Controller manager crashes when using the googleAPIsBundle parameter with a ComputeForwardingRule

[rolandkool]

Checklist

• I did not find a related open issue.
• I did not find a solution in the troubleshooting guide: (https://cloud.google.com/config-connector/docs/troubleshooting)
• If this issue is time-sensitive, I have submitted a corresponding issue with GCP support.

Bug Description

With Config Connector version 1.125, the first version to support the googleAPIsBundle parameter on a ComputeForwardingRule resource, the controller manager crashes.

Additional Diagnostic Information

Error from the log:

{"severity":"info","timestamp":"2025-01-14T15:07:28.088Z","msg":"Observed a panic in reconciler: assignment to entry in nil map","controller":"computeforwardingrule-controller","controllerGroup":"compute.cnrm.cloud.google.com","controllerKind":"ComputeForwardingRule","ComputeForwardingRule":{"name":"privategoogleapis","namespace":"somenamespace"},"namespace":"somenamespace","name":"privategoogleapis","reconcileID":"ba9486dc-2e69-47d8-9544-fcf9853ffbc3"}
panic: assignment to entry in nil map [recovered]
panic: assignment to entry in nil map

Kubernetes Cluster Version

1.30

Config Connector Version

1.125.0

Config Connector Mode

cluster mode

Log Output

See Additional Diagnostics

Steps to reproduce the issue

Example resource:

---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeForwardingRule
metadata:
  name: privategoogleapis
spec:
  ipAddress:
    addressRef:
      name: privategoogleapis
  location: global
  target:
    googleAPIsBundle: all-apis

YAML snippets

apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeForwardingRule
metadata:
  name: privategoogleapis
spec:
  ipAddress:
    addressRef:
      name: privategoogleapis
  location: global
  target:
    googleAPIsBundle: all-apis

[gemmahou]

For Private Service Connect forwarding rules that forward traffic to Google APIs, a network must be provided. Additionally, the loadBalancingScheme field need to be explicitly set to ""(empty string), to avoid the default value of "EXTERNAL".
Here's my working configuration:

apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeForwardingRule
metadata:
  name: rule0219
spec:
  description: "A global forwarding rule"
  location: global
  target:
    # a supported Google APIs bundle (global-only)
    googleAPIsBundle: "all-apis"
  loadBalancingScheme: ""
  ipAddress:
    addressRef:
      name: default
  networkRef:
    name: default

I will add sample yaml and the field requirements to our doc.

[gemmahou]

However, it shouldn't cause the controller manager to crash. The resource should transition to an error state.
For instance:

yuhou@yuhoulocal:~/go/src/github.com/yuhou/k8s-config-connector$ kubectl create -f create.yaml
computeforwardingrule.compute.cnrm.cloud.google.com/rule0219 created
yuhou@yuhoulocal:~/go/src/github.com/yuhou/k8s-config-connector$ kubectl get ComputeForwardingRule rule0219
NAME       AGE   READY   STATUS         STATUS AGE
rule0219   28s   False   UpdateFailed   27s

Events:
  Type     Reason        Age                   From                              Message
  ----     ------        ----                  ----                              -------
  Warning  UpdateFailed  9m8s (x5 over 9m40s)  computeforwardingrule-controller  Update call failed: error creating: creating ComputeForwardingRule projects/project-yuhou/global/forwardingRules/rule0219: googleapi: Error 400: Invalid value for field 'resource.loadBalancingScheme': 'EXTERNAL'. Invalid field set in Private Service Connect Forwarding Rule. This field should not be set.

I'll take a deeper look on the panic.