Description
When creating a ComputeTargetHTTPSProxy resource, Config Connector currently requires the sslCertificates field to be populated. However, Google Cloud Load Balancing supports using Certificate Manager certificates (certificateManagerCertificates) as an alternative to the classic SSL certificates.
Attempting to create a ComputeTargetHTTPSProxy with only certificateManagerCertificates results in an error, effectively blocking the usage of Certificate Manager with KCC for this resource type unless a dummy SSL certificate is additionally provided.
Reproduction
Apply the following YAML:
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeTargetHTTPSProxy
metadata:
  name: test-https-proxy
spec:
  urlMapRef:
    name: test-urlmap
  location: us-central1
  certificateManagerCertificates:
  - name: webhook-cert
Error Output
Update call failed: error applying desired state: summary: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates': ''. At least 1 SSL certificate must be specified for TargetHttpsProxy creation., invalid
Expected Behavior
The ComputeTargetHTTPSProxy resource should successfully reconcile when certificateManagerCertificates are provided, even if sslCertificates is empty, matching the behavior of gcloud and the underlying GCP API.
Additional Context
This limitation appears to stem from the underlying validation logic (possibly inherited from the Terraform provider version) which enforces sslCertificates as a required field without considering certificateManagerCertificates as a valid alternative.