GoogleCloudPlatform / cloud-foundation-fabric

End-to-end modular samples and landing zones toolkit for Terraform on GCP.
Apache License 2.0

enable_private_nodes not enabled in nodepool? #1363

Closed szihai closed 1 year ago

szihai commented 1 year ago

I need to add a nodepool to a private GKE cluster with a shared VPC and private network. The existing nodepool works fine, as in the GKE module I have specified enable_private_nodes = true. However, when adding the additional nodepool, it keeps throwing this error:

│ Error: error creating NodePool: googleapi: Error 400: EnablePrivateNodes must be enabled for private clusters with valid masterIpv4Cidr., badRequest
│
│   with module.gke-nodepool["gke-nodepool/node-pool-1"].google_container_node_pool.nodepool,
│   on .terraform/modules/gke-nodepool/main.tf line 70, in resource "google_container_node_pool" "nodepool":
│   70: resource "google_container_node_pool" "nodepool" {

When looking at the plan, it does seem to set enable_private_nodes.

  + network_config {
          + create_pod_range     = false
          + enable_private_nodes = (known after apply)
          + pod_ipv4_cidr_block  = (known after apply)
          + pod_range            = "xxx-gke-nodes-pods"
        }

But in the nodepool module there is no place for it. Wondering how to get around this issue. Here is my nodepool configuration:

module "gke-nodepool" {
  source                 = "private repo"
  version                = "~> 21.0.0"
  for_each               = local.nodepools
  name                   = "${var.cluster_name_prefix}-${var.environment_code}-${each.value.name}"
  project_id             = var.project_id
  cluster_name           = module.gke.name
  ...
}

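The error above says the API rejects a nodepool whose enable_private_nodes is not set when the cluster is private and has a valid masterIpv4Cidr. The check below is an added example, not code from cloud-foundation-fabric or from the commenters: it walks a `gcloud container clusters describe --format=json` style document and reports every nodepool that does not explicitly enable private nodes (meaning its nodes would get public IPs, or, as here, fail to create), plus a control-plane range that is not an IPv4 /28. The sample JSON is constructed, and the field names (privateClusterConfig, nodePools[].networkConfig.enablePrivateNodes) are assumed to match the GKE v1 API; confirm them against real describe output.

```python
import ipaddress
import json

# Constructed sample input, shaped like a trimmed `gcloud container clusters
# describe CLUSTER --format=json` response. Field names are assumed to follow
# the GKE v1 API (privateClusterConfig, nodePools[].networkConfig).
SAMPLE_CLUSTER_JSON = """
{
  "name": "example-private-cluster",
  "privateClusterConfig": {
    "enablePrivateNodes": true,
    "enablePrivateEndpoint": true,
    "masterIpv4CidrBlock": "10.126.6.128/28"
  },
  "nodePools": [
    {"name": "node-pool-0", "networkConfig": {"enablePrivateNodes": true}},
    {"name": "node-pool-1", "networkConfig": {"podRange": "xxx-gke-nodes-pods"}},
    {"name": "node-pool-2", "networkConfig": {"enablePrivateNodes": false}}
  ]
}
"""


def master_cidr_is_valid(cidr):
    """GKE requires the control-plane (master) range to be an IPv4 /28."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except (ValueError, TypeError):
        return False
    return net.version == 4 and net.prefixlen == 28


def check_private_nodes(cluster):
    """Return a list of (scope, message) findings; an empty list means the
    cluster and all of its nodepools agree on private nodes."""
    findings = []
    pcc = cluster.get("privateClusterConfig") or {}
    master_cidr = pcc.get("masterIpv4CidrBlock")

    if not pcc.get("enablePrivateNodes"):
        findings.append(("cluster", "enablePrivateNodes is not set on the cluster"))
        return findings  # the nodepool checks below only apply to private clusters

    if not master_cidr_is_valid(master_cidr):
        findings.append(
            ("cluster", f"masterIpv4CidrBlock {master_cidr!r} is not an IPv4 /28")
        )

    for pool in cluster.get("nodePools", []):
        name = pool.get("name", "<unnamed>")
        nc = pool.get("networkConfig") or {}
        if "enablePrivateNodes" not in nc:
            # This is the shape behind the Error 400 above: the pool never
            # states enablePrivateNodes even though the cluster is private.
            findings.append(
                (name, "networkConfig.enablePrivateNodes is absent; set it "
                       "explicitly to true for a private cluster")
            )
        elif nc["enablePrivateNodes"] is not True:
            findings.append(
                (name, "networkConfig.enablePrivateNodes is false: nodes in "
                       "this pool would receive public IPs")
            )
    return findings


def check_private_nodes_json(raw):
    """Convenience wrapper for raw JSON text from gcloud."""
    return check_private_nodes(json.loads(raw))


if __name__ == "__main__":
    for scope, message in check_private_nodes_json(SAMPLE_CLUSTER_JSON):
        print(f"[{scope}] {message}")
```

Run it against real output with `gcloud container clusters describe CLUSTER --location LOCATION --format=json > cluster.json` and feed the file to `check_private_nodes_json`; a clean result is an empty list. The same invariant can be applied to a Terraform plan: every `network_config` block of a `google_container_node_pool` in a private cluster should show `enable_private_nodes = true`, not `(known after apply)`.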
juliocc commented 1 year ago

Looks like you're not creating the cluster as private. Make sure you're setting private_cluster_config correctly in the cluster module (not the nodepool).

szihai commented 1 year ago

Thank you @juliocc. I looked at my cluster configuration. It does set enable_private_nodes to true. Does it have to disable the public endpoint?

  "private_cluster_config": [
    {
      "enable_private_endpoint": true,
      "enable_private_nodes": true,
      "master_global_access_config": [
        {
          "enabled": true
        }
      ],
      "master_ipv4_cidr_block": "10.126.6.128/28",
      "peering_name": "gke-ndxxx-peer",
      "private_endpoint": "10.126.6.130",
      "private_endpoint_subnetwork": "",
      "public_endpoint": "public ip"
    }
  ],

szihai commented 1 year ago

Hi folks, are there any suggestions?

juliocc commented 1 year ago

I'll try to take a look later today

juliocc commented 1 year ago

I tried a few things on my end and couldn't reproduce this. Can you share the code you're using for both the cluster and nodepool?

szihai commented 1 year ago

Here is the GKE module. It was created 6 months ago.

module "gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
  version = "~> 23.0.0"

 ...
}

szihai commented 1 year ago

The added nodepool code was pasted in earlier comment.

juliocc commented 1 year ago

You're mixing CFT (for the cluster) and Fabric (for the nodepool).

I recommend you either switch the cluster to use the Fabric GKE module or create the nodepool in whatever way the CFT GKE module recommends. Mixing both is not a good idea.