Allow API Modification of spec.override.reconcileTimeout in Config Sync RootSync Objects Managed by GKE Hub

[dragosandrei-rgb]

Checklist

• I did not find a related open enhancement request.
• I understand that enhancement requests filed in the GitHub repository are by default low priority.
• If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature

encountering KNV2009 errors ("dependency apply reconcile timeout") in the Config Sync setup, while using Config Sync to manage their clusters via GKE Hub. To address these timeouts, it’s required to increase the spec.override.reconcileTimeout value within the RootSync object.

While documentation suggests this field can be modified using kubectl, the customer states that because the RootSync object is managed by GKE Hub, any manual changes made via kubectl are reverted. Thus, a more sustainable and automated method to modify this timeout is needed, specifically through an API, as manual kubectl edits are not feasible for their production environment.

GKE Cluster Mode: Standard

Troubleshooting Steps:

1. tried modifying spec.override.reconcileTimeout in the RootSync object.
2. these changes were reverted because the RootSync object is managed by GKE Hub.
3. tried using kubectl to modify the field, as per documentation [1].
4. It was confirmed that while kubectl can modify the field, it is not a sustainable solution for their environment, and it’s need an API-based approach.
5. Further review confirmed that currently, there is no automated way to manage spec.override.reconcileTimeout other than manual edits via kubectl.

Relevant Logs/Information:

• Observed error message: "New sync errors for RootSync config-management-system/root-sync: [{Code:2009 ErrorMessage:KNV2009: skipped apply of GKEHubFeatureMembership.gke****.com, $projectID/$cluster-name: dependency apply reconcile timeout: $projectID_$cluster-name_gkehub.cnrm.cloud.google.com_GKEHubMembership\n\n[1] KNV2009: skipped apply of GKEHubFeatureMembership.gke****.com, $projectID/$cluster-name: dependency apply reconcile timeout: $projectID_$cluster-name_gkehub.cnrm.cloud.google.com_GKEHubMembership For more information, see https://g.co/cloud/acm-errors#knv2009 \n"

• Reference documentation on reconcileTimeout: "https://docs.cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/reference/rootsync-reposync-fields#reconcile-timeout"
  https://docs.cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/reference/rootsync-reposync-fields#reconcile-timeout

• Documentation on configuring Config Sync with kubectl: https://docs.cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/configure-config-sync-kubectl#

Importance

Impact:
The inability to programmatically adjust the reconcile timeout is hindering the ability to manage Config Sync effectively, impacting the production environment.

Current Status:
Since the manual kubectl edits are not a viable long-term solution, a feature request was suggested to allow API-based modification of spec.override.reconcileTimeout.