Migrate Certificate Manager DNSAuthorization API

[anhdle-sso]

Change description

Fixes #

Tests you have done

• Run make ready-pr to ensure this PR is ready for review.
• Perform necessary E2E testing for changed resources.

[anhdle-sso]

/assign @justinsb

[Hamzawy63]

@anhdle-sso

Hi Anh,

I work Certificate Manager team and happened to see this pull request by accident. Just curious, could you provide me more context about this pull request? Is it part of the recent efforts to improve the config connector (https://github.com/GoogleCloudPlatform/k8s-config-connector?tab=readme-ov-file#-coming-soon-a-new-way-to-write-the-controller-) ?

Also, is the defined schema for this resource based on the the latest version that the config connector had? or will it be up-to-date with the API ? Are we no longer based on the Terraform Provider Google beta version?

I'm asking because the latest version we had in KCC didn't include the recently-added Enum field Type (https://cloud.google.com/certificate-manager/docs/reference/certificate-manager/rest/v1/projects.locations.dnsAuthorizations#type) and I wonder whether it will be supported after the migration or we will still need service team intervention to support it?

[yuwenma]

@Hamzawy63
Yes, it is part of the recent "Direct resource" effort.
Right, we will support the new fields as long as

1. they are added before this Direct resource migration.
2. they show up in the google go client library that your team owns.

[yuwenma]

So for a beta resource, we suggest not excluding the CRD generation using excluded_resources, because it gives the PR reviewing no clue on whether the outcome is correct or not (also it would be very error prone for the developers).

Instead, you can add the cnrm.cloud.google.com/dcl2crd: "true” in the type go tag. (example), and comment out those new fields that do not exist in the TF-based resources according to the outcome from dev/task/generate-crds. Guide here

[yuwenma]

Looks good! One comment about avoid using the excluded_resources flag so that we can compare whether this PR is backward compatible since the resource is already in Beta.

[maqiuyujoyce]

LGTM with a few non-blocking nits.

[anhdle-sso]

Looks good! One comment about avoid using the excluded_resources flag so that we can compare whether this PR is backward compatible since the resource is already in Beta.

The current CRD also has v1alpha1 information. if I do not exclude this resource; the v1alpha1 part will be deleted which might cause issue for customer who is using v1alpha1.

[yuwenma]

Looks good! One comment about avoid using the excluded_resources flag so that we can compare whether this PR is backward compatible since the resource is already in Beta.

The current CRD also has v1alpha1 information. if I do not exclude this resource; the v1alpha1 part will be deleted which might cause issue for customer who is using v1alpha1.

you can include the alpha resource in the direct types. here's the related section in the guide.

[anhdle-sso]

Looks good! One comment about avoid using the excluded_resources flag so that we can compare whether this PR is backward compatible since the resource is already in Beta.

done. added alpha resource and regen crds

[maqiuyujoyce]

Could you try to:

1. Install the old CRD and create a CertificateManagerDNSAuthorization resource.
2. Upgrade to the new CRD.
3. Verify whether the upgrade works and whether the existing CertificateManagerDNSAuthorization successfully reconciled based on the new schema?

The reason I asked here is that we've never switched the storage version from v1alpha1 to v1beta1 so we probably want to be extra careful.

[anhdle-sso]

I tested by following these steps:

1. Checkout to master
2. Apply the existing crd kubectl apply -f config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_certificatemanagerdnsauthorizations.certificatemanager.cnrm.cloud.google.com.yaml; make deploy-controller && kubectl delete pods --namespace cnrm-system --all
3. Apply sample DNS Authorization kubectl apply -f config/samples/resources/certificatemanagerdnsauthorization/certificatamanager_v1beta1_certificatemanagerdnsauthorization.yaml
4. Check into my branch with new change and run step 2 again with an extra log line to confirm that the new controller is deployed.
5. Wait a bit and confirm that the resource is still good.
6. Make a change in the resource and apply again to force reconciliation.
7. The resource is updated and ready.

[maqiuyujoyce]

Awesome, thank you!

[maqiuyujoyce]

/lgtm though you'll probably want to figure out why the validation still fails.

[yuwenma]

/lgtm
/approve

Awesome! Thanks!

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yuwenma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [yuwenma]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yuwenma]

/lgtm