chore(deps): update dependency googlecloudplatform/k8s-config-connector to v1.151.0

[renovate]

This PR contains the following updates:

Package	Update	Change
GoogleCloudPlatform/k8s-config-connector	minor	v1.137.0 → v1.151.0

---

Release Notes

GoogleCloudPlatform/k8s-config-connector (GoogleCloudPlatform/k8s-config-connector)

v1.151.0

Compare Source

v1.150.0

Compare Source

v1.149.1: Release 1.149.1

Compare Source

• Special shout-outs to @​acpana, @​barney-s, @​cheftako, @​dhavalbhensdadiya-crest, @​gemmahou, @​justinsb, @​katrielt, @​ldanielmadariaga, @​maqiuyujoyce, @​suwandim, and @​xiaoweim for their contributions to this release.

New Alpha Resources (Direct Reconciler):

• NetworkServicesLBRouteExtension #​6957

  • Manage LB route extensions which allow you to inject custom logic into the load balancing path.

• ParameterManagerParameterVersion #​7140

  • Manage Parameter Manager parameter versions which allows you to manage regional parameters.

New Fields:

• ContainerCluster #​7336

  • Added spec.nodeConfig.ephemeralStorageLocalSsdConfig.dataCacheCount field to support GKE Data Cache.

• ContainerNodePool #​7336

  • Added spec.nodeConfig.ephemeralStorageLocalSsdConfig.dataCacheCount field to support GKE Data Cache.

New Features:

• Controlled CR reconciliation Added support for unmanaging specific resources via resourceSettings in ConfigConnector (global) and ConfigConnectorContext (per-namespace). This allows users to selectively disable reconciliation for specific Group/Kinds to save memory or manage resources differently.

Reconciliation Improvements

We have added support for direct reconciliation to more resources, with opt-in behaviour. The API is unchanged. To use the direct reconciler, add the cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object.

• BigQueryDatasetAccess #​7000

Bug Fixes:

• Preview Tool Fixed a connection error in the KCC preview tool and enforced read-only access to the cluster for improved security.

v1.148.0: Release 1.148.0

Compare Source

• Special shout-outs to @​acpana, @​anhdle-sso, @​barney-s, @​cheftako, @​dhavalbhensdadiya-crest, @​eugenenuke, @​gemmahou, @​gurusai-voleti, @​justinsb, @​katrielt, @​maqiuyujoyce, @​suwandim, and @​xiaoweim for their contributions to this release.

New Alpha Resources (Direct Reconciler):

• ParameterManagerParameterVersion

  • Manage Parameter Manager parameter versions which allows you to manage regional parameters.

Bug Fixes:

• SQLInstance Fixed an issue where settings.dataCacheConfig was incorrectly detected as different when dataCacheEnabled was false.
• SQLInstance Updated matching functions to treat nil values in KRM as equivalent to empty or default objects in GCP, preventing unnecessary re-reconciliation loops.
• TagKey/TagValue Handle ALREADY_EXISTS error in TagKey and TagValue controllers by acquiring the existing resource.
• BigQueryAnalyticsHubDataExchange Added structured reporting diff to improve visibility into resource changes and fixed reconciliation logic errors.
• CloudBuildTrigger Restored missing descriptions in the CRD.
• RunService Fixed a typo in environment variable values in samples and test fixtures.

New features:

• MultiClusterLeaseSpec now supports integration with a syncer for KRM objects. This will help KCC take ownership of resources with service generated IDs.
• kompanion Added a Model Context Protocol (MCP) server to the kompanion tool to enable AI IDEs and assistants to interact with KCC resources.
• Config Connector controllers Added a --skip-name-validation flag to bypass duplicate controller name checks during registration, facilitating integration tests and multi-manager scenarios.

Documentation:

• Added a comprehensive guide for controller configuration, detailing Direct, Terraform, and DCL controllers, including precedence rules and overrides.
• Added documentation for enabling VerticalPodAutoscaler (VPA) for Config Connector pods using ControllerResource and NamespacedControllerResource.
• Added documentation for the config-connector CLI and specifically for the preview command.

v1.147.1: Release 1.147.1

Compare Source

• Special shout-outs to @​acpana, @​anhdle-sso, @​barney-s, @​cheftako, @​dhavalbhensdadiya-crest, @​fkc1e100, @​gemmahou, @​justinsb, @​katrielt, @​maqiuyujoyce, and @​xiaoweim for their contributions to this release.

New Alpha Resources (Direct Reconciler)

• CloudDeployCustomTargetType
  • The DeployCustomTargetType (v1alpha1) resource is no longer supported and has been replaced by the new CloudDeployCustomTargetType (v1alpha1) resource. Please remove any instances of the DeployCustomTargetType resource.

Reconciliation Improvements

• Improved structured reporting diffs to provide better visibility into what changed during reconciliation for the following resources:
  • BigQueryDataset
  • BigQueryReservationAssignment
  • BigQueryTable
  • CertificateManagerDNSAuthorization
  • CloudIdentityGroup
  • DataformRepository
  • MetastoreService
  • PrivilegedAccessManagerEntitlement
  • WorkflowsWorkflow

New features

• Enhanced config-connector preview to support side-by-side comparison between default and alternative controllers.
• Added a --skip-name-validation flag to Config Connector controllers to bypass duplicate controller name checks during registration.

Bug Fixes

• Added CRD filtering for the preview recorder to skip non-CNRM objects.

v1.147.0

Compare Source

v1.146.0: Release 1.146.0

Compare Source

• Special shout-outs to @​acpana, @​anhdle-sso, @​cheftako, @​dhavalbhensdadiya-crest, @​dk-nc, @​gemmahou, @​himanikh, @​justinsb, @​katrielt, @​maqiuyujoyce, @​xiaoweim, and @​yuwenma for their contributions to this release.

New Alpha Resources (Direct Reconciler):

• ParameterManagerParameter
  • Manage Parameter Manager Parameters.

New Fields:

• ContainerCluster
  • Added spec.controlPlaneEndpointsConfig.dnsEndpointConfig.enableK8sTokensViaDns field.

Improvements:

• ContainerCluster

  • Made spec.clusterAutoscaling.autoProvisioningDefaults.bootDiskKMSKeyRef mutable.

• NetworkServicesWasmPlugin

  • Introduced identity and reference.

• Added structured reporting diff to numerous direct controllers to enhance diff visibility.

Bug Fixes:

• SQLInstance

  • Added client-side default for RetainedBackups and RetentionUnit, and validated the edition field.
  • Added replicaConfiguration as an unmanageable field.
  • Controller now correctly defaults the field enablePrivatePathForGoogleCloudServices to false.

• CertificateManagerDnsAuthorization

  • Sanitized Kubernetes labels to avoid 400 errors from invalid characters.

• ConfigConnector Core

  • preview now performs an early exit when no resources are found to reconcile.
  • Fixed CRD field description for shared parent.
  • Fixed incorrect exit status in lint filter.
  • Updated mockgcp to improve compute regional resource mocks and defaults.

v1.145.0: Release 1.145.0

Compare Source

• Special shout-outs to @​acpana, @​anhdle-sso, @​cheftako, @​dhavalbhensdadiya-crest, @​eugenenuke, @​gemmahou, @​iamkonohamaru, @​justinsb, @​katrielt, @​maqiuyujoyce, @​xiaoweim, @​yuwenma for their contributions to this release.

New Beta Resources (Direct Reconciler):

• ComputeSecurityPolicy
  • Manage Google Cloud Armor security policies.

New Fields:

• ContainerCluster

  • Added spec.clusterAutoscaling.defaultComputeClassConfig field.

• RunJob

  • Added spec.template.template.volumes.nfs field to support NFS backed Volumes.
  • Added spec.template.template.volumes.gcs field to support GCS backed Volumes.

• SQLInstance

  • Added spec.settings.failoverDrReplicaRef field to support designating CloudSQL Enterprise Plus DR Replicas.

Improvements

We have added support for structured diff reporting to the following direct controllers to improve logging and debugging:

• ApigeeEnvgroup
• ApigeeInstance
• AssetFeed
• AssetSavedQuery
• BackupVaultIdentity
• BigtableLogicalView
• CloudDeployDeliveryPipeline
• ColabRuntime
• RedisCluster
• SpannerBackupSchedule
• SpannerInstance
• SpannerInstanceConfig
• TaskQueue
• WorkstationConfig

New features:

• Added the preview command to the config-connector CLI. The preview command has been removed from the experimental kompanion tool.

New Beta Resources (Direct Reconciler):

• MemorystoreInstance to manage Memorystore for Valkey Instances

Bug Fixes:

• DataformRepository

  • Fixed a bug where the serviceAccountRef field could not be updated.

• SpannerBackupSchedule

  • Fixed an issue with invalid update masks by handling output-only fields.

v1.144.0: Release 1.144.0

Compare Source

⚠️ CRITICAL: DO NOT USE THIS RELEASE ⚠️
v1.144.0 has been identified as a BAD RELEASE.

We have identified critical issues in this version that may impact the stability of your managed resources. We strongly advise all customers to skip this version and wait for a subsequent release (v1.145.0).

• Special shout-outs to @​acpana, @​anhdle-sso, @​cheftako, @​codebot-robot, @​himanikh, @​justinsb, @​katrielt, @​xiaoweim, @​yuwenma for their contributions to this release.

New Beta Resources (Direct Reconciler):

• TagsLocationTagBinding
  • TagsLocationTagBinding is promoted to beta and now uses the direct reconciler by default.
  • Supports tagging of regional resources, including ArtifactRegistryRepository, CloudRun (RunJob, RunService), BigQueryDataset, BigQueryTable, and StorageBucket.
  • spec.location should be set to the region of the resource being tagged.

Reconciliation Improvements

• TagsLocationTagBinding
  • Switched to direct reconciliation as the default reconciler.

Bug Fixes:

• Fixed spurious diffs in TagsLocationTagBinding caused by project number vs. project ID mismatches.

v1.143.0: Release 1.143.0

Compare Source

Release Notes 1.143.0

• Special shout-outs to @​acpana, @​anhdle-sso, @​cheftako, @​dhavalbhensdadiya-crest, @​gemmahou, @​himanikh, @​justinsb, @​kjasnoor0305, @​maqiuyujoyce, @​nancynh, @​xiaoweim, @​yuwenma for their contributions to this release.

New Beta Resources (Direct Reconciler)

• ArtifactRegistryRepository
• LoggingLink
• MemorystoreInstance
• PrivateCACAPool

New Alpha Resources (Direct Reconciler)

• ParameterManagerParameter

New Fields

• AlloyDBInstance
  • Added spec.connectionPoolConfig field.
  • Added status.connectionPoolConfig field.

Reconciliation Improvements

• TagsTagBinding

  • Added support for organizations in parentRef.
  • Added support for multiple targets in parentRef.

• Resource References (refs.Ref) support added for the following resources to improve reference resolution:

  • BigQueryTable
  • BigQueryDataset
  • CloudRunService
  • CloudRunJob
  • ArtifactRegistryRepository
  • StorageBucket

• Added structured diff reporting for the following Direct Reconciler resources:

  • Workstation
  • NotebookInstance
  • BackupPolicy
  • ManagedKafkaTopic
  • ManagedKafkaCluster
  • DataprocBatch
  • ComposerEnvironment
  • CloudBuildWorkerPool
  • BigtableMaterializedView
  • AppProfileIdentity

New features

• Set GOMEMLIMIT for KCC workloads to improve memory management and stability.

Bug Fixes

• Fixed a race condition in kccmanager.
• Issue 6221: ComputeBackendService can now correctly refer to clientTLSPolicy.
• Issue 6156: BigQueryTable now ignores int64 to int32 schema changes when configured.
• Issue 6026: Fixed identity parsing for TagsTagValue.

v1.142.0: Release 1.142.0

Compare Source

• Special shout-outs to @​acpana, @​anhdle-sso, @​cheftako, @​gemmahou, @​himanikh, @​justinsb, @​maqiuyujoyce, @​vkanishk15, @​xiaoweim, @​yuwenma for their contributions to this release.

New Beta Resources (Direct Reconciler):

• AlloyDBBackup
• AccessContextManagerAccessLevel

New Fields:

• AlloyDBInstance: Added spec.observabilityConfig and spec.queryInsightsConfig fields.
• ContainerNodePool: Added spec.nodeConfig.enableNestedVirtualization field.

Reconciliation Improvements

We have added support for direct reconciliation to more resources, with opt-in
behaviour. The API is unchanged. To use the direct reconciler, add the
alpha.cnrm.cloud.google.com/reconciler: direct annotation to the corresponding
Config Connector object. The following resources now have direct reconciliation
support (and we list some of the issues that this fixes):

• TagsLocationTagBinding: Now supports direct reconciliation.

New features:

• IAM: Add support for iam.cnrm.cloud.google.com/disable-dependent-services annotation.
• Added support for Cilium cluster-wide network policy.

Bug Fixes:

• BatchJob: Fixed a bug where the resource could not be created.
• FirewallPolicyRule: Fixed an issue with updating the resource.
• IAMServiceAccountKey: Fixed a bug that caused re-reconciliation.
• Fixed a bug where ComputeBackendService could not refer to clientTLSPolicy due to an invalid format.
• Fixed a bug where interconnect attachments were not ignored.
• Fixed a bug in the GitHub MCP server.
• Fixed a bug in the private cluster endpoint for mockgcp.

v1.141.0: Release 1.141.0

Compare Source

• Special shout-outs to @​acpana, @​anhdle-sso, @​cheftako, @​gemmahou, @​GraceAtwood, @​justinsb, @​katrielt, @​maqiuyujoyce, @​marqc, @​nancynh, @​xiaoweim, and @​yuwenma for their contributions to this release.

New features:

• Enabled Vertical Pod Autoscaler (VPA) support for Config Connector controllers.
  • Added verticalPodAutoscalerMode field to ConfigConnector and ConfigConnectorContext resources.

New Fields:

• RunJob

  • Added spec.template.spec.containers[].port field.

• DataplexTask

  • Replaced project with projectRef.
  • Replaced serviceAccount with serviceAccountRef.
  • Replaced kmsKey with kmsKeyRef.

Bug Fixes:

• Fixed various issues in observedState handling for resources with reference fields.
• Fixed an issue where IAMPolicy and IAMPartialPolicy controllers would alphabetize the members field within the resource spec and write it back. This behavior can conflict with intent-based reconciliation from GitOps systems such as Config Sync, causing a loop of updates and potentially exhausting IAM read quotas.

v1.140.2: Release 1.140.2

Compare Source

• Special shout-outs to @​acpana, @​cheftako and @​xiaoweim for their contributions to this release.

Bug Fixes:

• Fixed a bug where the IAMPolicy and IAMPartialPolicy controllers would alphabetize the members field within the resource spec and write it back. This behavior can conflict with intent-based reconciliation from GitOps systems such as Config Sync, causing a loop of updates and potentially exhausting IAM read quotas. This issue affected versions 1.140.0 and has now been patched in version 1.140.2.
• Fixed the version inconsistency between Custom Resource Definitions (CRDs) and KCC operator in 1.140.1.

v1.140.1: Release 1.140.1

Compare Source

• Special shout-outs to @​acpana, @​cheftako and @​xiaoweim for their contributions to this release.

Bug Fixes:

• Fixed a bug where the IAMPolicy and IAMPartialPolicy controllers would alphabetize the members field within the resource spec and write it back. This behavior can conflict with intent-based reconciliation from GitOps systems such as Config Sync, causing a loop of updates and potentially exhausting IAM read quotas. This issue affected versions 1.140.0 and has now been patched in version 1.140.1.

Note on CRD Versions:

• Please be aware that while this patch release is version 1.140.1, the included Custom Resource Definitions (CRDs) are version 1.140.0. This is a known issue. However, since the changes in this patch are limited to the controller's logic and do not alter the CRD schemas, this version mismatch is not expected to cause any functional issues. KCC is designed to be backward compatible with previous patch versions of CRDs.

v1.140.0: Release 1.140.0

Compare Source

• Special shout-outs to @​600lyy, @​acpana, @​cheftako, @​gemmahou, @​justinsb, @​katrielt, @​maqiuyujoyce, @​shavonz, @​xiaoweim, and @​yuwenma for their contributions to this release.

New Beta Resources (Direct Reconciler):

• CertificateManagerCertificateIssuanceConfig
  • Manage Certificate Manager certificate issuance configurations for automating certificate issuance.

New Alpha Resources (Direct Reconciler):

• AssuredWorkloadsWorkload
  • Manage Assured Workloads workloads to support compliance and security requirements.
• ConfigDeliveryResourceBundle
  • Manage Config Delivery resource bundles for Anthos Config Management.

New Fields:

• AlloyDBCluster
  • Added spec.restoreContinuousBackupSource and spec.restoreBackupSource fields to support restoring from a backup.
• BigQueryReservationAssignment
  • Added spec.jobType field.
• FirestoreDatabase
  • Added spec.deleteProtectionState field.
• FirestoreField
  • Added spec.ttlConfig field.
• RunJob
  • Added spec.template.template.containers.dependsOn field.

Reconciliation Improvements

• Integrated Multi-Cluster Leader Election for improved reliability in multi-cluster setups.
• Added mock GCP support for BigtableGCPolicy, SourceRepo, MonitoringDashboard, and NetworkServices gateways to improve testing.

Bug Fixes:

• Fixed an issue where BigQueryReservationAssignment was not exposing externalRef.
• Fixed an issue with CertificateManagerDNSAuthorization API, Fuzzer and Mapper.
• Fixed an issue with FirestoreDatabase defaulting logic.

v1.139.1: Release 1.139.1

Compare Source

• Special shout-outs to @​acpana, @​cheftako and @​xiaoweim for their contributions to this release.

Bug Fixes:

• Fixed a bug where the IAMPolicy and IAMPartialPolicy controllers would alphabetize the members field within the resource spec and write it back. This behavior can conflict with intent-based reconciliation from GitOps systems such as Config Sync, causing a loop of updates and potentially exhausting IAM read quotas. This issue affected versions 1.139.0 and has now been patched in version 1.139.1.

Note on CRD Versions:

• Please be aware that while this patch release is version 1.139.1, the included Custom Resource Definitions (CRDs) are version 1.139.0. This is a known issue. However, since the changes in this patch are limited to the controller's logic and do not alter the CRD schemas, this version mismatch is not expected to cause any functional issues. KCC is designed to be backward compatible with previous patch versions of CRDs.

v1.139.0: Release 1.139.0

Compare Source

• Special shout-outs to @​anhdle-sso, @​gemmahou, @​justinsb, @​maqiuyujoyce, @​shavonz, @​xiaoweim, @​yuwenma for their contributions to this release.

New Alpha Resources (Direct Reconciler):

• FirestoreField

Reconciliation Improvements

• IAM partial policy management: Now supports direct reconciliation.

New features:

• The controller type is now reported at the start and end of reconciliation.
• Mockgcp now supports iap oauth brands and bigtable materializedview.

Bug Fixes:

• Reduces the memory footprint of the recorder.
• SQLInstance: Fixes an issue where empty maintenanceVersion patches were sent. The settings and maintenanceVersion fields are now unmanaged.
• FirestoreDatabase: Fixes boolean value exports.

v1.138.1: Release 1.138.1

Compare Source

• Special shout-outs to @​acpana, @​cheftako and @​xiaoweim for their contributions to this release.

Bug Fixes:

• Fixed a bug where the IAMPolicy and IAMPartialPolicy controllers would alphabetize the members field within the resource spec and write it back. This behavior can conflict with intent-based reconciliation from GitOps systems such as Config Sync, causing a loop of updates and potentially exhausting IAM read quotas. This issue affected versions 1.138.0 and has now been patched in version 1.138.1.

Note on CRD Versions:

• Please be aware that while this patch release is version 1.138.1, the included Custom Resource Definitions (CRDs) are version 1.138.0. This is a known issue. However, since the changes in this patch are limited to the controller's logic and do not alter the CRD schemas, this version mismatch is not expected to cause any functional issues. KCC is designed to be backward compatible with previous patch versions of CRDs.

v1.138.0

Compare Source

Release 1.138.0

• Special shout-outs to @​acpana, @​anhdle-sso, @​gemmahou, @​justinsb, @​maqiuyujoyce, @​xiaoweim, @​yuwenma for their contributions to this release.

New Beta Resources (Direct Reconciler):

• BackupDRBackupVault
• OrgPolicyCustomConstraint

New Alpha Resources (Direct Reconciler):

• FirestoreBackupSchedule
• FirestoreDocument

Reconciliation Improvements:

• Improved Normalization logic for OrgPolicy, RunJob, TagsTagBinding, and VertexAIIndex resources.

New features:

• Support export for RunJob and FirestoreDatabase.

Bug Fixes:

• Fixed format validation issue in the DataflowFlexTemplateJob direct controller when the
  spec.subnetworkRef.external field contains full URL. (#​5268)
• Updated status.observedGeneration in ConfigConnector object. (#​5507)

v1.137.1: Release 1.137.1

Compare Source

• Special shout-outs to @​acpana, @​cheftako and @​xiaoweim for their contributions to this release.

Bug Fixes:

• Fixed a bug where the IAMPolicy and IAMPartialPolicy controllers would alphabetize the members field within the resource spec and write it back. This behavior can conflict with intent-based reconciliation from GitOps systems such as Config Sync, causing a loop of updates and potentially exhausting IAM read quotas. This issue affected versions 1.137.0 and has now been patched in version 1.137.1.

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}