RedisInstance: secondaryIpRange not applied during initial creation, causing UpdateFailed errors #6635

@shonphand

Bug Description

When creating a RedisInstance with read replicas enabled and secondaryIpRange specified in a Shared VPC architecture, the secondaryIpRange is not applied during the initial instance creation. GCP auto-assigns read replica IPs from the same range as reservedIpRange instead.

On subsequent reconciliation attempts, Config Connector tries to set secondaryIpRange via
UpdateInstance, which GCP rejects because this field is immutable after read replicas exist.

Environment Architecture

We are using a Shared VPC setup:

  ┌─────────────────────────────────────────────────────────────┐
  │  Shared VPC Host Project                                    │
  │  ├── VPC Network                                            │
  │  ├── PSA Range 1: 10.x.x.0/21 (primary + HA standby)       │
  │  └── PSA Range 2: 10.y.y.0/21 (read replicas - expected)   │
  └─────────────────────────────────────────────────────────────┘
                                │
                      VPC Peering (PSA)
                                │
  ┌─────────────────────────────────────────────────────────────┐
  │  Service Project                                            │
  │  ├── GKE Cluster (with Config Connector)                   │
  │  └── RedisInstance (created via KCC)                       │
  └─────────────────────────────────────────────────────────────┘
  
  • Connect Mode: PRIVATE_SERVICE_ACCESS
  • Network Reference: Cross-project reference to host project VPC

Expected Behavior

When creating a RedisInstance with:

  • replicaCount: 2
  • readReplicasMode: READ_REPLICAS_ENABLED
  • reservedIpRange: servicenetworking-googleapis-com-psa-range-1
  • secondaryIpRange: servicenetworking-googleapis-com-psa-range-2

The read replicas should use IPs from psa-range-2, not psa-range-1.

Actual Behavior

  1. Instance is created successfully with read replicas
  2. Primary instance uses IPs from psa-range-1 (correct)
  3. Read replicas ALSO use IPs from psa-range-1 (incorrect - should be psa-range-2)
  4. Config Connector continuously attempts to "update" secondaryIpRange, resulting in:

Update call failed: error applying desired state: summary: Error updating Instance
"projects//locations//instances/":
googleapi: Error 400: generic::INVALID_ARGUMENT: Secondary IP Range can not be updated on instances that use
read replicas

Additional Diagnostic Information

Config Connector Version

1.137.0

Kubernetes Cluster Version

1.30.x (GKE)

Config Connector Mode

Namespaced mode

RedisInstance YAML

apiVersion: redis.cnrm.cloud.google.com/v1beta1
kind: RedisInstance
metadata:
  name: my-redis-instance
  namespace: my-namespace
  annotations:
    cnrm.cloud.google.com/deletion-policy: delete
    cnrm.cloud.google.com/project-id: my-service-project
    cnrm.cloud.google.com/state-into-spec: absent
spec:
  alternativeLocationId: europe-west4-b
  authEnabled: true
  authorizedNetworkRef:
    external: projects/my-host-project/global/networks/my-vpc-network
  connectMode: PRIVATE_SERVICE_ACCESS
  displayName: My Redis Instance
  locationId: europe-west4-a
  memorySizeGb: 10
  persistenceConfig:
    persistenceMode: RDB
    rdbSnapshotPeriod: TWENTY_FOUR_HOURS
  readReplicasMode: READ_REPLICAS_ENABLED
  redisVersion: REDIS_7_2
  region: europe-west4
  replicaCount: 2
  reservedIpRange: servicenetworking-googleapis-com-psa-range-1
  secondaryIpRange: servicenetworking-googleapis-com-psa-range-2
  tier: STANDARD_HA
  transitEncryptionMode: SERVER_AUTHENTICATION

Logs

status:
  conditions:
    - lastTransitionTime: '2026-02-18T10:17:48Z'
      message: >-
        Update call failed: error applying desired state: summary: Error
        updating Instance
        "projects/my-service-project/locations/europe-west2/instances/cache-s-euw2-a4295305":
        googleapi: Error 400: com.google.apps.framework.request.StatusException:
        <eye3 title='INVALID_ARGUMENT'/> generic::INVALID_ARGUMENT: Secondary IP
        Range can not be updated on instances that use read replicas

        Details:

        [
          {
            "@type": "type.googleapis.com/google.rpc.BadRequest",
            "fieldViolations": [
              {
                "description": "Invalid value: servicenetworking-googleapis-com-psa-range-2",
                "field": "instance.secondary_ip_range"
              }
            ]
          }
        ]
      reason: UpdateFailed
      status: 'False'
      type: Ready

Evidence

PSA Ranges Configured in Host Project

NAME: servicenetworking-googleapis-com-psa-range-1
ADDRESS/RANGE: 10.x.x.0/21
TYPE: INTERNAL
PURPOSE: VPC_PEERING
NETWORK: my-vpc
STATUS: RESERVED
────────────────────────────────────────
NAME: servicenetworking-googleapis-com-psa-range-2
ADDRESS/RANGE: 10.y.y.0/21
TYPE: INTERNAL
PURPOSE: VPC_PEERING
NETWORK: my-vpc
STATUS: RESERVED

Actual Instance IPs (from GCP)

  ┌─────────────────────────┬───────────┬──────────────┬─────────────────────────────────┐
  │          Field          │    IP     │ Source Range │             Status              │
  ├─────────────────────────┼───────────┼──────────────┼─────────────────────────────────┤
  │ host (primary)          │ 10.x.x.37 │ psa-range-1  │ ✓ Correct                       │
  ├─────────────────────────┼───────────┼──────────────┼─────────────────────────────────┤
  │ readEndpoint (replicas) │ 10.x.x.38 │ psa-range-1  │ ✗ Wrong - should be psa-range-2 │
  └─────────────────────────┴───────────┴──────────────┴─────────────────────────────────┘
  

GCP Audit Logs

Repeated UpdateInstance calls failing with error code 3 (INVALID_ARGUMENT):

  ┌──────────────────────┬──────────────────────────────────────────────────────┬──────┐
  │      TIMESTAMP       │                     METHOD_NAME                      │ CODE │
  ├──────────────────────┼──────────────────────────────────────────────────────┼──────┤
  │ 2026-02-17T14:05:49Z │ google.cloud.redis.v1beta1.CloudRedis.UpdateInstance │ 3    │
  ├──────────────────────┼──────────────────────────────────────────────────────┼──────┤
  │ 2026-02-17T14:03:49Z │ google.cloud.redis.v1beta1.CloudRedis.UpdateInstance │ 3    │
  ├──────────────────────┼──────────────────────────────────────────────────────┼──────┤
  │ 2026-02-17T14:01:49Z │ google.cloud.redis.v1beta1.CloudRedis.UpdateInstance │ 3    │
  └──────────────────────┴──────────────────────────────────────────────────────┴──────┘
  (repeating every ~2 minutes due to reconciliation)

Root Cause Hypothesis

Config Connector appears to NOT include secondaryIpRange in the initial CreateInstance API call. Instead, it
attempts to set this field in a subsequent UpdateInstance call, which fails because:

  1. GCP provisions read replicas with auto-assigned IPs during creation
  2. secondaryIpRange becomes immutable after read replicas exist
  3. Config Connector's reconciliation loop keeps trying to "fix" the drift

Workaround

Removing secondaryIpRange from the spec stops the errors, but this means accepting that read replicas will
share the same IP range as the primary instance, which is not ideal for IP capacity management in
environments with multiple managed services sharing PSA ranges.
