From f3bc523b17c1827f516d993b59a32e8bb88487f1 Mon Sep 17 00:00:00 2001
From: upodroid <upodroid@users.noreply.github.com>
Date: Sat, 20 Jan 2024 13:41:16 +0000
Subject: [PATCH] fix nlb firewall rules, operations and alias network subnets

---
 pkg/model/gcemodel/firewall.go                           | 2 ++
 .../update_cluster/minimal_gce_dns-none/kubernetes.tf    | 2 +-
 .../update_cluster/minimal_gce_ilb/kubernetes.tf         | 2 +-
 .../minimal_gce_ilb_longclustername/kubernetes.tf        | 2 +-
 .../update_cluster/minimal_gce_plb/kubernetes.tf         | 2 +-
 upup/pkg/fi/cloudup/gce/network.go                       | 4 ++--
 upup/pkg/fi/cloudup/gce/op.go                            | 9 +++++----
 7 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/pkg/model/gcemodel/firewall.go b/pkg/model/gcemodel/firewall.go
index 8fe8f8f19c63c..29e0be8770169 100644
--- a/pkg/model/gcemodel/firewall.go
+++ b/pkg/model/gcemodel/firewall.go
@@ -62,6 +62,8 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 				// https://cloud.google.com/load-balancing/docs/health-checks
 				"35.191.0.0/16",
 				"130.211.0.0/22",
+				"209.85.204.0/22",
+				"209.85.152.0/22",
 			},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
 			Allowed:    []string{"tcp"},
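Review bot: The two ranges added at lines 24-25 carry no comment saying where they come from, while the existing entries are tied to the health-checks document linked just above them; add a line such as `// Health-check probes for external passthrough Network Load Balancers originate from these two ranges (see the health-checks doc above)` above the new entries so the next reader does not drop them as stray. Because `Allowed` is a bare `"tcp"` with no port list, the rule admits every TCP port from the now-larger source set to control-plane instances; if the health-check port is known at this point in Build, restricting the allow to that port would keep the widening minimal. Build starts and ends outside the hunk.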
diff --git a/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
index f79d5ad0e3875..efd22959fa7a0 100644
--- a/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
@@ -266,7 +266,7 @@ resource "google_compute_firewall" "lb-health-checks-minimal-gce-example-com" {
   disabled      = false
   name          = "lb-health-checks-minimal-gce-example-com"
   network       = google_compute_network.minimal-gce-example-com.name
-  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+  source_ranges = ["35.191.0.0/16", "130.211.0.0/22", "209.85.204.0/22", "209.85.152.0/22"]
   target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
 }
 
diff --git a/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
index 6255a7d983b23..70338cfb74538 100644
--- a/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
@@ -250,7 +250,7 @@ resource "google_compute_firewall" "lb-health-checks-minimal-gce-ilb-example-com
   disabled      = false
   name          = "lb-health-checks-minimal-gce-ilb-example-com"
   network       = google_compute_network.minimal-gce-ilb-example-com.name
-  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+  source_ranges = ["35.191.0.0/16", "130.211.0.0/22", "209.85.204.0/22", "209.85.152.0/22"]
   target_tags   = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
 }
 
diff --git a/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
index 04a4c34db78db..880cc71734d06 100644
--- a/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
@@ -250,7 +250,7 @@ resource "google_compute_firewall" "lb-health-checks-minimal-gce-with-a-very-ver
   disabled      = false
   name          = "lb-health-checks-minimal-gce-with-a-very-very-very-very--96dqvi"
   network       = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
-  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+  source_ranges = ["35.191.0.0/16", "130.211.0.0/22", "209.85.204.0/22", "209.85.152.0/22"]
   target_tags   = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
 }
 
diff --git a/tests/integration/update_cluster/minimal_gce_plb/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_plb/kubernetes.tf
index 694265796e19d..058ba6f9e85c0 100644
--- a/tests/integration/update_cluster/minimal_gce_plb/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_plb/kubernetes.tf
@@ -237,7 +237,7 @@ resource "google_compute_firewall" "lb-health-checks-minimal-gce-plb-example-com
   disabled      = false
   name          = "lb-health-checks-minimal-gce-plb-example-com"
   network       = google_compute_network.minimal-gce-plb-example-com.name
-  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+  source_ranges = ["35.191.0.0/16", "130.211.0.0/22", "209.85.204.0/22", "209.85.152.0/22"]
   target_tags   = ["minimal-gce-plb-example-com-k8s-io-role-control-plane"]
 }
 
diff --git a/upup/pkg/fi/cloudup/gce/network.go b/upup/pkg/fi/cloudup/gce/network.go
index c3725e612091d..e57c54e578265 100644
--- a/upup/pkg/fi/cloudup/gce/network.go
+++ b/upup/pkg/fi/cloudup/gce/network.go
@@ -167,12 +167,12 @@ func performNetworkAssignmentsIPAliases(ctx context.Context, c *kops.Cluster, cl
 		return err
 	}
 
-	serviceCIDR, err := used.Allocate(networkCIDR, net.CIDRMask(20, 32))
+	serviceCIDR, err := used.Allocate(networkCIDR, net.CIDRMask(16, 32))
 	if err != nil {
 		return err
 	}
 
-	nodeCIDR, err := used.Allocate(networkCIDR, net.CIDRMask(20, 32))
+	nodeCIDR, err := used.Allocate(networkCIDR, net.CIDRMask(19, 32))
 	if err != nil {
 		return err
 	}
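Review bot: The masks at lines 90 and 96 are now two different unexplained magic numbers; a comment stating why the service range is a /16 and the node range a /19, and that the larger /16 is deliberately allocated first so the node range does not fragment it, would stop a later reader from "normalising" them back to matching sizes. Both `used.Allocate` errors are returned bare, so a cluster whose networkCIDR cannot hold a /16 plus a /19 fails without saying which allocation ran out; wrapping them, e.g. `return fmt.Errorf("allocating service CIDR /16 from %v: %w", networkCIDR, err)`, names the culprit, assuming `fmt` is already imported in this file. performNetworkAssignmentsIPAliases starts and ends outside the hunk.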
diff --git a/upup/pkg/fi/cloudup/gce/op.go b/upup/pkg/fi/cloudup/gce/op.go
index 8b66790b7f7af..c680cb25cfeae 100644
--- a/upup/pkg/fi/cloudup/gce/op.go
+++ b/upup/pkg/fi/cloudup/gce/op.go
@@ -58,7 +58,7 @@ func waitForZoneOp(client *compute.Service, op *compute.Operation) error {
 	}
 
 	return waitForOp(op, func(operationName string) (*compute.Operation, error) {
-		return client.ZoneOperations.Get(u.Project, u.Zone, operationName).Do()
+		return client.ZoneOperations.Wait(u.Project, u.Zone, operationName).Do()
 	})
 }
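Review bot: Replacing `Get` with `Wait` at line 109 turns each poll from a quick lookup into a server-side blocking call that may hold for a couple of minutes before returning, yet the call is issued without a context, so caller cancellation or any deadline waitForOp applies can only be observed between polls. The same applies to the region and global variants at lines 118 and 127. Consider threading a `ctx` into these helpers and calling `.Context(ctx).Do()` on the Wait call, and confirm that waitForOp's timeout accounting tolerates a single poll that itself blocks for minutes; a comment above the closure such as `// Wait blocks server-side until the operation finishes or the server's wait limit expires, then returns its current state` would make the changed behaviour explicit. waitForZoneOp starts outside the hunk.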
 
@@ -69,7 +69,7 @@ func waitForRegionOp(client *compute.Service, op *compute.Operation) error {
 	}
 
 	return waitForOp(op, func(operationName string) (*compute.Operation, error) {
-		return client.RegionOperations.Get(u.Project, u.Region, operationName).Do()
+		return client.RegionOperations.Wait(u.Project, u.Region, operationName).Do()
 	})
 }
 
@@ -80,7 +80,7 @@ func waitForGlobalOp(client *compute.Service, op *compute.Operation) error {
 	}
 
 	return waitForOp(op, func(operationName string) (*compute.Operation, error) {
-		return client.GlobalOperations.Get(u.Project, operationName).Do()
+		return client.GlobalOperations.Wait(u.Project, operationName).Do()
 	})
 }
 
@@ -108,7 +108,8 @@ func waitForOp(op *compute.Operation, getOperation func(operationName string) (*
 		}
 		pollOp, err := getOperation(opName)
 		if err != nil {
-			klog.Warningf("GCE poll operation %s failed: pollOp: [%v] err: [%v] getErrorFromOp: [%v]", opName, pollOp, err, getErrorFromOp(pollOp))
+			klog.Warningf("GCE poll operation %s failed: pollOp: [%v] err: [%v]", opName, pollOp, err)
+			klog.Infof("getErrorFromOp: [%v]", getErrorFromOp(pollOp))
 		}
 		done := opIsDone(pollOp)
 		if done {
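Review bot: The split at lines 136-137 drops the operation name from the second message and emits it at Info rather than Warning, so the two lines can no longer be correlated once other goroutines log between them; keep both in one warning, or at least `klog.Infof("GCE poll operation %s: getErrorFromOp: [%v]", opName, getErrorFromOp(pollOp))`. When getOperation returns an error, pollOp is presumably nil, so both getErrorFromOp and the `opIsDone(pollOp)` call at line 139 must tolerate a nil operation — worth confirming, since neither is visible here. waitForOp starts and ends outside the hunk.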