
XP generates name too long to fit the GCP ServiceAccount IAM API limit of 30

Open denist-huma opened this issue 3 years ago • 3 comments

What happened?

# kubectl describe ServiceAccount.iam.gcp.crossplane.io gcp-bucket-test-storage-cz5m8-c5j2d
Name:         gcp-bucket-test-storage-cz5m8-c5j2d
Namespace:    
Labels:       crossplane.io/claim-name=gcp-bucket-test-storage
              crossplane.io/claim-namespace=default
              crossplane.io/composite=gcp-bucket-test-storage-cz5m8
Annotations:  crossplane.io/composition-resource-name: sa
              crossplane.io/external-create-failed: 2021-10-25T18:07:24Z
              crossplane.io/external-create-pending: 2021-10-25T18:07:24Z
              crossplane.io/external-name: gcp-bucket-test-storage-cz5m8-c5j2d
API Version:  iam.gcp.crossplane.io/v1alpha1
Kind:         ServiceAccount
Metadata:
  Creation Timestamp:  2021-10-25T17:47:10Z
  Finalizers:
    finalizer.managedresource.crossplane.io
  Generate Name:  gcp-bucket-test-storage-cz5m8-
  Generation:     2
  Managed Fields:
    API Version:  iam.gcp.crossplane.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:crossplane.io/composition-resource-name:
        f:generateName:
        f:labels:
          .:
          f:crossplane.io/claim-name:
          f:crossplane.io/claim-namespace:
          f:crossplane.io/composite:
        f:ownerReferences:
          .:
          k:{"uid":"f9bdeaef-bfcd-4ff0-b396-4c0a4f2a2540"}:
            .:
            f:apiVersion:
            f:controller:
            f:kind:
            f:name:
            f:uid:
      f:spec:
        .:
        f:deletionPolicy:
        f:forProvider:
          .:
          f:description:
          f:displayName:
        f:providerConfigRef:
          .:
          f:name:
    Manager:      crossplane
    Operation:    Update
    Time:         2021-10-25T17:47:10Z
    API Version:  iam.gcp.crossplane.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:crossplane.io/external-create-failed:
          f:crossplane.io/external-create-pending:
          f:crossplane.io/external-name:
        f:finalizers:
          .:
          v:"finalizer.managedresource.crossplane.io":
      f:status:
        .:
        f:atProvider:
        f:conditions:
    Manager:    crossplane-gcp-provider
    Operation:  Update
    Time:       2021-10-25T17:47:10Z
  Owner References:
    API Version:     gcp.storage.huma.com/v1alpha1
    Controller:      true
    Kind:            CompositeBucket
    Name:            gcp-bucket-test-storage-cz5m8
    UID:             f9bdeaef-bfcd-4ff0-b396-4c0a4f2a2540
  Resource Version:  301362249
  Self Link:         /apis/iam.gcp.crossplane.io/v1alpha1/serviceaccounts/gcp-bucket-test-storage-cz5m8-c5j2d
  UID:               f3930a65-0e9f-4819-92eb-08d5f1c8e5ea
Spec:
  Deletion Policy:  Delete
  For Provider:
    Description:   Crosspalne managed SA for private bucket access
    Display Name:  gcp-bucket-test-storage-cz5m8-zmbps-sa
  Provider Config Ref:
    Name:  default
Status:
  At Provider:
  Conditions:
    Last Transition Time:  2021-10-25T17:47:10Z
    Message:               create failed: cannot create GCP ServiceAccount object via IAM API: googleapi: Error 400: The account ID "gcp-bucket-test-storage-cz5m8-c5j2d" does not have a length between 6 and 30., badRequest
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
Events:
  Type     Reason                        Age                 From                                          Message
  ----     ------                        ----                ----                                          -------
  Warning  CannotCreateExternalResource  22s (x65 over 20m)  managed/serviceaccount.iam.gcp.crossplane.io  cannot create GCP ServiceAccount object via IAM API: googleapi: Error 400: The account ID "gcp-bucket-test-storage-cz5m8-c5j2d" does not have a length between 6 and 30., badRequest

How can we reproduce it?

Create CRDs from https://gist.github.com/denist-huma/585b0f867ffcd6d62340491fe3167980. Create a claim with the name "gcp-bucket-test-storage":

apiVersion: gcp.storage.huma.com/v1alpha1
kind: BucketInstance
metadata:
  annotations:
    crossplane.io/external-name: 350faeff7588691cd66a32c7c3e84a107aa940fde26488ae58505f16e0dfd03
  name: gcp-bucket-test-storage
  namespace: default
spec:
  compositionUpdatePolicy: Automatic
  resourceRef:
    apiVersion: gcp.storage.huma.com/v1alpha1
    kind: CompositeBucket
    name: gcp-bucket-test-storage-cz5m8
  writeConnectionSecretToRef:
    name: gcp-bucket-test-storage-secret

What environment did it happen in?

Crossplane version: 1.4.1
crossplane-provider-aws: v0.19.1

denist-huma avatar Oct 25 '21 18:10 denist-huma

Hi @denist-huma , thank you very much for opening this issue!

I don't see how we can change the API limit, so I would suggest two options:

  • If you want to keep the generated part of the resource name, you would need to decrease the length of your SA name, so that the name you chose + 12 random characters doesn't sum to more than 30.
  • In your composition, you could patch from the [crossplane.io/claim-name] label instead of metadata.name. You can see an example in the printscreen below. By doing this second option, your resource in the Kubernetes API would have the name gcp-bucket-test-storage-cz5m8-c5j2d, but in the GCP API it would be gcp-bucket-test-storage.

Feggah avatar Oct 26 '21 08:10 Feggah

Hey @Feggah Thank you for looking into my issue. :+1: I have trouble following your 2nd option.

  • In your composition, you could patch from the [crossplane.io/claim-name] label instead of metadata.name. You can see an example in the printscreen below. By doing this second option, your resource in the Kubernetes API would have the name gcp-bucket-test-storage-cz5m8-c5j2d, but in the GCP API it would be gcp-bucket-test-storage.

I've modified the "sa" resource:

    - name: sa
      base:
        apiVersion: iam.gcp.crossplane.io/v1alpha1
        kind: ServiceAccount
        spec:
          forProvider:
            description: "Crosspalne managed SA for private bucket access"
      patches:
        - fromFieldPath: "spec.resourceRefs[0].name"
          toFieldPath: "spec.forProvider.displayName"
          transforms:
            - type: string
              string:
                fmt: "%s-sa"
        - fromFieldPath: "metadata.annotations['crossplane.io/claim-name']"
          toFieldPath: "metadata.annotations['crossplane.io/external-name']"
          type: FromCompositeFieldPath

My ServiceAccount's external name is still a generated one:

kubectl describe ServiceAccount.iam.gcp.crossplane.io | grep external-name
I1027 12:37:44.256268 1801835 request.go:668] Waited for 1.059304599s due to client-side throttling, not priority and fairness, request: GET:https://35.246.56.200/apis/apiextensions.crossplane.io/v1alpha1?timeout=32s
              crossplane.io/external-name: gcp-bucket-test-vzn58-nhcjv
          f:crossplane.io/external-name:

denist-huma avatar Oct 27 '21 09:10 denist-huma

I think I got what is going wrong @denist-huma , you should patch from labels not annotations.

    - name: sa
      base:
        apiVersion: iam.gcp.crossplane.io/v1alpha1
        kind: ServiceAccount
        spec:
          forProvider:
            description: "Crosspalne managed SA for private bucket access"
      patches:
        - fromFieldPath: "spec.resourceRefs[0].name"
          toFieldPath: "spec.forProvider.displayName"
          transforms:
            - type: string
              string:
                fmt: "%s-sa"
        - fromFieldPath: "metadata.labels['crossplane.io/claim-name']"
          toFieldPath: "metadata.annotations['crossplane.io/external-name']"
          type: FromCompositeFieldPath

Feggah avatar Oct 27 '21 12:10 Feggah
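To make the two points of this thread concrete (the 12-character overhead that Crossplane's generated names add on top of the claim name, and why patching from the claim-name label works while patching from an annotation silently does nothing), here is an added example of mine; it is not code from this issue, from Crossplane or from provider-gcp. The field-path resolver is a deliberately small stand-in for Crossplane's real fieldpath handling and only covers the syntax used in the compositions above; the composite object is constructed from the names shown in the issue; the 6..30 length rule is the one the IAM API quoted, while the character rules (lowercase letters, digits, hyphens, letter first, no trailing hyphen) are my reading of the GCP IAM documentation and not something the thread states.

```python
import re

# Limits the GCP IAM API enforces on a service-account ID (the part before "@").
# 6..30 is quoted in the issue; the character rules are an assumption taken from
# the GCP IAM documentation, not from the thread.
GCP_SA_ID_MIN, GCP_SA_ID_MAX = 6, 30

# Crossplane appends "-" plus five generated characters once for the composite and
# once more for each composed resource: 12 characters on top of the claim name
# ("gcp-bucket-test-storage" -> "gcp-bucket-test-storage-cz5m8-c5j2d").
GENERATED_OVERHEAD = 2 * (1 + 5)


def max_claim_name_length() -> int:
    """Longest claim name whose fully generated name still fits the API limit (option 1)."""
    return GCP_SA_ID_MAX - GENERATED_OVERHEAD


def check_account_id(account_id: str) -> list:
    """Reasons the IAM API would reject this account ID; an empty list means acceptable."""
    problems = []
    if not GCP_SA_ID_MIN <= len(account_id) <= GCP_SA_ID_MAX:
        problems.append(f"length {len(account_id)} not between {GCP_SA_ID_MIN} and {GCP_SA_ID_MAX}")
    if not re.fullmatch(r"[a-z0-9-]+", account_id):
        problems.append("only lowercase letters, digits and hyphens are allowed")
    if not re.match(r"[a-z]", account_id):
        problems.append("must start with a lowercase letter")
    if account_id.endswith("-"):
        problems.append("must not end with a hyphen")
    return problems


# Hypothetical minimal field-path resolver: dotted names, list indexes ([0]) and
# quoted map keys (['crossplane.io/claim-name']). Not Crossplane's own fieldpath code.
_SEGMENT_RE = re.compile(r"\.?([A-Za-z_][\w-]*)|\[(\d+)\]|\['([^']+)'\]")


def resolve_field_path(obj, path: str):
    """Walk `path` through nested dicts/lists; return None when any segment is missing."""
    cur, pos = obj, 0
    while pos < len(path):
        m = _SEGMENT_RE.match(path, pos)
        if m is None:
            raise ValueError(f"unsupported field path syntax at offset {pos}: {path!r}")
        pos = m.end()
        name, index, key = m.groups()
        if index is not None:
            if not isinstance(cur, list) or int(index) >= len(cur):
                return None
            cur = cur[int(index)]
        else:
            field = name if name is not None else key
            if not isinstance(cur, dict) or field not in cur:
                return None
            cur = cur[field]
    return cur


def apply_patch(composite: dict, patch: dict):
    """Evaluate one FromCompositeFieldPath patch; a missing source field makes it a no-op (None)."""
    value = resolve_field_path(composite, patch["fromFieldPath"])
    if value is None:
        return None
    for transform in patch.get("transforms", []):
        if transform["type"] != "string":
            raise NotImplementedError(transform["type"])
        value = transform["string"]["fmt"] % value
    return value


def effective_account_id(composite: dict, generated_name: str, patch: dict) -> str:
    """ID sent to IAM: the patched external-name, or the generated metadata.name if the patch did not apply."""
    patched = apply_patch(composite, patch)
    return patched if patched is not None else generated_name


# Constructed composite resource mirroring the objects shown in the issue:
# claim-name is a label on the composite, not an annotation.
COMPOSITE = {
    "metadata": {
        "name": "gcp-bucket-test-storage-cz5m8",
        "labels": {"crossplane.io/claim-name": "gcp-bucket-test-storage",
                   "crossplane.io/claim-namespace": "default"},
        "annotations": {},
    },
    "spec": {"resourceRefs": [{"name": "gcp-bucket-test-storage-cz5m8-zmbps"}]},
}
GENERATED_SA_NAME = "gcp-bucket-test-storage-cz5m8-c5j2d"
EXTERNAL_NAME_PATH = "metadata.annotations['crossplane.io/external-name']"
ANNOTATION_PATCH = {"fromFieldPath": "metadata.annotations['crossplane.io/claim-name']", "toFieldPath": EXTERNAL_NAME_PATH}
LABEL_PATCH = {"fromFieldPath": "metadata.labels['crossplane.io/claim-name']", "toFieldPath": EXTERNAL_NAME_PATH}
DISPLAY_NAME_PATCH = {"fromFieldPath": "spec.resourceRefs[0].name", "toFieldPath": "spec.forProvider.displayName",
                      "transforms": [{"type": "string", "string": {"fmt": "%s-sa"}}]}

if __name__ == "__main__":
    for label, patch in (("annotation patch", ANNOTATION_PATCH), ("label patch", LABEL_PATCH)):
        account_id = effective_account_id(COMPOSITE, GENERATED_SA_NAME, patch)
        print(f"{label}: {account_id!r} -> {check_account_id(account_id) or 'OK'}")
    print("displayName:", apply_patch(COMPOSITE, DISPLAY_NAME_PATCH))
    print("max claim name length with generated suffixes:", max_claim_name_length())
```

Running it reproduces the thread: with the annotation path the patch finds nothing, the generated 35-character name becomes the account ID and fails the 6..30 check; with the label path the account ID is the 23-character claim name and passes. It also shows why option 1 would have required a shorter claim name: with 12 generated characters the budget is 18, and "gcp-bucket-test-storage" already uses 23.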