Skip to content
GCP Config Connector

Operational Playbook

This playbook covers the full lifecycle of chant-produced Config Connector manifests.

Build & validate

Section titled “Build & validate”
StepCommandWhat it catches
Lint sourcechant lint src/Hardcoded project IDs (WGC001), regions (WGC002), public IAM (WGC003)
Build manifestschant build src/ --output manifests.yamlPost-synth: missing encryption (WGC101), public IAM (WGC102), missing project annotation (WGC103), 14 more checks
Server dry-runkubectl apply -f manifests.yaml --dry-run=serverK8s API validation: CRD schema errors, admission webhooks

Deploy to Kubernetes

Section titled “Deploy to Kubernetes”
Terminal window
# Build
chant build src/ --output manifests.yaml


# Diff before applying
kubectl diff -f manifests.yaml


# Dry run
kubectl apply -f manifests.yaml --dry-run=server


# Apply
kubectl apply -f manifests.yaml

Monitoring reconciliation

Section titled “Monitoring reconciliation”
Terminal window
# List all Config Connector resources
kubectl get gcp -A


# Check specific resource status
kubectl describe storagebuckets.storage.cnrm.cloud.google.com my-bucket


# Watch for status changes
kubectl get gcp -A -w

Troubleshooting

Section titled “Troubleshooting”
StatusMeaningDiagnosticFix
UpToDateResource in syncNone needed
UpdatingApplying changeskubectl describe → EventsWait for completion
UpdateFailedGCP API errorkubectl describe → EventsCheck IAM permissions, quota, API enablement
DependencyNotReadyWaiting for refkubectl get gcpEnsure referenced resource exists and is UpToDate
DeletionFailedCannot deletekubectl describe → EventsCheck IAM permissions, child resource dependencies

Common issues

Section titled “Common issues”
SymptomCauseResolution
Resource stuck in UpdatingMissing GCP APIEnable API: add Service resource or gcloud services enable
Permission deniedService account lacks IAM roleGrant role to Config Connector SA
Resource recreated on every applyMissing deletion-policy annotationAdd cnrm.cloud.google.com/deletion-policy: abandon
Namespace not foundConfigConnectorContext missingCreate ConfigConnectorContext in namespace
Cross-project reference failsMissing project annotationAdd cnrm.cloud.google.com/project-id annotation

Quick reference

Section titled “Quick reference”
CommandDescription
chant build src/Synthesize manifests
chant lint src/Check for anti-patterns
kubectl apply -f manifests.yamlApply to cluster
kubectl get gcp -AList all Config Connector resources
kubectl describe <resource>Check reconciliation status
kubectl delete -f manifests.yamlRemove resources