Improved SecretManagerSecretVersion and ResourceID

[yuwenma]

Description

Config Connector now offers an improved way to manage SecretManagerSecretVersion resources with a focus on GitOps compatibility and adherence to Kubernetes API conventions. This new approach is driven by the direct controller and introduces the following changes:

• Service-generated ID in status: The service-generated ID is now stored in status.version instead of spec.resourceID.
• Resource Identity Guardrail: status.externalRef is used to ensure resource identity.
• No spec Modification: The direct controller does not modify the spec, aligning with GitOps principles.

Why This Change?

This approach addresses inconsistencies with GitOps workflows and deviations from Kubernetes API conventions present in the Terraform-based reconciler. By moving the service-generated ID to the status field and utilizing status.externalRef, we ensure a cleaner separation of user-defined values and system-generated values.

Try It Out and Share Your Feedback!

This improved handling of SecretManagerSecretVersion is currently available with the direct controller. To enable it, set the cnrm.cnrm.io/reconciler=direct annotation on your SecretManagerSecretVersion resources.

We believe this change enhances Config Connector's functionality and usability. However, we value your input and would love to hear your feedback on this new approach. Please share your thoughts and experiences in this issue. Your feedback will help us determine if this should become the default behavior in the future.

Key Benefits

• Enhanced GitOps Compatibility: Eliminates conflicts with GitOps workflows.
• Kubernetes API Conformance: Ensures consistency with Kubernetes API conventions.
• Consistent User Experience: Provides a more predictable and intuitive experience.