Reconciliation Strategy

Config Connector is eventually consistent

With declarative configuration, you define the desired state of the system. The system then works constantly to remain as close as possible to this state. See Declarative management of Kubernetes objects using configuration files for more information.

With Config Connector, you can create and update resources in any order, regardless of dependency relationships. GKE moves your declared configuration towards eventual consistency with the desired state.

For example, if you create a PubSubSubscription before the corresponding PubSubTopic, Config Connector waits until the topic is created before creating the associated subscription.

The duration your Config Connector installation remains inconsistent depends on the number and types of resources it manages. Changes to a GKE cluster are typically executed in seconds. However, the time to create Google Cloud resources can vary based upon the type of resource. For example, a single PubSubTopic takes seconds to create. Google Cloud resources do not reach consistency until they are created. For example, when creating an SQLInstance and an SQLDatabase, the system is inconsistent for a period of minutes while the database is created.

GKE and Config Connector reconcile each resource with every update or every 10 minutes. When there is an error in reconciling, Config Connector retries every 30 seconds with exponential backoff. You can view any errors in the Events of a given resource.

Mutable but unreadable fields are actuated on change only

Some APIs expose fields that are not readable, but are mutable (e.g. the password for a SQL user). Due to the inability to see if these fields have been modified, mutable but unreadable fields will be updated only when the custom resource is modified.

Resources will not be recreated when modifying immutable fields

Some fields in a resource are immutable, and can't be reconciled without deleting, then re-creating the target resource.

In these situations, Config Connector will emit an "UpdatedFailed" Kubernetes event for the resource rather than perform this re-creation. The user must then delete and re-create the resource.

Example event:

Warning  UpdateFailed  37m (x643 over 15d)    computeinstance-controller  Update call failed: the desired mutation for the following field(s) is invalid: [bootDisk.0.InitializeParams.0.Image networkInterface.0.NetworkIp]