOptions field to ComputeSecurityPolicy.

Removed status.terminalCondition.domainMappingReason and status.terminalCondition.internalReason fields from RunService (Alpha).

Added spec.columnLayout.columns.widgets.logsPanel, spec.gridLayout.widgets.logsPanel, spec.mosaicLayout.tiles.widget.logsPanel, and spec.rowLayout.rows.widgets.logsPanel fields to MonitoringMonitorDashboard.

Added spec.approvalConfig field to CloudBuildTrigger.

Deprecated spec.rrdatas field in DNSRecordSet.

Added spec.rrdatasRefs field to DNSRecordSet.

Added cnrm.cloud.google.com/skip-wait-on-job-termination directive to DataflowFlexTemplateJob and DataflowJob.

Reduced reconciliation frequency of ConfigConnector object.

Added spec.addonsConfig.gkeBackupAgentConfig field to ContainerCluster.

Removed spec.template.confidential field from RunService (Alpha).

Renamed spec.template.volumes.cloudSqlInstance.connections to spec.template.volumes.cloudSqlInstance.instances in RunService (Alpha).

Added IAMPolicy and IAMPolicyMember support for AccessContextManagerAccessPolicy.

Added IAMPolicyMember support for BinaryAuthorizationPolicy, CloudFunctionsFunction, DataprocCluster, NetworkSecurityAuthorizationPolicy, NetworkSecurityClientTLSPolicy, NetworkSecurityServerTLSPolicy, and RunService.

Config Connector version 1.83.0 is now available.

Made the spec.resourceRef.apiVersion field in IAMPolicy, IAMPartialPolicy, IAMPolicyMember, IAMAuditConfig optional.

Deprecated spec.networkInterface[].networkIp field in ComputeInstance resource.

Config Connector version 1.82.0 is now available.

Added field spec.networkInterface[].networkIpRef to ComputeInstance resource.

This release contains an issue that may prevent you from successfully deleting namespaces with Config Connector enabled if using Config Connector in namespaced-mode. If you are using namespaced-mode, do not upgrade to version 1.81.0 - please upgrade to 1.82.0 instead.

Added field spec.edgeSecurityPolicy to ComputeBackendBucket resource.

Added field spec.cluster[].autoscalingConfig to BigtableInstance resource.

Fixed the bug introduced in version 1.62.0 that list fields can't be set to empty lists. (Issue #595)

Added field spec.type to ComputeSecurityPolicy resource.

Added support for ApigeeEnvironment resource.

Added field spec.schedule.repeatInterval to StorageTransferJob resource

Config Connector version 1.81.0 is now available.

Config Connector version 1.80.0 is now available.

Added support for NetworkServicesTLSRoute resource.

Added spec.destination.loggingLogBucketRef to LoggingLogSink.

Added support for ApigeeOrganization resource.

Added spec.nodeConfig.gvnic to ContainerCluster.

Added spec.filter, spec.gitFileSource, and spec.sourceToBuild to CloudBuildTrigger.

Config Connector version 1.79.0 is now available.

Added IAMPolicy support for BinaryAuthorizationPolicy, CloudFunctionsFunction, DataprocCluster, NetworkSecurityAuthorizationPolicy, NetworkSecurityClientTLSPolicy, NetworkSecurityServerTLSPolicy, and RunService.

Added spec.mavenConfig to ArtifactRegistryRepository.

Added spec.nodeConfig.gvnic to ContainerNodePool.

Added support for MonitoringMonitoredProject resource.

Config Connector version 1.78.0 is now available.

Fixed issue where users could not switch between the field github.push and the field github.pullRequest in CloudBuildTrigger resources (Issue #357).

Fixed issue where users could not switch between the field singleClusterRouting and the fields multiClusterRoutingUseAny and multiClusterRoutingClusterIds in BigtableAppProfile resources.

Fixed issue where users could not update the policy in ResourceManagerPolicy resources.

Config Connector version 1.77.0 is now available.

Added support for ARM binaries.

Added support for IdentityPlatformConfig resource.

Added support for EventarcTrigger resource.

Added fields spec.maintenancePolicy and spec.maintenanceSchedule into RedisInstance resource.

Added support for BillingBudgetsBudget resource.

Added field spec.rule[].rateLimitOptions into ComputeSecurityPolicy resource.

StorageTransferJob: Fields spec.schedule and spec.transferSpec.awsS3DataSource.awsAccessKey are no longer required.

Added fields spec.transferSpec.awsS3DataSource.roleArn, spec.transferSpec.posixDataSink and spec.transferSpec.posixDataSource into StorageTransferJob resource.

Added field status.selfLink into NetworkServicesGateway,NetworkServicesGRPCRoute, NetworkServicesHTTPRoute, NetworkServicesMesh and NetworkServicesTCPRoute resources.

Config Connector version 1.75.0 is now available.

Added fields spec.addonsConfig.gcpFilestoreCsiDriverConfig and spec.clusterAutoscaling.autoProvisioningDefaults.imageType into ContainerCluster resource.

Added support for LoggingLogView resource.

Fixed topicRef in CloudBuildTrigger (Issue #605).

Added support for PrivateCACertificateAuthority resource

Config Connector version 1.74.0 is now available.

CRD go clients (alpha) have moved to pkg/clients/generated/client/clientset/versioned/ package.

Added support in IAMPartialPolicy and IAMPolicy to cover Organization and BillingAccount resources.

Config Connector version 1.73.0 is now available.

Added support for ComputeFirewallPolicyAssociation resource.

Fixed spec.target.targetHTTPProxyRef issue in ComputeForwardingRule (Issue #596).

Miscellaneous bug fixes.

Config Connector version 1.72.1 is now available.

Added support for CloudFunctionsFunction resource.

Added support for LoggingLogBucket resource.

Added fields spec.alertStrategy and spec.conditions.conditionMatchedLog to MonitoringAlertPolicy resource.

Config Connector version 1.72.0 is now available.

Added support for NetworkConnectivitySpoke resource.

Config Connector version 1.71.0 is now available.

Added spec.build.availableSecrets to CloudBuildTrigger resource.

Added support for LoggingLogMetric resource.

Added spec.identityServiceConfig to ContainerCluster resource.

Added regional support for ComputeTargetHTTP(S)Proxy resource(s).

Added spec.settings.ipConfiguration.allocatedIpRange to SQLInstance resource.

Added spec.readReplicaMode, spec.replicaCount and status.nodes to RedisInstance resources.

Added spec.publicAccessPrevention to StorageBucket resource.

Added spec.nodeConfig.nodeGroupRef and spec.nodeConfig.spot to ContainerCluster and ContainerNodePool resources.

StorageBucket: It now errors out if spec.bucketPolicyOnly (deprecated) and spec.uniformBucketLevelAccess are both present but with different values. We recommend using spec.uniformBucketLevelAccess field only.

ContainerCluster: It now errors out if spec.workloadIdentityConfig.identityNamespace (deprecated) and spec.workloadIdentityConfig.workloadPool are both present but with different values. We recommend using spec.workloadIdentityConfig.workloadPool field only.

Added support for RunService (alpha) resource.

Added fields spec.bfd.minReceiveInterval, spec.bfd.minTransmitInterval, spec.bfd.multiplier, and spec.bfd.sessionInitializationMode to ComputeRouterPeer resource.

ComputeSnapshot: Output-only field status.sourceDiskLink is removed.

SQLInstance: spec.settings.authorizedGaeApplications, spec.settings.crashSafeReplication, spec.settings.replicationType become no-ops fields. We recommend removing these fields in your configuration.

ContainerCluster: The default value for spec.enableShieldedNodes is changed to true.

Added support for MonitoringUptimeCheckConfig resource.

ContainerCluster: Output-only field status.instanceGroupUrls is removed.

config-connector CLI removes the ability to export default ComputeNetwork, ComputeSubnetwork, and ComputeRoute via bulk-export command. Those default network assets contain invalid values in other contexts. Removing them from bulk export to avoid additional manual handling of the exported configuration.

Added field spec.nodeConfig.gcfsConfig (deprecated) to ContainerCluster resource. spec.nodeConfig is a deprecated field that we recommend not using in your configuration.

Config Connector 1.70.0 is now available

Supported referencing Workload Identity principals in IAMPolicyMember. (Issue #583)

Added support for NetworkServicesGateway (alpha), NetworkServicesMesh (alpha), NetworkServicesGRPCRoute (alpha), NetworkServicesHTTPRoute (alpha), and NetworkServicesTCPRoute (alpha) resources.

ComputeInstance and ComputeInstanceTemplate: Configuring field spec.serviceAccount.scopes with value trace-append or trace-ro is no longer available. Use trace instead.

Added field spec.networkInterface.queueCount to ComputeInstance and ComputeInstanceTemplate resources.

Added field spec.messageRetentionDuration to PubSubTopic resource.

Added fields spec.nodeConfig.gcfsConfig and spec.managedInstanceGroupUrls to ContainerNodePool resource.

PubSubSubscription: Output-only field status.path is removed.

Added support for CloudIdentityMembership resource

Added support for IAMWorkloadIdentityPool resource

Add billgProject flag in ConfigConnectorContext to specify a quota project to send along with user_project_override header, used for all requests sent from Config Connector. If set on a resource that supports sending the resource project, this value will supersede the resource project. This field can only be set if requestProjectPolicy takes BILLING_PROJECT value

Added support for IAMWorkloadIdentityPoolProvider resource

Added support for VPCAccessConnector resource

Rollout support for state-into-spec: absent to ContainerCluster resource (Issue #576)

Config Connector 1.69.0 is now available

Added support for PrivateCACAPool resource

Fixed the issues in ContainerCluster with creating autopilot clusters

Fixed the issues in config-connector export that the exported YAML now include zero primitives to match the Google Cloud resource live state

Added support for ComputePacketMirroring resource

Config Connector 1.68.0 is now available.

Added support for MonitoringServiceLevelObjective resource.

Added support for RecaptchaEnterpriseKey resource.

Added support for OSConfigOSPolicyAssignment resource.

Added support for MonitoringService resource.

Added support for resourceID field for SecretManagerSecretVersion resource.

Added support for regional ComputeSSLCertificate resource.

Added support for NetworkConnectivityHub resource.

Config Connector 1.67.0 is now available.

Fixed the issues in config-connector bulk-export and the exported IAMCustomRole resources can now be imported into Config Connector.

Added support for ConfigControllerInstance (Alpha) resource.

Added support for PrivateCACertificateTemplate resource.

Added fields spec.nodeConfig.guestAccelerator[].gpuPartitionSize and spec.workloadIdentityConfig.workloadPool to ContainerCluster resource.

Added field spec.nodeConfig.guestAccelerator[].gpuPartitionSize to ContainerNodePool resource.

Fixed the issue that DataflowJob was repeatedly updating if spec.enableStreamingEngine was set to true.

Deprecated spec.workloadIdentityConfig.identityNamespace (field is also no longer required), spec.masterAuth and status.instanceGroupUrls in ContainerCluster resource.

Config Connector 1.66.0 is now available.

Added support for memberFrom in IAMPartialPolicy.

Miscellaneous bug fixes and improvements.

Added support for the ComputeServiceAttachment resource.

Config Connector 1.65.0 is now available.

config-connector command cli print-resources now includes a column listing whether it supports of related IAM resources.

config-connector command cli now correctly labels supported bulk-export resources.

All config-connector containers now emit logging to stdout rather than stderr.

Added ipv6AccessType, stackType, externalIpv6Prefix, ipv6CidrRange fields to ComputeSubnetwork.

Added ipv6AccessConfig, ipv6AccessType and stackType fields to ComputeInstance.

Added connectionTrackingPolicy field to ComputeBackendService.

Added nodeConfig.workloadMetadataConfig.mode; deprecated nodeConfig.workloadMetadataConfig.nodeMetadata in ContainerCluster.

Added gcsDataSink.path and gcsDataSource.path fields to StorageTransferJob.

In DNSRecordSet, ttl field is no longer required.

Handle the lifecycle of ConfigConnectorContext objects in a separate controller for better isolation and scalability.

Added importOnly field to KMSCryptoKey.

Added support for ComputeFirewallPolicyRule resource.

Added monitoringConfig, dnsConfig and loggingConfig fields to ContainerCluster.

Added serviceAccountRef field to CloudBuildTrigger.

Moved version field to status in DataprocWorkflowTemplate.

Added disabled field to IAMServiceAccount.

Added ipv6AccessConfig, ipv6AccessType and stackType fields to ComputeInstanceTemplate.

Config Connector 1.64.0 is now available.

Added support for FilestoreBackup and FilestoreInstance resources.

Fixed the issue of changing BigTableInstance node size.

Added spec.destroyScheduledDuration to KMSCryptoKey.

ComputeRouterPeer: ipAddress is no longer a read-only field, and can be set with the spec.ipAddress field.

ComputeDisk: spec.interface has been deprecated. The value of spec.interface is no longer used by the API, so all validation has been removed and values will not be populated. You should remove this field from your configuration.

Added spec.configSync.git.gcpServiceAccountRef to GKEHubFeatureMembership.

Config Connector 1.63.0 is now available.

Config Connector 1.62.0 is now available.

Miscelleanous bug fixes.

Added Age and Healthy columns for the kubectl get tabular outputs of ConfigConnector and ConfigConnectorContext resources.

Added the securitySettings field to ComputeBackendService

Fixed a bug in BigqueryJob that generates unexpected diff for 'kms_key_name'

Config Connector 1.61.0 is now available

Added jitter to resource reconciliation reenqueue period to smooth out the traffic pattern

Added support for ComputeFirewallPolicy resource.

Config Connector 1.60.0 is now available.

Fixed the error when deleting the ConfigConnectorContext object. (Issue #523)

Fixed the issue where ComputeInstance fails reconciliation if metadata is set outside KCC (Issue #524)

Config Connector 1.59.0 is now available

Added processingUnits field into SpannerInstance

config-connector CLI supports IAMPartialPolicy as an IAM output format

Added networkConfig field into ContainerNodePool

Miscellaneous bug fixes.

Config Connector 1.58.1 is now available.

Config Connector 1.58.0 is now available.

Added a list of resources which have service-generated resource IDs.

Added support for MonitoringMetricDescriptor resource.

CloudBuildTrigger: added webhookConfig and pubsubConfig options for triggers.

Added limited support for the cnrm.cloud.google.com/state-into-spec annotation, which allows merge and absent values to merge a resource's state into the spec field or not, respectively.

Currently only supported for BigQueryDataset.

Config Connector 1.57.0 is now available.

Added advancedMachineFeatures to ComputeInstance.

Added support for GKEHubFeatureMembership resource.

Reverted DNSRecordSetto an older implementation (from v1.50.0) due to an issue that broke users' ability to modify rrdatas. Note that this also means that rrdatas and ttl are required fields again.

Added spec.projectRef to ServiceUsageService.

Added the following output-only fields:

• BigQueryJob: query.destinationEncryptionConfiguration.kmsKeyVersion, load.destinationEncryptionConfiguration.kmsKeyVersion, and copy.destinationEncryptionConfiguration.kmsKeyVersion.
• BigQueryTable: encryptionConfiguration.kmsKeyVersion.

Fixed bug that was causing CloudIdentityGroup to go through infinite updates.

Config Connector 1.56.0 is now available.

Added expire, rotation, topics, and ttl fields to SecretManagerSecret (Issue #471).

Added cluster.kmsKeyRef field to BigtableInstance.

Aggregated the cnrm-admin ClusterRole to the admin and edit ClusterRoles, and aggregated the cnrm-viewer ClusterRole to view ClusterRole. See Aggregated ClusterRoles for details (Issue #486).

Added support for ComputeInstanceGroupManager resource (Issue #314).

Added support for BinaryAuthorizationPolicy resource.

Added timestamp to log messages.

Reduced max retry interval on failure to 120 seconds for fast reconciliation

Added new fields:

• ComputeInstance: networkPerformanceConfig.totalEgressBandwidthTier field added.
• ComputeInstanceTemplate: advancedMachineFeatures field added.
• ComputeInstanceTemplate: confidentialInstanceConfig.enableConfidentialCompute field is now immutable.
• ComputeInstanceTemplate: networkPerformanceConfig.totalEgressBandwidthTier field added.
• ComputeSecurityPolicy: adaptiveProtectionConfig field added.
• RedisInstance: redisVersion field no longer immutable.

Use IAMResourceRef type in IAMPartialPolicySpec (Issue #495)

Config Connector 1.55.0 is now available

ContainerCluster supports User Project Override (Issue #492)

Added NetworkServicesEndpointPolicy support

ComputeVPNGateway: vpnInterfaces field moved from status to spec and now includes interconnectAttachmentRef field.

Added support for ingress and egress policies in AccessContextManagerServicePerimeter

Config Connector 1.54.0 is now available

Added new fields:

• ComputeAddress: networkRef
• ComputeDisk: provisionedIops
• ComputeInstance: reservationAffinity
• ComputeInstanceTemplate: reservationAffinity
• ComputeInterconnectedAttachment: encryption and ipsecInternalAddresses
• ComputeResourcePolicy: description and instanceSchedulePolicy
• ComputeRouterInterface: encryptedInterconnectRouter
• SQLInstance: diskAutoresizeLimit
• StorageTransferJob: transferSpec.azureBlobStorageDataSource

ComputeAddress: purpose field now additionally accepts IPSEC_INTERCONNECT.

SQLInstance: databaseVersion field now additionally accepts POSTGRES_10, POSTGRES_12, and POSTGRES_13.

The following fields are no longer immutable:

• CloudIdentityGroup: initialGroupConfig
• DataflowFlexTemplateJob: containerSpecGcsPath and parameters

Added support for the following resources:

• MonitoringDashboard
• GKEHubFeature
• IAMPartialPolicy
• NetworkSecurityAuthorizationPolicy
• BinaryAuthorizationAttestor

Config Connector 1.53.0 is now available

Change cnrm-system containers to use HTTP probes for readiness instead of command probes

Added support for NetworkSecurityServerTLSPolicy

Added support for strong hierarchal references to several resources:

• Add spec.projectRef to DataprocAutoScalingPolicy
• Add spec.projectRef to DataprocCluster
• Add spec.projectRef to DataprocWorkflowTemplate
• Add spec.projectRef to MonitoringGroup

Added support for NetworkSecurityClientTLSPolicy

Config Connector 1.52.0 is now available.

IAMServiceAccount: added support for resourceID.

Added support for ComputeURLMap, DataFusionInstance, LoggingLogExclusion.

spec.preservedUnknownFields is set to false for all CRDs, ensuring consistent behavior as the flag is set from true to false across Kubernetes versions.

Miscellaneous bug fixes.

Config Connector 1.51.2 is now available.

Config Connector 1.51.1 is now available

Miscellaneous bug fixes.

Added field spec.initialGroupConfig to CloudIdentityGroup

Added field spec.initialSize to ComputeNodeGroup

Added field spec.externalDataConfiguration.hivePartitioningOptions.requirePartitionFilter to BigQueryTable

Added field spec.replication.userManaged.replicas[].customerManagedEncryption to SecretManagerSecret

Added field spec.basic.conditions[].devicePolicy.osConstraints[].requireVerifiedChromeOs to AccessContextManagerAccessLevel

Added field spec.encryptionConfig to SpannerDatabase

Added field spec.maintenanceWindow to ComputeNodeGroup

Config Connector 1.51.0 is now available

Config Connector version 1.50.0 is now available.

Fixed the issue that Storage resources couldn't be deleted if the referenced StorageBucket was deleted first. (Issue #463)

Resource CRDs are now using apiextensions.k8s.io/v1. The minimum required Kubernetes version for using Config Connector v1.50.0 and above is Kubernetes 1.16. This change is in preparation for the removal of apiextensions.k8s.io/v1beta1 in Kubernetes 1.22.

Fixed the issue that Project creation failed if spec.resourceID was set. (Issue #462)

Fixed the IAM resource references in go-client. (Issue #413)

Miscellaneous bug fixes.

Config Connector version 1.49.1 is now available.

Hierarchical reference field is optional for BigQueryDataset, ComputeDisk, Folder, and Project (Fixes a follow-up issue in #349).

Config Connector version 1.49.0 is now available.

Added go-clients for GKEHubMembership and CloudIdentityGroup

ComputeDisk added support for projectRef

Config Connector version 1.48.0 is now available.

Added support CloudIdentityGroup and GKEHubMembership

Config Connector version 1.47.0 is now available.

Fixed the issue of acquiring ComputeBackendService with iap configuration (GitHub #304)

Added resourceID support for Project resource

Config Connector version 1.46.0 is now available.

ContainerCluster supports enableAutopilot, enableL4IlbSubsetting, and privateIpv6GoogleAccess.

ContainerNodePool supports disabling autoscaling by setting min and max node counts to 0 (fixes GitHub issue #437)

Go Client now uses a pointer type or allows for a built-in nil value for spec fields that are optional. (fixes GitHub issue #426)

SecretManagerSecretVersion now requires the secretData field.

BigQueryDataset add support for projectRef

cnrm-resource-stats-recorder container now binds to hostPort 48797 rather than 8888 (fixes GitHub issue #449)

Added observedGeneration field to status for resources, enabling compatibility with kstatus (fixes GitHub issue #410]{:.external})

Added proxyBind field to ComputeTargetHTTPProxy, ComputeTargeHTTPSProxy, and ComputeTargetTCPProxy.

Updated the structs' name of any field FooBar to be KindFooBar in Go Client resources. This ensures that the struct names are unique within a Go package.

Added support for OSConfigGuestPolicy, IdentityPlatformTenant, IdentityPlatformOAuthIDPConfig and IdentityPlatformTenantOauthIDPConfig.

Config Connector version 1.45.0 is now available.

Supported a viewer cluster role so that resources can be referenced cross namespaces in namespaced mode. (Issue #407)

Fixed issue where folderRef/organizationRef could not be defaulted from folder-id/organization-id annotations when creating Project/Folder resources with server-side apply. (More details can be found here).

Fixed the ListMeta type in Go Client (Issue #422).

Added enableStreamingEngine field to DataflowJob.

Deprecated nicType field in ComputeInstanceTemplate.

Added settings.backupConfiguration.backupRetentionSettings and settings.backupConfiguration.transactionLogRetentionDays fields to SQLInstance.

Added nodeConfig.ephemeralStorageConfig field to ContainerCluster and ContainerNodePool.

Config Connector version 1.44.0 is now available.

Fixed incorrect file extension for Terraform files output by the config-connector CLI.

Made materializedView.query field in BigQueryTable immutable.

Added support for the ContainerAnalysisNote resource (no config-connector CLI support)

Added mtu field to ComputeInterconnectAttachment.

Added support for acquisitions of Folder using displayName and folderRef/organizationRef.

config-connector CLI now supports a flag to filter out deleted IAM members

Added support for IAPBrand (no config-connector CLI support)

Conflict Prevention is now turned off by default. The current implementation results in the Ready condition destabilizing despite the resource reflecting user-desired state.

Work is enqueued to improve this behavior, but the functionality is turned off for new resources in the interim.

Webhook certificates that do not contain a SAN are now re-created on upgrade of the Config Connector operator.

Added support for folderRef and organizationRef in Project and Folder.

Config Connector version 1.43.0 is now available

Added support for IAPIdentityAwareProxyClient (no config-connector CLI support)

Ensure that CLI will not terminate on particular problematic resources when on-error is set with ignore or continue

Added operation field into ContainerNodePool

Increase resource limits of webhook, recorder and deletiondefender workloads

On upgrade, ensure that your cluster has sufficient CPU/Memory to allocate if you have seen Pod Unschedulable errors

Config Connector version 1.42.0 is now available.

Miscellaneous bug fixes

Config Connector version 1.41.0 is now available.

Updated the format of the version tag to v0.0.0 so that Config Connector v1.41.0 and above can be fetched as a Go module. (Issue #408)

Added targetGRPCProxyRef field in ComputeForwardingRule.

Added insightsConfig field in SQLInstance.

Added transitEncryptionMode field in RedisInstance. Also added serverCaCerts to the status of RedisInstance.

Config Connector version 1.40.0 is now available

New fields for ComputeInstanceTemplate: nicType and resourcePolicies

Added support for DataprocWorkflowTemplate (no config-connector CLI support, expected Q2)

New status field for BigQueryJob: status

Added support for DataprocAutoscalingPolicy (no config-connector CLI support, expected Q2)

New field for ComputeInstance: nicType

Added support for MemcacheInstance

Added support for DataprocCluster (no config-connector CLI support, expected Q2)

Go client is no longer nested under generated folder.

Config Connector version 1.39.0 is now available

Added support for CloudSchedulerJob resource

Alpha release of Go types and clients for Config Connector resources

Fixed issue with ArtifactRegistryRepository always failing to update

Reverted webhook port to 443 to alleviate forwarding rule issue on GKE private clusters

Fixed issue with aggressive retrying of failed updates leading to exhausting quota

Miscellaneous bug fixes

Config Connector version 1.38.1 is now available

Added resourceID support to: ContainerCluster, ContainerNodePool, SourceRepoRepository and AccessContextManager resources

config-connector bulk-export now operates on LoggingLogSink resources

Config Connector version 1.38.0 is now available

Increased CPU and Memory limit for ConfigConnector Operator

Config Connector version 1.37.0 is now available.

Added resourceID support for ArtifactRegistryRepository, Bigtable resources, DataflowJob, DNS resources, Monitoring resources, RedisInstance, ResourceManagerLien, SecretManagerSecret, Spanner resources, StorageTransferJob.

Added a column Status Age showing the last transition time for the value in Status, and added the column Age back to the default output of kubectl get for all Config Connector resources. Improved the value at Status and Ready columns to match against the condition name.

Fixed the issue with the legacy Common Name field on x509 certificate. Config Connector should be working on clusters of K8s 1.19+. (Issue #335)

Added a column 'Ready' showing the value of the .status.conditions[0] (the ready condition), and associated Status to the default output of kubectl get for all Config Connector resources.

Added a new sub-command to the CLI, config-connector print-resources which shows all config connector resources and their associated level of export and bulk-export support.

Reduce the memory usage of deletiondefender and controller-manager in high-scale scenarios (1000+ resources under management).

Added resourceID support to the Compute resources.

Added support for referencing an organization to IAMCustomRole.

Config Connector version 1.36.0 is now available

Added resourceID support for: SQL resources, Pub/Sub resources, LoggingLogSink, StorageBucket, KMS resources, IAMCustomRole.

Config Connector version 1.35.0 is now available.

Added support for the MonitoringGroup resource.

Allow for IAMPolicy, IAMPolicyMember, and IAMAuditConfig to reference resources in other namespaces.

Added support for UpdateFailed, DeleteFailed, DependencyNotFound, and DependencyNotReady events to IAMPolicy, IAMPoicyMember, IAMAuditConfig.

Config Connector version 1.34.0 is now available.

Added support for IAM Member References. This allows users to create an IAMPolicyMember that references another resource as the IAM member (e.g. IAMServiceAccount, LoggingLogSink). For more information, see the memberFrom field in the IAMPolicyMember reference documentation. Support for IAM Member References is added only to IAMPolicyMember, not IAMPolicy.

Added cacheMode, clientTtl, defaultTtl, maxTtl, negativeCaching, negativeCachingPolicy, serveWhileStale, and customResponseHeaders fields to ComputeBackendBucket.

Added support for the GameServicesRealm resource.

Added IAM support for ComputeDisk.

Allow for Project and Folder resources to be migrated across folders and organizations by updating the folder-id/organization-id annotation. Only folder-to-folder or organization-to-organization migrations are allowed; folder-to-organization migrations or vice versa are not yet supported.

Added customTimeBefore, daysSinceCustomTime, daysSinceNoncurrentTime, and noncurrentTimeBefore fields to StorageBucket.

Added support for the ComputeProjectMetadata resource

Added resourceID field to ServiceUsageService and StorageNotification

Added computeResponseHeaders field to ComputeBackendService

Added IAM support to BigtableTable

Added description and disabled fields to LoggingLogSink

DataflowJobs can now be acquired via name

Config Connector version 1.33.0 is now available.

Added maintenancePolicy.maintenanceExclusion field to ContainerCluster

Fixed the bug that the Bigtable Garbage Collection Policy can't be created via the Config Connector BigQueryGCPolicy resource. (Issue #300)

Added "ORC" as a new available value to the CRD description of externalDataConfiguration.sourceFormat field in BigQueryTable.

Config Connector version 1.32.0 is now available.

Added the customResponseHeaders field to ComputeBackendService.

Added the resourceID field to Folder, BigQueryTable, BigQueryJob, and BigQueryDataset. (Issue #147 and #128)

Added the maintenancePolicy.maintenanceExclusion field to ContainerCluster.

Added the description and disabled fields to LoggingLogSink.

Miscellaneous fixes and improvements

Config Connector version 1.31.1 is now available

Fixed issue where IAMPolicyMember and IAMPolicy resources cannot be deleted if an invalid configuration is applied (such as referencing a non-existent resource)

Config Connector version 1.31.0 is now available

Fixed issue where notificationConfig.pubsub.topicRef was not usable

Added support for the ResourceManagerLien resource

Added support for the ComputeTargetGRPCProxy resource

Config Connector version 1.30.0 is now available.

Added maintenancePolicy field to ComputeNodeGroup.

Added support for the MonitoringAlertPolicy resource.

Added more field descriptions.

Added mtu field to ComputeNetwork.

Fixed bug where DataflowJob would fail to create if zone is unspecified even if region is specified.

Added privateIpv6GoogleAccess field to ComputeSubnetwork.

Added "Immutable." to CRD descriptions for immutable fields in IAMPolicy, IAMPolicyMember, IAMAuditConfig.

Added confidentialNodes field to ContainerCluster.

Fixed bug in operator where ConfigConnector was not being re-enqueued for reconciliation when there is an error during reconciliation.

Added skipInitialVersionCreation field to KMSCryptoKey.

Added interface field to ComputeDisk.

Added authEnabled field to RedisInstance.

Added exclusions field to LoggingLogSink.

Config Connector version 1.29.0 is now available.

Field descriptions now document immutability.

DataflowJob labels are now mutable.

ConfigConnector version 1.28.0 released

Add spec.requestProjectPolicy field to ConfigConnectorContext CRD

Added support for externally referencing billing account and organizations in IAMPolicyMember

Added LoggingLogSink resource for creating log sinks at project, folder, and organization scopes

Added ResourceManagerPolicy resource for setting organization policy at project, folder, and organization scopes

Fixes "413 Request Entity Too Large" seen across multiple resource types

Adds support for MonitoringNotificationChannel

Add support for the AccessContextManagerServicePerimeter resource

Support export sub-command in the config-connector CLI

Add support for Folder-level IAM Audit Configs

Fix deadLetterTopicRef in the PubSubSubscription resource (Issue #281)

Add the artifacts and options fields to CloudBuildTrigger

Add logic to auto-trigger server-side apply metadata on resources on K8s clusters with server-side apply enabled (i.e. K8s 1.16+)

Add the auditConfigs field to IAMPolicy

Fix issue where kubectl get gcp did not include IAMPolicy, IAMPolicyMember, and IAMAuditConfig resources (Issue #286)

Add the transformNameMapping field to DataflowJob

Add support for the DataflowFlexTemplateJob resource

Add support for the GRPC protocol for ComputeBackendService

Add the loadBalancerType, datapathProvider, and notificationConfig fields to ContainerCluster

Fixed an issue where an IAMPolicy cannot be deleted when the externally referenced resource does not exist.

Fixed an infinite diff condition on spec.minMasterVersion.

Added Cloud IAM support for ComputeImage.

BigtableInstance: numNodes on resources is now optional. You can then programmatically scale your Bigtable instances. You cannot add the numNodes field after creating a BigtableInstance.

For production instances where the numNodes will be managed by Config Connector, this field is required with a minimum of 1. For a development instance or for an existing instance where the numNodes is managed outside of Config Connector, this field must be left unset.

Support referencing org-level IAM custom roles for IAMPolicy/IAMPolicyMember

Increase support for cross-project references

Add support for configuring Bigtable garbage collection policies with the BigtableGCPolicy resource

Fix issue where Deletion Defender would sometimes panic during uninstallation of Config Connector, preventing uninstallation to complete.

Fixes issue where SQLUser would constantly update despite there being no changes.

Performance improvements.

The Config Connector GKE Add-on is launched to GA. Users can now enable the GKE Add-on on cluster creation with the gcloud CLI or on the Cloud Console.

Add support for BigtableAppProfile

Fix a bug where a CRD would be marked as uninstalling on a dryrun delete

Added support for BigtableTable

Changes DataflowJob to allow for spec.parameters and spec.ipConfiguration to be updateable

Fixes issue that was causing ContainerNodePool and SQLDatabase to display UpdateFailed due to the referenced ContainerCluster or SQLDatabase not being ready

Add support for ArtifactRegistryRepository

Fixes issue preventing the creation of BigQuery resources that read from Google Drive files due to insufficient OAuth 2.0 scopes

Fixes issue causing SourceRepoRepository to constantly update even when there were no changes

bug fixes and performance improvements

Add support for allowing fields not specified by the user to be externally-managed (i.e. changeable outside of Config Connector). This feature can be enabled for a resource by enabling K8s server-side apply for the resource, which will be the default for all K8s resources starting in K8s 1.18. More detailed docs about the feature coming soon.

Fix OOM issue for the cnrm-resource-stats-recorder pod (Issue #239).

Add support for projectViewer prefix for members in IAMPolicy and IAMPolicyMember (Issue #234).

Fix ContainerCluster validation issue (Issue #242).

Operator improvement: add support for cluster-mode set-ups, which allows users to use one Google Service Account for all namespaces in their cluster. This is very similar to the traditional "Workload Identity" installation set-up.

Reduce spec.revisionHistoryLimit for the cnrm-stats-recorder and cnrm-webhook-manager Deployments from 10 (the default) to 1.

Added support for SecretManagerSecret

Config Connector now supports --server-dry-run for resource CRDs.

Deprecate BigtableInstance's spec.deletionProtection field.

Fix a bug for the BigtableInstance resource that causes constant reconciliation.

Add an option, iam-format, to config-connector to control IAM output, options are policy, policymember, or none.

ComputeForwardingRule's target field now supports referencing a ComputeTargetSSLProxy and ComputeTargetTCPProxy.

DataFlowJob's serviceAccountEmail, network, subnetwork, machineType, and ipConfiguration fields now support updates.

Fix an issue where config-connector would error on a Project resource.

You can use config-connector tool to export Google Cloud resources into Config Connector: documentation

Bug fixes

• Added ability to update streaming DataflowJobs by updating its spec (e.g. spec.templateGcsPath). Note that not all fields can be updated, and batch DataflowJobs don't support updates.
• Added IAMPolicy to the output of config-connector

Miscellaneous bug fixes and improvements

Fixed support for autoscaling and manually resizing node pools with ContainerNodePool

Added support for SQLSSLCert

Supported acquisition of backends added to Compute Backend Services out-of-band of Config Connector

Added support for BigQueryJob resource

Improving handling of scenarios when version field on ContainerNodePool is updated externally

Bug fixes and reliability improvements

fix ContainerNodePool version upgrade scenario

increase the cpu/memory request for webhook and recorder

Miscellaneous bug fixes and improvement

Reduced memory requirements for deletion defender, recorder, and webhook. Reduced cpu requirements for recorder and webhook Increased CPU for the manager controller from 100m to 200m.

Fixes for the examples for the following resources: CloudBuildTrigger, AccessContextManager, ComputeDisk, and ComputeSubNetwork

Ensure the webhook process does not signal it is ready until it is serving HTTP traffic

Miscellaneous bug fixes and improvements

Added readiness probes to Config Connector pods

miscellaneous bug fixes and improvements

Add the CloudBuildTrigger resource

Add the SourceRepoRepository resource

Fixed the ComputeInstance idempotency issue

Add support for structured metadata list for ComputeInstance and ComputeInstanceTemplate in the form of a spec.metadata field.

Add "Deletion Defender" workload -- a pod whose job is to ensure that only resources meant to trigger a delete on the underlying API do so. If this workload goes down for whatever reason, the controller is prevented from performing deletions, thus protecting against accidental deletions in the case of cascading deletions prompted by uninstalling CRDs.

Bumped memory request and limit for the manager pod as resource usage has gone up and the original limit of 256 Mi was found to not be sufficient for large customers

Changed admission webhooks to return non-200 error codes when denying admission

Fixed label update issue on ContainerCluster (https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/110)

miscellaneous bug fixes and improvements

ComputeHealthCheck's location field now supports supplying a region

Added a version annotation to the Config Connector manifests

Fixed an issue with deleting StorageBucketAccessControl when the ServiceAccount did not exist: https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/39

With the exception of role-bindings, moved all system components for namespaced mode into the cnrm-system, note: you must completely uninstall and reinstall to upgrade namespaced mode completely for this release.

Added support for DataflowJob resource

Added support for ComputeNetworkEndpointGroup resource

Added support for DNSPolicy resource

Added support for ComputeResourcePolicy resource

Config Connector has reached General Availability (GA).

Config Connector now supports configuring Google Cloud resources with sensitive data in GKE Secrets.

Config connector now supports authenticating to multiple Google Service Accounts using different Kubernetes Service accounts in your Config Connector cluster using Namespaced mode.

Some Config Connector resources now support directives, which allow Config Connector to take additional actions beyond creating or deleting resources. For more information, see Resources

Added support for DNSRecordSet, Project and ServiceUsage resources

Improved initial Prometheus metrics

Added external resource reference support for IAMPolicy and IAMPolicyMember

No longer run system components as root

Add a specific ResourceReference structure to IAMPolicy and IAMPolicyMember

Add initial support for exporting prometheus metrics

Add support for ComputeNodeTemplate

Added the external field to support the external resource references

Added support for ComputeTargetTCPProxy

Added support for SpannerDatabase

Added support for ServiceNetworkingConnection and ComputeTargetHTTPSProxy

Added support for ComputeInterconnectAttachment, ComputeSSLProxy, ComputeTargetSSLProxy, (Regional)ComputeDisk

Added support for FirestoreIndex, ComputeRouterInterface, ComputeRoute, ComputeRouterPeer

New resources supported: IAMPolicyMember, BigQueryTable, ComputeVPNTunnel, ComputeImage, ComputeSnapshot, ComputeBackendBucket, ComputeDisk, ComputeSSLCertificate, ComputeHTTPHealthCheck, ComputeRouterNAT, ComputeExternalVPNGateway, ComputeRouter, ComputeVPNTunnel, DNSManagedZone, StorageNotification

Breaking namespace changes for the following resources: - GlobalComputeAddress: v1alpha2->v2apha3 - ComputeNetwork: v1alpha2->v1alpha3 - ComputeSubnetwork: v1alpha2->v1alpha3 - ComputeBackendService: v1alpha2->v1alpha3 - ComputeHealthCheck: v1alpha2->v1alpha3 - ComputeFirewall: v1alpha2->v1alpha3

Added new resources and samples for BigQueryTable, ComputeExternalVPNGateway

Bump compute api group version to v1alpha2

• rename ComputeGlobalForwardingRule to ComputeForwardingRule
• add required location field to the following existing resources: ComputeAddress, ComputeBackendService, ComputeForwardingRule, ComputeHealthCheck, ComputeTargetHttpProxy, ComputeURLMap
• ComputeAddress CRD now supports both global and regional compute addresses

Add the following new resources with samples: ComputeNetworkPeering, ComputeTargetVPNGateway, ComputeVpnGateway, IAMCustomRole, ComputeHTTPSHealthCheck, ComputeSharedVPCHostProject, ComputeRouter

New gcp category in CRDs, so you can view Config Connector resources via kubectl get gcp

Config Connector now supports GKE workload identity

Added the ContainerNodePool resource

Adding ComputeGlobalForwardingRule resource and examples

Fixed an issue with creating service account keys across projects.

Update samples for version 0.1.2

Added ComputeTargetHTTPProxy, ComputeBackendService, ComputeFirewall, ComputeUrlMap resources

Samples updates for newly added resources, as well bigtablecluster, bigtableinstance, iampolicy

Config Connector v0.1.1 is now available in Beta.