Unable to create CertificateManagerDNSAuthorization if resource has KRM-style label #3457

Open
3 tasks done
andyyaldoo opened this issue Jan 7, 2025 · 0 comments
Labels
bug Something isn't working

andyyaldoo commented Jan 7, 2025

Checklist

Bug Description

Unable to create/update CertificateManagerDNSAuthorization if the resource contains a KRM-style label (prefixed with /). Status:

Status:
  Conditions:
    Last Transition Time:  2025-01-07T04:57:35Z
    Message:               Update call failed: error creating: creating DnsAuthorization projects/test-project/locations/global/dnsAuthorizations/auth-com: googleapi: Error 400: resource labels are invalid: key "app.kubernetes.io/managed-by" contains invalid character '.' at index 2
    Reason:                UpdateFailed
    Status:                False
    Type:                  Ready
  Observed Generation:     1

I tried creating another resource (pubsub topic) with the same labels, and I was able to successfully create it.
I suspect this is a bug specific to CertificateManagerAPI. According to this, KRM-style labels should not be passed to any GCP API.

Additional Diagnostic Information

None

Kubernetes Cluster Version

Client Version: v1.31.3
Kustomize Version: v5.4.2
Server Version: v1.30.6-gke.1125000

Config Connector Version

1.126.0

Config Connector Mode

namespaced mode (default)

Log Output

Events:
  Type     Reason        Age                  From                                           Message
  ----     ------        ----                 ----                                           -------
  Warning  UpdateFailed  14s (x7 over 2m22s)  certificatemanagerdnsauthorization-controller  Update call failed: error creating: creating DnsAuthorization projects/test-project/locations/global/dnsAuthorizations/auth-com: googleapi: Error 400: resource labels are invalid: key "app.kubernetes.io/managed-by" contains invalid character '.' at index 2

Steps to reproduce the issue

  1. Create Config Controller instance
  2. Grant permission
  3. Apply the YAML snippets below. The YAML snippets contain 3 resources: 1 CertificateManagerDNSAuthorization with the app.kubernetes.io/managed-by label, 1 CertificateManagerDNSAuthorization without that label, and 1 pubsub topic with that label.

The pubsub topic will be created just fine, but only one of the CertificateManagerDNSAuthorization resources will be created. The one that has the app.kubernetes.io/managed-by label will have a status of UpdateFailed.

YAML snippets

apiVersion: certificatemanager.cnrm.cloud.google.com/v1beta1
kind: CertificateManagerDNSAuthorization
metadata:
  namespace: config-control
  name: auth-com
  labels:
    label-one: "value-one"
    app.kubernetes.io/managed-by: test
spec:
  domain: test.auth.dev
  projectRef:
    external: test-project
---
apiVersion: certificatemanager.cnrm.cloud.google.com/v1beta1
kind: CertificateManagerDNSAuthorization
metadata:
  namespace: config-control
  name: auth-1-com
  labels:
    label-one: "value-one"
spec:
  domain: test-1.auth.dev
  projectRef:
    external: test-project
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: test-project
  labels:
    label-one: "value-one"
    app.kubernetes.io/managed-by: test
  name: example-topic
  namespace: config-control

andyyaldoo added the bug label Jan 7, 2025
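
An added example, not part of the original issue and not Config Connector's own code: a pre-apply check in Go that splits a manifest's metadata.labels into keys a strict GCP API would accept and keys such as app.kubernetes.io/managed-by that it would reject with the error shown above. The names SplitLabels, Rejected and firstBad are hypothetical, and the key pattern is the ASCII subset of the general GCP label-key rule, assumed here to be what the Certificate Manager API enforces.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// General GCP label-key rule (ASCII subset, an assumption for this example):
// 1-63 characters, first a lowercase letter, then lowercase letters, digits, '_' or '-'.
var gcpLabelKey = regexp.MustCompile(`^[a-z][a-z0-9_-]{0,62}$`)

// Rejected is one label key that should not be forwarded to the GCP API.
type Rejected struct {
	Key string
	Bad rune // first disallowed character; 0 when only the length is wrong
}

// firstBad returns the first character that breaks the key rule, or 0.
func firstBad(key string) rune {
	for i, r := range key {
		lower := r >= 'a' && r <= 'z'
		rest := lower || (r >= '0' && r <= '9') || r == '_' || r == '-'
		if (i == 0 && !lower) || !rest {
			return r
		}
	}
	return 0
}

// SplitLabels returns the labels safe to forward and the keys to hold back,
// the latter sorted by key so the report is deterministic.
func SplitLabels(labels map[string]string) (map[string]string, []Rejected) {
	ok := map[string]string{}
	var bad []Rejected
	for k, v := range labels {
		if gcpLabelKey.MatchString(k) {
			ok[k] = v
			continue
		}
		bad = append(bad, Rejected{Key: k, Bad: firstBad(k)})
	}
	sort.Slice(bad, func(i, j int) bool { return bad[i].Key < bad[j].Key })
	return ok, bad
}

func main() {
	// Constructed input: the labels of the failing manifest in the report.
	ok, bad := SplitLabels(map[string]string{"label-one": "value-one", "app.kubernetes.io/managed-by": "test"})
	fmt.Println("forward:", ok)
	for _, r := range bad {
		fmt.Printf("hold back: %q (first invalid character %q)\n", r.Key, r.Bad)
	}
}
```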