Config Connector release notes

This page documents production updates to Config Connector. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly:

May 19, 2022

Config Connector version 1.85.0 is now available.

Fixed spec.topics in SecretManagerSecret (Issue #655).

Added support for PrivateCACertificate resource.

Fixed the reference configs for AccessContextManagerServicePerimeter.

Added spec.subsetting field to ComputeBackendService.

Added spec.secondaryIpRange field to RedisInstance.

Changed spec.readReplicasMode in RedisInstance from immutable to optional.

May 10, 2022

Config Connector version 1.84.0 is now available.

Added IAMPolicy and IAMPolicyMember support for AccessContextManagerAccessPolicy.

Added spec.approvalConfig field to CloudBuildTrigger.

Added spec.rule.redirectOptions field to ComputeSecurityPolicy.

Added spec.addonsConfig.gkeBackupAgentConfig field to ContainerCluster.

Added directive to DataflowFlexTemplateJob and DataflowJob.

Added spec.rrdatasRefs field to DNSRecordSet.

Added spec.columnLayout.columns.widgets.logsPanel, spec.gridLayout.widgets.logsPanel, spec.mosaicLayout.tiles.widget.logsPanel, and spec.rowLayout.rows.widgets.logsPanel fields to MonitoringMonitorDashboard.

Added spec.enableExactlyOnceDelivery field to PubSubSubscription.

Reduced reconciliation frequency of ConfigConnector object.

Deprecated spec.rrdatas field in DNSRecordSet.

Renamed spec.template.volumes.cloudSqlInstance.connections to spec.template.volumes.cloudSqlInstance.instances in RunService (Alpha).

Removed spec.template.confidential field from RunService (Alpha).

Removed status.terminalCondition.domainMappingReason and status.terminalCondition.internalReason fields from RunService (Alpha).

Removed spec.gateways field from NetworkServicesTCPRoute (Alpha).

April 25, 2022

Config Connector version 1.83.0 is now available.

Made the spec.resourceRef.apiVersion field in IAMPolicy, IAMPartialPolicy, IAMPolicyMember, IAMAuditConfig optional.

Added IAMPolicyMember support for BinaryAuthorizationPolicy, CloudFunctionsFunction, DataprocCluster, NetworkSecurityAuthorizationPolicy, NetworkSecurityClientTLSPolicy, NetworkSecurityServerTLSPolicy, and RunService.

April 21, 2022

Config Connector version 1.82.0 is now available.

Added field spec.networkInterface[].networkIpRef to ComputeInstance resource.

Deprecated spec.networkInterface[].networkIp field in ComputeInstance resource.

April 13, 2022

This release contains an issue that may prevent you from successfully deleting namespaces with Config Connector enabled if using Config Connector in namespaced-mode. If you are using namespaced-mode, do not upgrade to version 1.81.0 - please upgrade to 1.82.0 instead.

Config Connector version 1.81.0 is now available.

Added support for ApigeeEnvironment resource.

Added field spec.cluster[].autoscalingConfig to BigtableInstance resource.

Added field spec.edgeSecurityPolicy to ComputeBackendBucket resource.

Added field spec.type to ComputeSecurityPolicy resource.

Added field spec.schedule.repeatInterval to StorageTransferJob resource

Fixed the bug introduced in version 1.62.0 that list fields can't be set to empty lists. (Issue #595)

April 07, 2022

Config Connector version 1.80.0 is now available.

Added support for ApigeeOrganization resource.

Added support for NetworkServicesTLSRoute resource.

Added spec.destination.loggingLogBucketRef to LoggingLogSink.

March 30, 2022

Config Connector version 1.79.0 is now available.

Added support for MonitoringMonitoredProject resource.

Added spec.mavenConfig to ArtifactRegistryRepository.

Added spec.filter, spec.gitFileSource, and spec.sourceToBuild to CloudBuildTrigger.

Added spec.nodeConfig.gvnic to ContainerCluster.

Added spec.nodeConfig.gvnic to ContainerNodePool.

Added IAMPolicy support for BinaryAuthorizationPolicy, CloudFunctionsFunction, DataprocCluster, NetworkSecurityAuthorizationPolicy, NetworkSecurityClientTLSPolicy, NetworkSecurityServerTLSPolicy, and RunService.

March 21, 2022

Config Connector version 1.78.0 is now available.

Fixed issue where users could not switch between the field singleClusterRouting and the fields multiClusterRoutingUseAny and multiClusterRoutingClusterIds in BigtableAppProfile resources.

Fixed issue where users could not update the policy in ResourceManagerPolicy resources.

Fixed issue where users could not switch between the field github.push and the field github.pullRequest in CloudBuildTrigger resources (Issue #357).

March 16, 2022

Config Connector version 1.77.0 is now available.

Added support for IdentityPlatformConfig resource.

Added support for ARM binaries.

March 04, 2022

Config Connector version 1.75.0 is now available.

Added support for BillingBudgetsBudget resource.

Added support for EventarcTrigger resource.

Added support for LoggingLogView resource.

Added field spec.rule[].rateLimitOptions into ComputeSecurityPolicy resource.

Added fields spec.addonsConfig.gcpFilestoreCsiDriverConfig and spec.clusterAutoscaling.autoProvisioningDefaults.imageType into ContainerCluster resource.

Added fields spec.maintenancePolicy and spec.maintenanceSchedule into RedisInstance resource.

Added fields spec.transferSpec.awsS3DataSource.roleArn, spec.transferSpec.posixDataSink and spec.transferSpec.posixDataSource into StorageTransferJob resource.

Added field status.selfLink into NetworkServicesGateway,NetworkServicesGRPCRoute, NetworkServicesHTTPRoute, NetworkServicesMesh and NetworkServicesTCPRoute resources.

StorageTransferJob: Fields spec.schedule and spec.transferSpec.awsS3DataSource.awsAccessKey are no longer required.

February 18, 2022

Config Connector version 1.74.0 is now available.

Added support for PrivateCACertificateAuthority resource

Fixed topicRef in CloudBuildTrigger (Issue #605).

February 11, 2022

Config Connector version 1.73.0 is now available.

Added support for ComputeFirewallPolicyAssociation resource.

Added support in IAMPartialPolicy and IAMPolicy to cover Organization and BillingAccount resources.

Fixed issue in ComputeForwardingRule (Issue #596).

CRD go clients (alpha) have moved to pkg/clients/generated/client/clientset/versioned/ package.

February 01, 2022

Config Connector version 1.72.1 is now available.

Miscellaneous bug fixes.

January 25, 2022

Config Connector version 1.72.0 is now available.

Added support for LoggingLogBucket resource.

Added support for CloudFunctionsFunction resource.

Added fields spec.alertStrategy and spec.conditions.conditionMatchedLog to MonitoringAlertPolicy resource.

January 19, 2022

Config Connector version 1.71.0 is now available.

Added support for LoggingLogMetric resource.

Added support for NetworkConnectivitySpoke resource.

Added regional support for ComputeTargetHTTP(S)Proxy resource(s).

Added to CloudBuildTrigger resource.

Added spec.nodeConfig.nodeGroupRef and to ContainerCluster and ContainerNodePool resources.

Added spec.readReplicaMode, spec.replicaCount and status.nodes to RedisInstance resources.

Added spec.settings.ipConfiguration.allocatedIpRange to SQLInstance resource.

Added spec.publicAccessPrevention to StorageBucket resource.

Added spec.identityServiceConfig to ContainerCluster resource.

January 07, 2022

Config Connector 1.70.0 is now available

Added support for MonitoringUptimeCheckConfig resource.

Added support for RunService (alpha) resource.

Added support for NetworkServicesGateway (alpha), NetworkServicesMesh (alpha), NetworkServicesGRPCRoute (alpha), NetworkServicesHTTPRoute (alpha), and NetworkServicesTCPRoute (alpha) resources.

Added field spec.networkInterface.queueCount to ComputeInstance and ComputeInstanceTemplate resources.

Added fields spec.bfd.minReceiveInterval, spec.bfd.minTransmitInterval, spec.bfd.multiplier, and spec.bfd.sessionInitializationMode to ComputeRouterPeer resource.

Added fields spec.nodeConfig.gcfsConfig and spec.managedInstanceGroupUrls to ContainerNodePool resource.

Added field spec.nodeConfig.gcfsConfig (deprecated) to ContainerCluster resource. spec.nodeConfig is a deprecated field that we recommend not using in your configuration.

Added field spec.messageRetentionDuration to PubSubTopic resource.

Supported referencing Workload Identity principals in IAMPolicyMember. (Issue #583)

ComputeInstance and ComputeInstanceTemplate: Configuring field spec.serviceAccount.scopes with value trace-append or trace-ro is no longer available. Use trace instead.

ContainerCluster: The default value for spec.enableShieldedNodes is changed to true.

ContainerCluster: Output-only field status.instanceGroupUrls is removed.

ContainerCluster: It now errors out if spec.workloadIdentityConfig.identityNamespace (deprecated) and spec.workloadIdentityConfig.workloadPool are both present but with different values. We recommend using spec.workloadIdentityConfig.workloadPool field only.

ComputeSnapshot: Output-only field status.sourceDiskLink is removed.

PubSubSubscription: Output-only field status.path is removed.

SQLInstance: spec.settings.authorizedGaeApplications, spec.settings.crashSafeReplication, spec.settings.replicationType become no-ops fields. We recommend removing these fields in your configuration.

StorageBucket: It now errors out if spec.bucketPolicyOnly (deprecated) and spec.uniformBucketLevelAccess are both present but with different values. We recommend using spec.uniformBucketLevelAccess field only.

config-connector CLI removes the ability to export default ComputeNetwork, ComputeSubnetwork, and ComputeRoute via bulk-export command. Those default network assets contain invalid values in other contexts. Removing them from bulk export to avoid additional manual handling of the exported configuration.

December 14, 2021

Config Connector 1.69.0 is now available

Added support for VPCAccessConnector resource

Added support for ComputePacketMirroring resource

Added support for PrivateCACAPool resource

Added support for IAMWorkloadIdentityPool resource

Added support for IAMWorkloadIdentityPoolProvider resource

Added support for CloudIdentityMembership resource

Rollout support for state-into-spec: absent to ContainerCluster resource (Issue #576)

Add billgProject flag in ConfigConnectorContext to specify a quota project to send along with user_project_override header, used for all requests sent from Config Connector. If set on a resource that supports sending the resource project, this value will supersede the resource project. This field can only be set if requestProjectPolicy takes BILLING_PROJECT value

Fixed the issues in config-connector export that the exported YAML now include zero primitives to match the Google Cloud resource live state

Fixed the issues in ContainerCluster with creating autopilot clusters

December 01, 2021

Config Connector 1.68.0 is now available.

Added support for MonitoringService resource.

Added support for MonitoringServiceLevelObjective resource.

Added support for NetworkConnectivityHub resource.

Added support for OSConfigOSPolicyAssignment resource.

Added support for RecaptchaEnterpriseKey resource.

Added support for regional ComputeSSLCertificate resource.

Added support for resourceID field for SecretManagerSecretVersion resource.

November 11, 2021

Config Connector 1.67.0 is now available.

Added support for PrivateCACertificateTemplate resource.

Added support for ConfigControllerInstance (Alpha) resource.

Added fields spec.nodeConfig.guestAccelerator[].gpuPartitionSize and spec.workloadIdentityConfig.workloadPool to ContainerCluster resource.

Added field spec.nodeConfig.guestAccelerator[].gpuPartitionSize to ContainerNodePool resource.

Deprecated spec.workloadIdentityConfig.identityNamespace (field is also no longer required), spec.masterAuth and status.instanceGroupUrls in ContainerCluster resource.

Fixed the issue that DataflowJob was repeatedly updating if spec.enableStreamingEngine was set to true.

Fixed the issues in config-connector bulk-export and the exported IAMCustomRole resources can now be imported into Config Connector.

November 04, 2021

Config Connector 1.66.0 is now available.

Added support for memberFrom in IAMPartialPolicy.

Miscellaneous bug fixes and improvements.

November 01, 2021

Config Connector 1.65.0 is now available.

Added support for the ComputeServiceAttachment resource.

config-connector command cli print-resources now includes a column listing whether it supports of related IAM resources.

All config-connector containers now emit logging to stdout rather than stderr.

config-connector command cli now correctly labels supported bulk-export resources.

October 25, 2021

Config Connector 1.64.0 is now available.

Added support for ComputeFirewallPolicyRule resource.

Added support for FilestoreBackup and FilestoreInstance resources.

Added connectionTrackingPolicy field to ComputeBackendService.

Added ipv6AccessConfig, ipv6AccessType and stackType fields to ComputeInstance.

Added ipv6AccessConfig, ipv6AccessType and stackType fields to ComputeInstanceTemplate.

Added ipv6AccessType, stackType, externalIpv6Prefix, ipv6CidrRange fields to ComputeSubnetwork.

Added nodeConfig.workloadMetadataConfig.mode; deprecated nodeConfig.workloadMetadataConfig.nodeMetadata in ContainerCluster.

Added serviceAccountRef field to CloudBuildTrigger.

Added monitoringConfig, dnsConfig and loggingConfig fields to ContainerCluster.

Added importOnly field to KMSCryptoKey.

Added disabled field to IAMServiceAccount.

Added gcsDataSink.path and gcsDataSource.path fields to StorageTransferJob.

Moved version field to status in DataprocWorkflowTemplate.

In DNSRecordSet, ttl field is no longer required.

Handle the lifecycle of ConfigConnectorContext objects in a separate controller for better isolation and scalability.

Fixed the issue of changing BigTableInstance node size.

October 01, 2021

Config Connector 1.63.0 is now available.

Added spec.configSync.git.gcpServiceAccountRef to GKEHubFeatureMembership.

Added spec.destroyScheduledDuration to KMSCryptoKey.

ComputeDisk: spec.interface has been deprecated. The value of spec.interface is no longer used by the API, so all validation has been removed and values will not be populated. You should remove this field from your configuration.

ComputeRouterPeer: ipAddress is no longer a read-only field, and can be set with the spec.ipAddress field.

September 21, 2021

Config Connector 1.62.0 is now available.

Added Age and Healthy columns for the kubectl get tabular outputs of ConfigConnector and ConfigConnectorContext resources.

Miscelleanous bug fixes.

September 10, 2021

Config Connector 1.61.0 is now available

Added the securitySettings field to ComputeBackendService

Added jitter to resource reconciliation reenqueue period to smooth out the traffic pattern

Fixed a bug in BigqueryJob that generates unexpected diff for 'kms_key_name'

September 03, 2021

Config Connector 1.60.0 is now available.

Added support for ComputeFirewallPolicy resource.

Fixed the error when deleting the ConfigConnectorContext object. (Issue #523)

August 19, 2021

Config Connector 1.59.0 is now available

Added networkConfig field into ContainerNodePool

Added processingUnits field into SpannerInstance

config-connector CLI supports IAMPartialPolicy as an IAM output format

Fixed the issue where ComputeInstance fails reconciliation if metadata is set outside KCC (Issue #524)

August 12, 2021

Config Connector 1.58.1 is now available.

Miscellaneous bug fixes.

August 02, 2021

Config Connector 1.58.0 is now available.

Added support for MonitoringMetricDescriptor resource.

CloudBuildTrigger: added webhookConfig and pubsubConfig options for triggers.

Added a list of resources which have service-generated resource IDs.

Added limited support for the annotation, which allows merge and absent values to merge GCP state into the spec field or not, respectively.

Currently only supported for BigQueryDataset.

July 22, 2021

Config Connector 1.57.0 is now available.

Added support for GKEHubFeatureMembership resource.

Added spec.projectRef to ServiceUsageService.

Reverted DNSRecordSetto an older implementation (from v1.50.0) due to an issue that broke users' ability to modify rrdatas. Note that this also means that rrdatas and ttl are required fields again.

Added the following output-only fields:

  • BigQueryJob: query.destinationEncryptionConfiguration.kmsKeyVersion, load.destinationEncryptionConfiguration.kmsKeyVersion, and copy.destinationEncryptionConfiguration.kmsKeyVersion.
  • BigQueryTable: encryptionConfiguration.kmsKeyVersion.

Added advancedMachineFeatures to ComputeInstance.

July 13, 2021

Config Connector 1.56.0 is now available.

Added support for ComputeInstanceGroupManager resource (Issue #314).

Added support for BinaryAuthorizationPolicy resource.

Added cluster.kmsKeyRef field to BigtableInstance.

Added expire, rotation, topics, and ttl fields to SecretManagerSecret (Issue #471).

Fixed bug that was causing CloudIdentityGroup to go through infinite updates.

Added timestamp to log messages.

Aggregated the cnrm-admin ClusterRole to the admin and edit ClusterRoles, and aggregated the cnrm-viewer ClusterRole to view ClusterRole. See Aggregated ClusterRoles for details (Issue #486).

July 07, 2021

Config Connector 1.55.0 is now available

Added NetworkServicesEndpointPolicy support

Added new fields:

  • ComputeInstance: networkPerformanceConfig.totalEgressBandwidthTier field added.
  • ComputeInstanceTemplate: advancedMachineFeatures field added.
  • ComputeInstanceTemplate: confidentialInstanceConfig.enableConfidentialCompute field is now immutable.
  • ComputeInstanceTemplate: networkPerformanceConfig.totalEgressBandwidthTier field added.
  • ComputeSecurityPolicy: adaptiveProtectionConfig field added.
  • RedisInstance: redisVersion field no longer immutable.

Reduced max retry interval on failure to 120 seconds for fast reconciliation

Use IAMResourceRef type in IAMPartialPolicySpec (Issue #495)

ContainerCluster supports User Project Override (Issue #492)

June 24, 2021

Config Connector 1.54.0 is now available

Added support for the following resources:

  • MonitoringDashboard
  • GKEHubFeature
  • IAMPartialPolicy
  • NetworkSecurityAuthorizationPolicy
  • BinaryAuthorizationAttestor

Added support for ingress and egress policies in AccessContextManagerServicePerimeter

Added new fields:

  • ComputeAddress: networkRef
  • ComputeDisk: provisionedIops
  • ComputeInstance: reservationAffinity
  • ComputeInstanceTemplate: reservationAffinity
  • ComputeInterconnectedAttachment: encryption and ipsecInternalAddresses
  • ComputeResourcePolicy: description and instanceSchedulePolicy
  • ComputeRouterInterface: encryptedInterconnectRouter
  • SQLInstance: diskAutoresizeLimit
  • StorageTransferJob: transferSpec.azureBlobStorageDataSource

The following fields are no longer immutable:

  • CloudIdentityGroup: initialGroupConfig
  • DataflowFlexTemplateJob: containerSpecGcsPath and parameters

SQLInstance: databaseVersion field now additionally accepts POSTGRES_10, POSTGRES_12, and POSTGRES_13.

ComputeVPNGateway: vpnInterfaces field moved from status to spec and now includes interconnectAttachmentRef field.

ComputeAddress: purpose field now additionally accepts IPSEC_INTERCONNECT.

June 21, 2021

Config Connector 1.53.0 is now available

Added support for NetworkSecurityClientTLSPolicy

Added support for NetworkSecurityServerTLSPolicy

Added support for strong hierarchal references to several resources:

  • Add spec.projectRef to DataprocAutoScalingPolicy
  • Add spec.projectRef to DataprocCluster
  • Add spec.projectRef to DataprocWorkflowTemplate
  • Add spec.projectRef to MonitoringGroup

Change cnrm-system containers to use HTTP probes for readiness instead of command probes

June 11, 2021

Config Connector 1.52.0 is now available.

Added support for ComputeURLMap, DataFusionInstance, LoggingLogExclusion.

IAMServiceAccount: added support for resourceID.

spec.preservedUnknownFields is set to false for all CRDs, ensuring consistent behavior as the flag is set from true to false across Kubernetes versions.

June 02, 2021

Config Connector 1.51.2 is now available.

Miscellaneous bug fixes.

May 27, 2021

Config Connector 1.51.1 is now available

Miscellaneous bug fixes.

May 24, 2021

Config Connector 1.51.0 is now available

Added field spec.basic.conditions[].devicePolicy.osConstraints[].requireVerifiedChromeOs to AccessContextManagerAccessLevel

Added field spec.externalDataConfiguration.hivePartitioningOptions.requirePartitionFilter to BigQueryTable

Added field spec.initialGroupConfig to CloudIdentityGroup

Added field spec.initialSize to ComputeNodeGroup

Added field spec.maintenanceWindow to ComputeNodeGroup

Added field spec.replication.userManaged.replicas[].customerManagedEncryption to SecretManagerSecret

Added field spec.encryptionConfig to SpannerDatabase

May 17, 2021

Config Connector version 1.50.0 is now available.

Resource CRDs are now using The minimum required Kubernetes version for using Config Connector v1.50.0 and above is Kubernetes 1.16. This change is in preparation for the removal of in Kubernetes 1.22.

Fixed the issue that Project creation failed if spec.resourceID was set. (Issue #462)

Fixed the issue that Storage resources couldn't be deleted if the referenced StorageBucket was deleted first. (Issue #463)

Fixed the IAM resource references in go-client. (Issue #413)

May 04, 2021

Config Connector version 1.49.1 is now available.

Miscellaneous bug fixes.

April 30, 2021

Config Connector version 1.49.0 is now available.

Hierarchical reference field is optional for BigQueryDataset, ComputeDisk, Folder, and Project (Fixes a follow-up issue in #349).

April 27, 2021

Config Connector version 1.48.0 is now available.

ComputeDisk added support for projectRef

Added go-clients for GKEHubMembership and CloudIdentityGroup

April 23, 2021

Config Connector version 1.47.0 is now available.

Added support CloudIdentityGroup and GKEHubMembership

Added resourceID support for Project resource

Fixed the issue of acquiring ComputeBackendService with iap configuration (GitHub #304)

April 16, 2021

Config Connector version 1.46.0 is now available.

cnrm-resource-stats-recorder container now binds to hostPort 48797 rather than 8888 (fixes GitHub issue #449)

Go Client now uses a pointer type or allows for a built-in nil value for spec fields that are optional. (fixes GitHub issue #426)

BigQueryDataset add support for projectRef

ContainerCluster supports enableAutopilot, enableL4IlbSubsetting, and privateIpv6GoogleAccess.

ContainerNodePool supports disabling autoscaling by setting min and max node counts to 0 (fixes GitHub issue #437)

SecretManagerSecretVersion now requires the secretData field.

Added observedGeneration field to status for resources, enabling compatibility with kstatus (fixes GitHub issue #410]{:.external})

April 08, 2021

Config Connector version 1.45.0 is now available.

Added support for OSConfigGuestPolicy, IdentityPlatformTenant, IdentityPlatformOAuthIDPConfig and IdentityPlatformTenantOauthIDPConfig.

Added proxyBind field to ComputeTargetHTTPProxy, ComputeTargeHTTPSProxy, and ComputeTargetTCPProxy.

Added enableStreamingEngine field to DataflowJob.

Fixed issue where folderRef/organizationRef could not be defaulted from folder-id/organization-id annotations when creating Project/Folder resources with server-side apply. (More details can be found here).

Supported a viewer cluster role so that resources can be referenced cross namespaces in namespaced mode. (Issue #407)

Updated the structs' name of any field FooBar to be KindFooBar in Go Client resources. This ensures that the struct names are unique within a Go package.

Fixed the ListMeta type in Go Client (Issue #422).

March 25, 2021

Config Connector version 1.44.0 is now available.

Added support for the ContainerAnalysisNote resource (no config-connector CLI support)

Added mtu field to ComputeInterconnectAttachment.

Added nodeConfig.ephemeralStorageConfig field to ContainerCluster and ContainerNodePool.

Added settings.backupConfiguration.backupRetentionSettings and settings.backupConfiguration.transactionLogRetentionDays fields to SQLInstance.

Made materializedView.query field in BigQueryTable immutable.

Deprecated nicType field in ComputeInstanceTemplate.

Added support for acquisitions of Folder using displayName and folderRef/organizationRef.

Fixed incorrect file extension for Terraform files output by the config-connector CLI.

March 23, 2021

Config Connector version 1.43.0 is now available

config-connector CLI now supports a flag to filter out deleted IAM members

Added support for IAPBrand (no config-connector CLI support)

Added support for IAPIdentityAwareProxyClient (no config-connector CLI support)

Conflict Prevention is now turned off by default. The current implementation results in the Ready condition destabilizing despite the resource reflecting user-desired state.

Work is enqueued to improve this behavior, but the functionality is turned off for new resources in the interim.

Webhook certificates that do not contain a SAN are now re-created on upgrade of the Config Connector operator.

Added support for folderRef and organizationRef in Project and Folder.

March 12, 2021

Config Connector version 1.42.0 is now available.

Increase resource limits of webhook, recorder and deletiondefender workloads

On upgrade, ensure that your cluster has sufficient CPU/Memory to allocate if you have seen Pod Unschedulable errors

Added operation field into ContainerNodePool

Ensure that CLI will not terminate on particular problematic resources when on-error is set with ignore or continue

Miscellaneous bug fixes

March 05, 2021

Config Connector version 1.41.0 is now available.

Added targetGRPCProxyRef field in ComputeForwardingRule.

Added insightsConfig field in SQLInstance.

Added transitEncryptionMode field in RedisInstance. Also added serverCaCerts to the status of RedisInstance.

Updated the format of the version tag to v0.0.0 so that Config Connector v1.41.0 and above can be fetched as a Go module. (Issue #408)

February 26, 2021

Config Connector version 1.40.0 is now available

Added support for DataprocAutoscalingPolicy (no config-connector CLI support, expected Q2)

Added support for DataprocCluster (no config-connector CLI support, expected Q2)

Added support for DataprocWorkflowTemplate (no config-connector CLI support, expected Q2)

Added support for MemcacheInstance

New field for ComputeInstance: nicType

New fields for ComputeInstanceTemplate: nicType and resourcePolicies

New status field for BigQueryJob: status

Go client is no longer nested under generated folder.

February 22, 2021

Config Connector version 1.39.0 is now available

Alpha release of Go types and clients for Config Connector resources

Added support for CloudSchedulerJob resource

Reverted webhook port to 443 to alleviate forwarding rule issue on GKE private clusters

Fixed issue with aggressive retrying of failed updates leading to exhausting quota

Fixed issue with ArtifactRegistryRepository always failing to update

February 09, 2021

Config Connector version 1.38.1 is now available

Miscellaneous bug fixes

February 05, 2021

Config Connector version 1.38.0 is now available

Added resourceID support to: ContainerCluster, ContainerNodePool, SourceRepoRepository and AccessContextManager resources

config-connector bulk-export now operates on LoggingLogSink resources

Increased CPU and Memory limit for ConfigConnector Operator

January 27, 2021

Config Connector version 1.37.0 is now available.

Added a column Status Age showing the last transition time for the value in Status, and added the column Age back to the default output of kubectl get for all Config Connector resources. Improved the value at Status and Ready columns to match against the condition name.

Added resourceID support for ArtifactRegistryRepository, Bigtable resources, DataflowJob, DNS resources, Monitoring resources, RedisInstance, ResourceManagerLien, SecretManagerSecret, Spanner resources, StorageTransferJob.

Fixed the issue with the legacy Common Name field on x509 certificate. Config Connector should be working on clusters of K8s 1.19+. (Issue #335)

January 22, 2021

Config Connector version 1.36.0 is now available

Added a column 'Ready' showing the value of the .status.conditions[0] (the ready condition), and associated Status to the default output of kubectl get for all Config Connector resources.

Added support for referencing an organization to IAMCustomRole.

Added a new sub-command to the CLI, config-connector print-resources which shows all config connector resources and their associated level of export and bulk-export support.

Reduce the memory usage of deletiondefender and controller-manager in high-scale scenarios (1000+ resources under management).

Added resourceID support to the Compute resources.

January 13, 2021

Config Connector version 1.35.0 is now available.

Added resourceID support for: SQL resources, Pub/Sub resources, LoggingLogSink, StorageBucket, KMS resources, IAMCustomRole.

Added support for the MonitoringGroup resource.

January 06, 2021

Config Connector version 1.34.0 is now available.

Added support for IAM Member References. This allows users to create an IAMPolicyMember that references another resource as the IAM member (e.g. IAMServiceAccount, LoggingLogSink). For more information, see the memberFrom field in the IAMPolicyMember reference documentation. Support for IAM Member References is added only to IAMPolicyMember, not IAMPolicy.

Added support for the GameServicesRealm resource.

Added IAM support for ComputeDisk.

Added cacheMode, clientTtl, defaultTtl, maxTtl, negativeCaching, negativeCachingPolicy, serveWhileStale, and customResponseHeaders fields to ComputeBackendBucket.

Added customTimeBefore, daysSinceCustomTime, daysSinceNoncurrentTime, and noncurrentTimeBefore fields to StorageBucket.

Allow for IAMPolicy, IAMPolicyMember, and IAMAuditConfig to reference resources in other namespaces.

Added support for UpdateFailed, DeleteFailed, DependencyNotFound, and DependencyNotReady events to IAMPolicy, IAMPoicyMember, IAMAuditConfig.

Allow for Project and Folder resources to be migrated across folders and organizations by updating the folder-id/organization-id annotation. Only folder-to-folder or organization-to-organization migrations are allowed; folder-to-organization migrations or vice versa are not yet supported.

December 09, 2020

Config Connector version 1.33.0 is now available.

Added support for the ComputeProjectMetadata resource

Added resourceID field to ServiceUsageService and StorageNotification

Added computeResponseHeaders field to ComputeBackendService

Added maintenancePolicy.maintenanceExclusion field to ContainerCluster

Added description and disabled fields to LoggingLogSink

DataflowJobs can now be acquired via name

Added IAM support to BigtableTable

December 01, 2020

Config Connector version 1.32.0 is now available.

Added the resourceID field to Folder, BigQueryTable, BigQueryJob, and BigQueryDataset. (Issue #147 and #128)

Added the customResponseHeaders field to ComputeBackendService.

Added the maintenancePolicy.maintenanceExclusion field to ContainerCluster.

Added the description and disabled fields to LoggingLogSink.

Added "ORC" as a new available value to the CRD description of externalDataConfiguration.sourceFormat field in BigQueryTable.

Fixed the bug that the Bigtable Garbage Collection Policy can't be created via the Config Connector BigQueryGCPolicy resource. (Issue #300)

November 29, 2020

Config Connector version 1.31.1 is now available

Miscellaneous fixes and improvements

November 23, 2020

Config Connector version 1.31.0 is now available

Added support for the ComputeTargetGRPCProxy resource

Added support for the ResourceManagerLien resource

Fixed issue where IAMPolicyMember and IAMPolicy resources cannot be deleted if an invalid configuration is applied (such as referencing a non-existent resource)

Fixed issue where notificationConfig.pubsub.topicRef was not usable

November 10, 2020

Config Connector version 1.30.0 is now available.

Added support for the MonitoringAlertPolicy resource.

Added maintenancePolicy field to ComputeNodeGroup.

Added exclusions field to LoggingLogSink.

Added authEnabled field to RedisInstance.

Added interface field to ComputeDisk.

Added mtu field to ComputeNetwork.

Added privateIpv6GoogleAccess field to ComputeSubnetwork.

Added confidentialNodes field to ContainerCluster.

Added skipInitialVersionCreation field to KMSCryptoKey.

Added "Immutable." to CRD descriptions for immutable fields in IAMPolicy, IAMPolicyMember, IAMAuditConfig.

Added more field descriptions.

Fixed bug where DataflowJob would fail to create if zone is unspecified even if region is specified.

Fixed bug in operator where ConfigConnector was not being re-enqueued for reconciliation when there is an error during reconciliation.

November 06, 2020

Config Connector version 1.29.0 is now available.

Field descriptions now document immutability.

DataflowJob labels are now mutable.

October 28, 2020

ConfigConnector version 1.28.0 released

Add spec.requestProjectPolicy field to ConfigConnectorContext CRD

October 21, 2020

Added support for externally referencing billing account and organizations in IAMPolicyMember

Added LoggingLogSink resource for creating log sinks at project, folder, and organization scopes

Added ResourceManagerPolicy resource for setting organization policy at project, folder, and organization scopes

October 19, 2020

Fixes "413 Request Entity Too Large" seen across multiple resource types

Adds support for MonitoringNotificationChannel

October 15, 2020

Support export sub-command in the config-connector CLI

Add support for the AccessContextManagerServicePerimeter resource

Add support for Folder-level IAM Audit Configs

Fix deadLetterTopicRef in the PubSubSubscription resource (Issue #281)

October 07, 2020

Add support for the DataflowFlexTemplateJob resource

Add the transformNameMapping field to DataflowJob

Add the auditConfigs field to IAMPolicy

Add the loadBalancerType, datapathProvider, and notificationConfig fields to ContainerCluster

Add the artifacts and options fields to CloudBuildTrigger

Add support for the GRPC protocol for ComputeBackendService

Add logic to auto-trigger server-side apply metadata on resources on K8s clusters with server-side apply enabled (i.e. K8s 1.16+)

Fix issue where kubectl get gcp did not include IAMPolicy, IAMPolicyMember, and IAMAuditConfig resources (Issue #286)

October 02, 2020

Added Cloud IAM support for ComputeImage.

Fixed an issue where an IAMPolicy cannot be deleted when the externally referenced resource does not exist.

Fixed an infinite diff condition on spec.minMasterVersion.

September 03, 2020

BigtableInstance: numNodes on resources is now optional. You can then programmatically scale your Bigtable instances. You cannot add the numNodes field after creating a BigtableInstance.

For production instances where the numNodes will be managed by Config Connector, this field is required with a minimum of 1. For a development instance or for an existing instance where the numNodes is managed outside of Config Connector, this field must be left unset.

August 27, 2020

Support referencing org-level IAM custom roles for IAMPolicy/IAMPolicyMember

Increase support for cross-project references

August 19, 2020

Add support for configuring Bigtable garbage collection policies with the BigtableGCPolicy resource

Fixes issue where SQLUser would constantly update despite there being no changes.

Fix issue where Deletion Defender would sometimes panic during uninstallation of Config Connector, preventing uninstallation to complete.

Performance improvements.

August 13, 2020

The Config Connector GKE Add-on is launched to GA. Users can now enable the GKE Add-on on cluster creation with the gcloud CLI or on the Cloud Console.

Add support for BigtableAppProfile

August 08, 2020

Added support for BigtableTable

Fix a bug where a CRD would be marked as uninstalling on a dryrun delete

July 31, 2020

Add support for ArtifactRegistryRepository

Changes DataflowJob to allow for spec.parameters and spec.ipConfiguration to be updateable

Fixes issue that was causing ContainerNodePool and SQLDatabase to display UpdateFailed due to the referenced ContainerCluster or SQLDatabase not being ready

Fixes issue preventing the creation of BigQuery resources that read from Google Drive files due to insufficient OAuth 2.0 scopes

Fixes issue causing SourceRepoRepository to constantly update even when there were no changes

July 21, 2020

bug fixes and performance improvements

July 16, 2020

Add support for allowing fields not specified by the user to be externally-managed (i.e. changeable outside of Config Connector). This feature can be enabled for a resource by enabling K8s server-side apply for the resource, which will be the default for all K8s resources starting in K8s 1.18. More detailed docs about the feature coming soon.

Operator improvement: add support for cluster-mode set-ups, which allows users to use one Google Service Account for all namespaces in their cluster. This is very similar to the traditional "Workload Identity" installation set-up.

Fix ContainerCluster validation issue (Issue #242).

Fix OOM issue for the cnrm-resource-stats-recorder pod (Issue #239).

Add support for projectViewer prefix for members in IAMPolicy and IAMPolicyMember (Issue #234).

Reduce spec.revisionHistoryLimit for the cnrm-stats-recorder and cnrm-webhook-manager Deployments from 10 (the default) to 1.

July 09, 2020

Added support for SecretManagerSecret

July 01, 2020

Config Connector now supports --server-dry-run for resource CRDs.

Fix a bug for the BigtableInstance resource that causes constant reconciliation.

Deprecate BigtableInstance's spec.deletionProtection field.

June 25, 2020

Add an option, iam-format, to config-connector to control IAM output, options are policy, policymember, or none.

ComputeForwardingRule's target field now supports referencing a ComputeTargetSSLProxy and ComputeTargetTCPProxy.

DataFlowJob's serviceAccountEmail, network, subnetwork, machineType, and ipConfiguration fields now support updates.

Fix an issue where config-connector would error on a Project resource.

June 16, 2020

You can use config-connector tool to export Google Cloud resources into Config Connector: documentation

Bug fixes

June 12, 2020

  • Added ability to update streaming DataflowJobs by updating its spec (e.g. spec.templateGcsPath). Note that not all fields can be updated, and batch DataflowJobs don't support updates.
  • Added IAMPolicy to the output of config-connector

June 03, 2020

Miscellaneous bug fixes and improvements

May 29, 2020

Added support for SQLSSLCert

Supported acquisition of backends added to Compute Backend Services out-of-band of Config Connector

May 27, 2020

Added support for BigQueryJob resource

May 19, 2020

Bug fixes and reliability improvements

Improving handling of scenarios when version field on ContainerNodePool is updated externally

May 15, 2020

fix ContainerNodePool version upgrade scenario

increase the cpu/memory request for webhook and recorder

Miscellaneous bug fixes and improvement

April 30, 2020

Fixes for the examples for the following resources: CloudBuildTrigger, AccessContextManager, ComputeDisk, and ComputeSubNetwork

Reduced memory requirements for deletion defender, recorder, and webhook. Reduced cpu requirements for recorder and webhook Increased CPU for the manager controller from 100m to 200m.

Ensure the webhook process does not signal it is ready until it is serving HTTP traffic

April 21, 2020

Miscellaneous bug fixes and improvements

April 14, 2020

Added readiness probes to Config Connector pods

April 10, 2020

Add the CloudBuildTrigger resource

Add the SourceRepoRepository resource

miscellaneous bug fixes and improvements

April 02, 2020

March 25, 2020

Add "Deletion Defender" workload -- a pod whose job is to ensure that only resources meant to trigger a delete on the underlying API do so. If this workload goes down for whatever reason, the controller is prevented from performing deletions, thus protecting against accidental deletions in the case of cascading deletions prompted by uninstalling CRDs.

Add support for structured metadata list for ComputeInstance and ComputeInstanceTemplate in the form of a spec.metadata field.

March 23, 2020

Fixed label update issue on ContainerCluster (

Bumped memory request and limit for the manager pod as resource usage has gone up and the original limit of 256 Mi was found to not be sufficient for large customers

Changed admission webhooks to return non-200 error codes when denying admission

March 18, 2020

miscellaneous bug fixes and improvements

March 10, 2020

ComputeHealthCheck's location field now supports supplying a region

Fixed an issue with deleting StorageBucketAccessControl when the ServiceAccount did not exist:

With the exception of role-bindings, moved all system components for namespaced mode into the cnrm-system, note: you must completely uninstall and reinstall to upgrade namespaced mode completely for this release.

Added a version annotation to the Config Connector manifests

February 26, 2020

Added support for DataflowJob resource

February 21, 2020

Added support for ComputeNetworkEndpointGroup resource

February 17, 2020

Added support for DNSPolicy resource

February 09, 2020

Added support for ComputeResourcePolicy resource

January 23, 2020

Config Connector has reached General Availability (GA).

Config Connector now supports configuring GCP resources with sensitive data in GKE Secrets.

Config connector now supports authenticating to multiple Google Service Accounts using different Kubernetes Service accounts in your Config Connector cluster using Namespaced mode.

Some Config Connector resources now support directives, which allow Config Connector to take additional actions beyond creating or deleting resources. For more information, see Resources

January 09, 2020

Added support for DNSRecordSet, Project and ServiceUsage resources

January 02, 2020

Added external resource reference support for IAMPolicy and IAMPolicyMember

Improved initial Prometheus metrics

December 23, 2019

Add support for ComputeNodeTemplate

Add initial support for exporting prometheus metrics

No longer run system components as root

Add a specific ResourceReference structure to IAMPolicy and IAMPolicyMember

December 17, 2019

Added the external field to support the external resource references

Added support for ComputeTargetTCPProxy

December 12, 2019

Added support for SpannerDatabase

November 26, 2019

Added support for ServiceNetworkingConnection and ComputeTargetHTTPSProxy

November 21, 2019

Added support for ComputeInterconnectAttachment, ComputeSSLProxy, ComputeTargetSSLProxy, (Regional)ComputeDisk

November 06, 2019

Added support for FirestoreIndex, ComputeRouterInterface, ComputeRoute, ComputeRouterPeer

November 01, 2019

New resources supported: IAMPolicyMember, BigQueryTable, ComputeVPNTunnel, ComputeImage, ComputeSnapshot, ComputeBackendBucket, ComputeDisk, ComputeSSLCertificate, ComputeHTTPHealthCheck, ComputeRouterNAT, ComputeExternalVPNGateway, ComputeRouter, ComputeVPNTunnel, DNSManagedZone, StorageNotification

Breaking namespace changes for the following resources: - GlobalComputeAddress: v1alpha2->v2apha3 - ComputeNetwork: v1alpha2->v1alpha3 - ComputeSubnetwork: v1alpha2->v1alpha3 - ComputeBackendService: v1alpha2->v1alpha3 - ComputeHealthCheck: v1alpha2->v1alpha3 - ComputeFirewall: v1alpha2->v1alpha3

October 22, 2019

Added new resources and samples for BigQueryTable, ComputeExternalVPNGateway

October 15, 2019

Bump compute api group version to v1alpha2

  • rename ComputeGlobalForwardingRule to ComputeForwardingRule
  • add required location field to the following existing resources: ComputeAddress, ComputeBackendService, ComputeForwardingRule, ComputeHealthCheck, ComputeTargetHttpProxy, ComputeURLMap
  • ComputeAddress CRD now supports both global and regional compute addresses

Add the following new resources with samples: ComputeNetworkPeering, ComputeTargetVPNGateway, ComputeVpnGateway, IAMCustomRole, ComputeHTTPSHealthCheck, ComputeSharedVPCHostProject, ComputeRouter

October 08, 2019

New gcp category in CRDs, so you can view Config Connector resources via kubectl get gcp

September 30, 2019

Config Connector now supports GKE workload identity

Added the ContainerNodePool resource

September 20, 2019

Adding ComputeGlobalForwardingRule resource and examples

September 13, 2019

Fixed an issue with creating service account keys across projects.

September 09, 2019

Update samples for version 0.1.2

September 03, 2019

Added ComputeTargetHTTPProxy, ComputeBackendService, ComputeFirewall, ComputeUrlMap resources

Samples updates for newly added resources, as well bigtablecluster, bigtableinstance, iampolicy

August 16, 2019

Config Connector v0.1.1 is now available in Beta.