feat: [gkehub] A new field kubernetes_api_server_version is added to message .google.cloud.gkehub.configmanagement.v1beta.MembershipState (#7534)

* feat: A new field `kubernetes_api_server_version` is added to message `.google.cloud.gkehub.configmanagement.v1beta.MembershipState`
feat: A new field `deployment_overrides` is added to message `.google.cloud.gkehub.configmanagement.v1beta.ConfigSync`
feat: A new message `DeploymentOverride` is added
feat: A new message `ContainerOverride` is added
feat: The `management` field is deprecated.
docs: clarify field behavior for GKE Hub "configmanagement" Feature

Clients can now override resource requests and limits for Config Sync components. See https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/how-to/installing-config-sync#override.

PiperOrigin-RevId: 879849424

Source-Link: googleapis/googleapis@8f70147

Source-Link: googleapis/googleapis-gen@c8c8447
Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWdrZWh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiYzhjODQ0NzQ3ZjBkNzg1ZWZhOGRhMWQ2YTdhMWFkNzIwMzY2MjAwYiJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Santiago Quiroga <22756465+quirogas@users.noreply.github.com>
Co-authored-by: Gabe Pearhill <86282859+pearigee@users.noreply.github.com>

Author: 3 people

packages/google-cloud-gkehub/protos/google/cloud/gkehub/v1beta/configmanagement/configmanagement.proto

@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -75,6 +75,10 @@ message MembershipState {
   // Output only. Hierarchy Controller status
   HierarchyControllerState hierarchy_controller_state = 7
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The Kubernetes API server version of the cluster.
+  string kubernetes_api_server_version = 8
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // **Anthos Config Management**: Configuration for a single cluster.
@@ -101,8 +105,8 @@ message MembershipSpec {
   PolicyController policy_controller = 2
       [deprecated = true, (google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Binauthz conifguration for the cluster. Deprecated: This field
-  // will be ignored and should not be set.
+  // Optional. Deprecated: Binauthz configuration will be ignored and should not
+  // be set.
   BinauthzConfig binauthz = 3
       [deprecated = true, (google.api.field_behavior) = OPTIONAL];
 
@@ -113,43 +117,53 @@ message MembershipSpec {
   HierarchyControllerConfig hierarchy_controller = 4
       [deprecated = true, (google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Version of ACM installed.
+  // Optional. Version of Config Sync to install. Defaults to the latest
+  // supported Config Sync version if the config_sync field is enabled. See
+  // supported versions at
+  // https://cloud.google.com/kubernetes-engine/config-sync/docs/get-support-config-sync#version_support_policy.
   string version = 10 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. The user-specified cluster name used by Config Sync
-  // cluster-name-selector annotation or ClusterSelector, for applying configs
-  // to only a subset of clusters. Omit this field if the cluster's fleet
-  // membership name is used by Config Sync cluster-name-selector annotation or
-  // ClusterSelector. Set this field if a name different from the cluster's
-  // fleet membership name is used by Config Sync cluster-name-selector
-  // annotation or ClusterSelector.
+  // Optional. User-specified cluster name used by the Config Sync
+  // cluster-name-selector annotation or ClusterSelector object, for applying
+  // configs to only a subset of clusters. Read more about the
+  // cluster-name-selector annotation and ClusterSelector object at
+  // https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/how-to/cluster-scoped-objects#limiting-configs.
+  // Only set this field if a name different from the cluster's fleet membership
+  // name is used by the Config Sync cluster-name-selector annotation or
+  // ClusterSelector.
   string cluster = 11 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Enables automatic Feature management.
-  Management management = 12 [(google.api.field_behavior) = OPTIONAL];
+  // Optional. Deprecated: From version 1.21.0, automatic Feature management is
+  // unavailable, and Config Sync only supports manual upgrades.
+  Management management = 12
+      [deprecated = true, (google.api.field_behavior) = OPTIONAL];
 }
 
 // Configuration for Config Sync
 message ConfigSync {
   // Optional. Git repo configuration for the cluster.
   GitConfig git = 7 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Specifies whether the Config Sync Repo is
-  // in "hierarchical" or "unstructured" mode.
+  // Optional. Specifies whether the Config Sync repo is in `hierarchical` or
+  // `unstructured` mode. Defaults to `hierarchical`. See
+  // https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/concepts/configs#organize-configs
+  // for an explanation.
   string source_format = 8 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Enables the installation of ConfigSync.
-  // If set to true, ConfigSync resources will be created and the other
-  // ConfigSync fields will be applied if exist.
-  // If set to false, all other ConfigSync fields will be ignored, ConfigSync
-  // resources will be deleted.
-  // If omitted, ConfigSync resources will be managed depends on the presence
-  // of the git or oci field.
+  // Optional. Enables the installation of Config Sync.
+  // If set to true, the Feature will manage Config Sync resources,
+  // and apply the other ConfigSync fields if they exist.
+  // If set to false, the Feature will ignore all other ConfigSync fields and
+  // delete the Config Sync resources.
+  // If omitted, ConfigSync is considered enabled if the git or oci field is
+  // present.
   optional bool enabled = 10 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. Set to true to enable the Config Sync admission webhook to
-  // prevent drifts. If set to `false`, disables the Config Sync admission
-  // webhook and does not prevent drifts.
+  // prevent drifts. If set to false, disables the Config Sync admission webhook
+  // and does not prevent drifts. Defaults to false. See
+  // https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/how-to/prevent-config-drift
+  // for details.
   bool prevent_drift = 11 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. OCI repo configuration for the cluster
@@ -158,6 +172,56 @@ message ConfigSync {
   // Optional. Set to true to stop syncing configs for a single cluster.
   // Default to false.
   bool stop_syncing = 16 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Configuration for deployment overrides.
+  // Applies only to Config Sync deployments with containers that are not a root
+  // or namespace reconciler: `reconciler-manager`, `otel-collector`,
+  // `resource-group-controller-manager`, `admission-webhook`.
+  // To override a root or namespace reconciler, use the rootsync or reposync
+  // fields at
+  // https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/reference/rootsync-reposync-fields#override-resources
+  // instead.
+  repeated DeploymentOverride deployment_overrides = 17
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Configuration for a deployment override.
+message DeploymentOverride {
+  // Required. The name of the deployment resource to be overridden.
+  string deployment_name = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The namespace of the deployment resource to be overridden.
+  string deployment_namespace = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. The containers of the deployment resource to be overridden.
+  repeated ContainerOverride containers = 3
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Configuration for a container override.
+message ContainerOverride {
+  // Required. The name of the container.
+  string container_name = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. The cpu request of the container. Use the following CPU resource
+  // units:
+  // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu.
+  string cpu_request = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The cpu limit of the container. Use the following CPU resource
+  // units:
+  // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu.
+  string cpu_limit = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The memory request of the container. Use the following memory
+  // resource units:
+  // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory.
+  string memory_request = 4 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The memory limit of the container. Use the following memory
+  // resource units:
+  // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory.
+  string memory_limit = 5 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Git repo configuration for a single cluster.
@@ -179,17 +243,18 @@ message GitConfig {
   string sync_rev = 5 [(google.api.field_behavior) = OPTIONAL];
 
   // Required. Type of secret configured for access to the Git repo.
-  // Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount,
-  // githubapp or none.
+  // Must be one of `ssh`, `cookiefile`, `gcenode`, `token`,
+  // `gcpserviceaccount`, `githubapp` or `none`.
   // The validation of this is case-sensitive.
   string secret_type = 6 [(google.api.field_behavior) = REQUIRED];
 
   // Optional. URL for the HTTPS proxy to be used when communicating with the
-  // Git repo.
+  // Git repo. Only specify when secret_type is `cookiefile`, `token`, or
+  // `none`.
   string https_proxy = 7 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. The Google Cloud Service Account Email used for auth when
-  // secret_type is gcpServiceAccount.
+  // secret_type is `gcpserviceaccount`.
   string gcp_service_account_email = 8 [(google.api.field_behavior) = OPTIONAL];
 }
 
@@ -207,12 +272,13 @@ message OciConfig {
   int64 sync_wait_secs = 3 [(google.api.field_behavior) = OPTIONAL];
 
   // Required. Type of secret configured for access to the OCI repo.
-  // Must be one of gcenode, gcpserviceaccount, k8sserviceaccount or none.
+  // Must be one of `gcenode`, `gcpserviceaccount`, `k8sserviceaccount` or
+  // `none`.
   // The validation of this is case-sensitive.
   string secret_type = 4 [(google.api.field_behavior) = REQUIRED];
 
   // Optional. The Google Cloud Service Account Email used for auth when
-  // secret_type is gcpServiceAccount.
+  // secret_type is `gcpserviceaccount`.
   string gcp_service_account_email = 5 [(google.api.field_behavior) = OPTIONAL];
 }