Status: Open
Labels: bug (Something isn't working)
Description
TL;DR
Provisioning a confidential node pool in europe-west-4 with c3-standard-4 machines results in an error because it tries to use a confidential_instance_type of SEV. In order to change it to "TDX" we need to add this option to the module here and here.

Error:

```
Error: googleapi: Error 400: Confidential nodes feature is not supported for instance type SEV on machine type c3-standard-4.
```
Expected behavior
Allow creating a node pool with "INTEL TDX".
Observed behavior
Only able to select "SEV" ...
Terraform Configuration
```hcl
module "netherlands_dev_gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
  version = "v38.0.0"

  project_id                  = data.google_client_config.current.project
  name                        = "netherlands-${local.env}"
  description                 = "Netherlands ${local.env} k8s cluster. Used mainly for XXXX ${local.env} tools/apps/jobs"
  release_channel             = "STABLE"
  gateway_api_channel         = "CHANNEL_STANDARD"
  regional                    = true
  remove_default_node_pool    = true
  initial_node_count          = 1
  region                      = local.tdx_region
  zones                       = data.google_compute_zones.netherlands.names
  network                     = module.dev_vpc.network_name
  subnetwork                  = module.dev_vpc.subnets["${local.tdx_region}/netherlands-01-private"].name
  master_ipv4_cidr_block      = "10.10.100.0/28"
  ip_range_pods               = "netherlands-01-private-pods"
  ip_range_services           = "netherlands-01-private-services"
  master_authorized_networks  = local.master_authorized_networks
  enable_private_nodes        = true
  enable_confidential_nodes   = true
  default_max_pods_per_node   = 100
  http_load_balancing         = true  # needed for the GKE ingress controller and Gateway API
  network_policy              = false
  filestore_csi_driver        = true  # enables the Filestore CSI driver (GCP managed NFS volumes)
  horizontal_pod_autoscaling  = true
  enable_vertical_pod_autoscaling = false
  enable_shielded_nodes       = true
  gce_pd_csi_driver           = true  # allows the use of persistent GCP disks
  stateful_ha                 = false # enhances the availability and reliability of stateful applications
  gcs_fuse_csi_driver         = false # Cloud Storage FUSE CSI driver (mount GCS buckets as volumes)
  maintenance_start_time      = "2024-09-16T09:30:00Z" # needs to be set up like this; the recurrence defines when the maintenance happens
  maintenance_end_time        = "2024-09-16T13:30:00Z" # needs to be set up like this; the recurrence defines when the maintenance happens
  maintenance_recurrence      = "FREQ=WEEKLY;BYDAY=MO,WE,FR"
  notification_config_topic   = "" # for monitoring purposes at some point
  service_account             = module.ms_gke_resources.sa_info["gke"].email
  create_service_account      = false

  node_pools = [
    {
      name                       = "netherlands-${local.env}-tdx-pool"
      machine_type               = "c3-standard-4" # 4 vCPUs, 16GB memory
      node_locations             = "${data.google_compute_zones.netherlands.names[0]},${data.google_compute_zones.netherlands.names[1]},${data.google_compute_zones.netherlands.names[2]}"
      total_min_count            = 1
      total_max_count            = 1
      cpu_cfs_quota              = false
      pod_pids_limit             = 0
      autoscaling                = true
      enable_private_nodes       = true
      spot                       = false
      preemptible                = false
      disk_size_gb               = 30
      disk_type                  = "pd-balanced"
      logging_variant            = "DEFAULT"
      auto_repair                = true
      auto_upgrade               = true
      enable_secure_boot         = true
      max_pods_per_node          = 100
      strategy                   = "BLUE_GREEN"
      max_surge                  = 1
      max_unavailable            = 0
      location_policy            = "BALANCED"
      enable_confidential_nodes  = true
      confidential_instance_type = "TDX"
    },
  ]

  node_pools_labels = {
    all = local.default_labels
    netherlands-dev-tdx-pool = {
      default-node-pool = true
    }
  }

  node_pools_resource_labels = {
    all = local.default_labels
    netherlands-dev-tdx-pool = {
      default-node-pool = true
    }
  }
}
```
Terraform Version
```
Terraform v1.13.0
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v6.49.0
+ provider registry.terraform.io/hashicorp/google-beta v6.49.0
+ provider registry.terraform.io/hashicorp/helm v2.15.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.32.0
+ provider registry.terraform.io/hashicorp/null v3.2.4
+ provider registry.terraform.io/hashicorp/random v3.6.3
```
Terraform Provider Versions
```
Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/google] 6.49.0
├── provider[registry.terraform.io/hashicorp/google-beta] 6.49.0
├── provider[registry.terraform.io/hashicorp/kubernetes] 2.32.0
├── provider[registry.terraform.io/hashicorp/helm] 2.15.0
├── provider[registry.terraform.io/hashicorp/null] 3.2.4
├── provider[registry.terraform.io/hashicorp/random] 3.6.3
├── module.pg
│   ├── provider[registry.terraform.io/hashicorp/null] ~> 3.1
│   ├── provider[registry.terraform.io/hashicorp/random] ~> 3.1
│   ├── provider[registry.terraform.io/hashicorp/google] >= 6.1.0, < 7.0.0
│   └── provider[registry.terraform.io/hashicorp/google-beta] >= 6.1.0, < 7.0.0
├── module.storage_buckets_iam_bindings
│   ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│   └── module.helper
├── module.dev_vpc
│   ├── provider[registry.terraform.io/hashicorp/google] >= 4.64.0, < 7.0.0
│   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 4.64.0, < 7.0.0
│   ├── module.firewall_rules
│   │   └── provider[registry.terraform.io/hashicorp/google] >= 3.33.0, < 7.0.0
│   ├── module.routes
│   │   └── provider[registry.terraform.io/hashicorp/google] >= 3.83.0, < 7.0.0
│   ├── module.subnets
│   │   └── provider[registry.terraform.io/hashicorp/google] >= 4.25.0, < 7.0.0
│   └── module.vpc
│       ├── provider[registry.terraform.io/hashicorp/google-beta] >= 6.19.0, < 7.0.0
│       └── provider[registry.terraform.io/hashicorp/google] >= 6.19.0, < 7.0.0
├── module.netherlands_dev_gke
│   ├── provider[registry.terraform.io/hashicorp/google] >= 6.42.0, < 7.0.0
│   ├── provider[registry.terraform.io/hashicorp/kubernetes] ~> 2.10
│   └── provider[registry.terraform.io/hashicorp/random] >= 2.1.0
├── module.projects_iam_bindings
│   ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│   └── module.helper
├── module.cloud_router_london_private
│   └── provider[registry.terraform.io/hashicorp/google] >= 4.51.0, < 7.0.0
├── module.dev_gke
│   ├── provider[registry.terraform.io/hashicorp/google] >= 6.42.0, < 7.0.0
│   ├── provider[registry.terraform.io/hashicorp/kubernetes] ~> 2.10
│   └── provider[registry.terraform.io/hashicorp/random] >= 2.1.0
├── module.pg_bigquery_datastream_bff
│   └── provider[registry.terraform.io/hashicorp/google] >= 6.27.0
├── module.redis_dev
│   ├── provider[registry.terraform.io/hashicorp/google] >= 4.74.0, < 7.0.0
│   └── module.enable_apis
│       ├── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│       └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.43.0, < 7.0.0
├── module.dev_public_zone
│   ├── provider[registry.terraform.io/hashicorp/google] >= 4.40.0, < 7.0.0
│   └── provider[registry.terraform.io/hashicorp/google-beta] >= 4.40.0, < 7.0.0
└── module.ms_gke_resources
    ├── provider[registry.terraform.io/hashicorp/google] >= 6.27.0
    └── module.this
        ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
        └── module.helper

Providers required by state:

    provider[registry.terraform.io/hashicorp/google]
    provider[registry.terraform.io/hashicorp/google-beta]
    provider[registry.terraform.io/hashicorp/helm]
    provider[registry.terraform.io/hashicorp/kubernetes]
    provider[registry.terraform.io/hashicorp/null]
    provider[registry.terraform.io/hashicorp/random]
```
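Until the module passes `confidential_instance_type` through, the TDX pool can be declared as a standalone `google_container_node_pool` attached to the module-managed cluster, with a plan-time precondition that rejects the SEV-on-C3 mismatch before the API returns the 400 quoted above. This is an added example, not code from the issue or from terraform-google-modules; the `cluster_id` module output, the `confidential_instance_type` argument inside the provider's `confidential_nodes` block (check the google provider changelog for your version) and the machine-family-to-technology mapping in `locals` are assumptions.

```hcl
variable "machine_type" {
  default = "c3-standard-4"
}

variable "confidential_instance_type" {
  default = "TDX" # the value the issue asks the module to pass through
}

locals {
  # Assumed family-to-technology mapping: C3 is Intel TDX; N2D and C2D are AMD SEV.
  machine_family = split("-", var.machine_type)[0]
  confidential_types_by_family = {
    c3  = ["TDX"]
    n2d = ["SEV", "SEV_SNP"]
    c2d = ["SEV"]
  }
  allowed_types = lookup(local.confidential_types_by_family, local.machine_family, [])
}

# Standalone node pool on the module-managed cluster. The cluster_id output and
# the confidential_instance_type argument are assumptions about the module and
# provider versions in use.
resource "google_container_node_pool" "tdx_pool" {
  name     = "netherlands-dev-tdx-pool"
  location = local.tdx_region
  cluster  = module.netherlands_dev_gke.cluster_id

  node_config {
    machine_type    = var.machine_type
    service_account = module.ms_gke_resources.sa_info["gke"].email

    shielded_instance_config {
      enable_secure_boot = true
    }

    confidential_nodes {
      enabled                    = true
      confidential_instance_type = var.confidential_instance_type
    }
  }

  lifecycle {
    # Fail at plan time instead of with the API 400 quoted in the issue.
    precondition {
      condition     = contains(local.allowed_types, var.confidential_instance_type)
      error_message = "${var.confidential_instance_type} is not a valid confidential type for ${local.machine_family} machines."
    }
  }
}
```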