Enabling secure boot on an existing nodepool is failing #923

Closed
shako92 opened this issue Jun 7, 2021 · 4 comments · Fixed by #1237

shako92 commented Jun 7, 2021

Hello, we tried to enable secure boot on an existing node pool, but it's failing.

NP Config: added enable_secure_boot:true

      {
        name = "node-pool"
        machine_type = "n1-standard-8"
        local_ssd_count = 0
        disk_size_gb = 100
        disk_type = "pd-standard"
        image_type = "COS_CONTAINERD"
        auto_repair = true
        auto_upgrade = false
        preemptible = false
        initial_node_count = 1
        min_count = 1
        max_count = 10
        default_max_pods_per_node = 32
        max_surge = 1
        max_unavailable = 0
        version = "1.18.16-gke.502"
        enable_secure_boot = true
      }

PLAN RELATED TO CHANGE:

taint             = [] -> (known after apply)
~ shielded_instance_config {
    enable_integrity_monitoring = true
    ~ enable_secure_boot          = false -> true # forces replacement
}
--

ERROR:

Error: error creating NodePool: googleapi: Error 409: Already exists: projects/PROJECT/locations/us-central1/clusters/CLUSTER/nodePools/NP., alreadyExists

TRIED:

To update file cluster.tf and add in "beta-private-cluster-update-variant/cluster.tf", under force_node_pool_recreation_resources, enable_secure_boot, but this did not help.

Please let me know how we should proceed here.

Thanks

shako92 commented Jun 7, 2021

Ideally it should create a new NP, migrate workloads and then shut down the old one, right? Because this operation requires NP recreation.

morgante commented Jun 7, 2021

> To update file cluster.tf and add in "beta-private-cluster-update-variant/cluster.tf", under force_node_pool_recreation_resources, enable_secure_boot, but this did not help.

What happened when you tried this? I have a feeling the change might not have been properly applied, because the fix here most likely is to put secure boot in the triggers for node pool naming.

@skakauridze-clgx

Actually it was still complaining that NodePool exists. I'll try to rerun and make sure the latest push was in place and get back.

github-actions bot commented Aug 6, 2021

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
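
The naming-trigger pattern morgante describes above, as an added example that is not code from this thread or from the module: a `random_id` whose `keepers` include the secure boot flag gives the replacement pool a new name, so creating it does not collide with the pool that still exists. The resource names, the variable and the placeholder cluster value are hypothetical, and the example assumes the replacement is created before the old pool is destroyed.

```hcl
# Added illustration; resource and variable names are hypothetical.
variable "enable_secure_boot" {
  type    = bool
  default = true
}

# The suffix is regenerated whenever a keeper value changes, so changing a
# replacement-forcing setting also changes the node pool name.
resource "random_id" "pool_suffix" {
  byte_length = 2
  prefix      = "node-pool-"

  keepers = {
    enable_secure_boot = tostring(var.enable_secure_boot)
    machine_type       = "n1-standard-8"
  }
}

resource "google_container_node_pool" "pool" {
  name     = random_id.pool_suffix.hex # e.g. node-pool-1a2b
  cluster  = "CLUSTER"                 # placeholder, as in the error above
  location = "us-central1"

  initial_node_count = 1

  autoscaling {
    min_node_count = 1
    max_node_count = 10
  }

  node_config {
    machine_type = "n1-standard-8"
    image_type   = "COS_CONTAINERD"

    shielded_instance_config {
      enable_secure_boot          = var.enable_secure_boot
      enable_integrity_monitoring = true
    }
  }

  # The new pool is created first and the old one destroyed afterwards.
  # With an unchanged name, that create call is rejected as "Already exists".
  lifecycle {
    create_before_destroy = true
  }
}
```

If the secure boot flag is missing from `keepers`, the plan still shows `# forces replacement` for `enable_secure_boot`, but the name stays the same and the create step fails with the 409 reported in this issue.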
