Deploy fails if S3 enpoint is already present.

[TheNomet]

What were you trying to accomplish?
Deploy a fully private EKS cluster withing an already existing VPC.
Given that the AWS account comes already set up with VPC and endpoints, it is not possible to use eksctl to deploy a private cluster. Unfortunately, the endpoints and VPC are already configured as per company policy, and it would be great to have the possibility to specify already existing endpoints while deploying.

What happened?
The stack creation fails because the endpoint for S3 is already existing.

route table rtb-xyz already has a route with destination-prefix-list-id pl-xyz (Service: AmazonEC2; Status Code: 400; Error Code: RouteAlreadyExists; Request ID: 8eb9524a-9cc6-4b78-b5de-a99bd0e24da0; Proxy: null)

How to reproduce it?

• Create a VPC, and specify the endpoint for S3.
• Substitute the vpc id with the one just created (as well as cidr and subnets)
• run eksctl create cluster -f file.yaml

--- 
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: cluster-4
  region: eu-west-1

vpc:
  id: "vpc-123"
  cidr: "10.0.0.0/24"
  subnets:
    private:
      eu-west-1a:
        id: "subnet-123"
        cidr: "10.0.0.0/26" 

      eu-west-1b:
        id: "subnet-234"
        cidr: "10.0.0.64/26"

      eu-west-1c:
        id: "subnet-345"
        cidr: "10.0.0.128/26"

privateCluster:
  enabled: true
  additionalEndpointServices:
  - "autoscaling"

nodeGroups:
  - name: ng-2
    instanceType: t3.medium
    desiredCapacity: 2
    ami: ami-123
    privateNetworking: true

Logs

Versions
eksctl version: 0.70.0

[aclevername]

Thanks for opening the issue @TheNomet. We should definitely fix this. We could either:

• try to detect if a RT for s3 already exists (unsure how easy this is?)
• add a flag for skipping its creation

I'll add this to the backlog

[Skarlso]

@Skarlso This is the ticket that this ticket is really similar too: #2510

[Skarlso]

The error is the same as this:

"route table rtb-xxxxxxxxxxxxxx already has a route with destination-prefix-list-id pl-xxxxxxx (Service: AmazonEC2; Status Code: 400; Error Code: RouteAlreadyExists; Request ID: xxxxxxxxxxxxxxxxxx; Proxy: null)"

[Skarlso]

@TheNomet Hi.

This would mean that everything is properly set up. eksctl will have no idea what's going on and likely if there is a bug we will probably say, well it's your setup, we have no idea. So like, you know that from that point on, it's all on you. The endpoint has to contain the right subnets, the subnets routing will have to contain the right vpnes we won't be editing that endpoint and add in anything or modify it in any way. Everything has to perfectly work.

If that's okay, we can add a config option which says --skip-endpoints and none of the endpoints will be created and they'll be completely left out of the generated CloudFormation template.

Also, I'll update the documentation saying something like Here be Dragons

Is that okay?

[TheNomet]

Hi @Skarlso ,
Yes, all makes sense.

[Skarlso]

Awesome! Please feel free to try it out, play without, have a go. And if you think something is missing, feel free to reach out to me on community slack or re-open this issue or open a new one. :)

[Skarlso]

I did test this with a cluster which was set up, but obviously, I don't have all the configuration options, so I'm a bit wary if I left out something.

[TheNomet]

Perfect! I will try it out and ask the team if anyone has time to do so as well.
I'll reach out in case is needed.
Have a good one and keep up the good work :)