HA Shoot creation fails because of missing VPN #9694

Open
Lappihuan opened this issue Apr 30, 2024 · 3 comments
Labels: area/high-availability, area/networking, kind/bug

Lappihuan commented Apr 30, 2024

How to categorize this issue?

/area networking
/area high-availability
/kind bug

What happened:
The same issue as described here: ref
But in our case that is already happening on the Gardener release v1.93.0 using the provider openstack.

This might already be fixed in the mentioned PR.
@timebertt perhaps your fix could be merged separately from the rest of that PR?

What you expected to happen:

HA Shoots create without being stuck due to missing VPN.

How to reproduce it (as minimally and precisely as possible):
Create an HA Shoot on v1.93.0; it will get stuck with the message:

  lastOperation:
    description: Waiting until the Kubernetes API server can connect to the Shoot workers
    lastUpdateTime: '2024-04-30T12:05:01Z'
    progress: 92
    state: Processing
    type: Create
  lastErrors:
    - description: >-
        task "Waiting until the Kubernetes API server can connect to the Shoot
        workers" failed: retry failed with context deadline exceeded, last
        error: could not forward to vpn-shoot pod (timeout after 5 seconds):
        error forwarding ports: error upgrading connection: error dialing
        backend: dial tcp 10.250.2.221:10250: i/o timeout
      taskID: Waiting until the Kubernetes API server can connect to the Shoot workers
      lastUpdateTime: '2024-04-30T12:03:23Z'
  observedGeneration: 1

Anything else we need to know?:

ERRORS:

2024-04-30 13:05:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 13:04:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 13:03:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 13:02:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 13:02:38	
{"log":"failed to compute desired number of replicas based on listed metrics for Deployment/shoot--acme--ha-test/kube-apiserver: invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: did not receive metrics for targeted pods (pods might be unready)","pid":"1","severity":"ERR","source":"horizontal.go:274"}
	2024-04-30 13:02:08	
{"log":"failed to compute desired number of replicas based on listed metrics for Deployment/shoot--acme--ha-test/kube-apiserver: invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: did not receive metrics for targeted pods (pods might be unready)","pid":"1","severity":"ERR","source":"horizontal.go:274"}
	2024-04-30 13:01:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 13:00:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 13:00:05	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:59:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:59:20	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:58:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:57:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:56:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:55:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:54:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:54:36	
{"log":"failed to compute desired number of replicas based on listed metrics for Deployment/shoot--acme--ha-test/kube-apiserver: invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: did not receive metrics for targeted pods (pods might be unready)","pid":"1","severity":"ERR","source":"horizontal.go:274"}
	2024-04-30 12:54:06	
{"log":"failed to compute desired number of replicas based on listed metrics for Deployment/shoot--acme--ha-test/kube-apiserver: invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: did not receive metrics for targeted pods (pods might be unready)","pid":"1","severity":"ERR","source":"horizontal.go:274"}
	2024-04-30 12:53:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:52:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:51:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:50:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:50:09	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:49:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:48:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:48:24	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:47:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:46:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:45:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:45:03	
{"log":"failed to compute desired number of replicas based on listed metrics for Deployment/shoot--acme--ha-test/kube-apiserver: invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: did not receive metrics for targeted pods (pods might be unready)","pid":"1","severity":"ERR","source":"horizontal.go:274"}
	2024-04-30 12:44:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:44:38	
{"log":"Error syncing PodDisruptionBudget shoot--acme--ha-test/kube-apiserver, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"kube-apiserver\": the object has been modified; please apply your changes to the latest version and try again","pid":"1","severity":"ERR","source":"disruption.go:630"}
	2024-04-30 12:43:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:43:12	
{"log":"error syncing StatefulSet shoot--acme--ha-test/vali, requeuing: object is being deleted: pods \"vali-0\" already exists, the server was not able to generate a unique name for the object","pid":"1","severity":"ERR","source":"stateful_set.go:430"}
	2024-04-30 12:42:56	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:42:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:41:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:40:52	
{"log":"Error syncing PodDisruptionBudget shoot--acme--ha-test/machine-controller-manager, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"machine-controller-manager\": the object has been modified; please apply your changes to the latest version and try again","pid":"1","severity":"ERR","source":"disruption.go:630"}
	2024-04-30 12:40:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:40:13	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:40:10	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:39:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:39:52	
{"log":"Error syncing PodDisruptionBudget shoot--acme--ha-test/machine-controller-manager, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"machine-controller-manager\": the object has been modified; please apply your changes to the latest version and try again","pid":"1","severity":"ERR","source":"disruption.go:630"}
	2024-04-30 12:39:31	
{"log":"failed to compute desired number of replicas based on listed metrics for Deployment/shoot--acme--ha-test/kube-apiserver: invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: did not receive metrics for targeted pods (pods might be unready)","pid":"1","severity":"ERR","source":"horizontal.go:274"}
	2024-04-30 12:39:03	
{"log":"Error syncing PodDisruptionBudget shoot--acme--ha-test/csi-snapshot-controller, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"csi-snapshot-controller\": the object has been modified; please apply your changes to the latest version and try again","pid":"1","severity":"ERR","source":"disruption.go:630"}
	2024-04-30 12:38:55	
{"log":"post-timeout activity - time-elapsed: 334.385µs, GET \"/apis/coordination.k8s.io/v1/namespaces/shoot--acme--ha-test/leases/machine-controller\" result: \u003cnil\u003e","pid":"1","severity":"ERR","source":"timeout.go:142"}
	2024-04-30 12:38:55	
{"log":"timeout or abort while handling: method=GET URI=\"/apis/coordination.k8s.io/v1/namespaces/shoot--acme--ha-test/leases/machine-controller\" audit-ID=\"caa80e90-df33-4ecd-a964-c8b1b1d4c7d9\"","pid":"1","severity":"ERR","source":"wrap.go:54"}
	2024-04-30 12:38:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:38:51	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:38:09	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:38:01	
{"log":"error syncing StatefulSet shoot--acme--ha-test/vali, requeuing: pods \"vali-0\" not found","pid":"1","severity":"ERR","source":"stateful_set.go:430"}
	2024-04-30 12:38:00	
{"log":"error syncing StatefulSet shoot--acme--ha-test/vali, requeuing: object is being deleted: pods \"vali-0\" already exists, the server was not able to generate a unique name for the object","pid":"1","severity":"ERR","source":"stateful_set.go:430"}
	2024-04-30 12:37:52	
{"log":"Cannot get target selector from VPA's targetRef. Reason: Deployment shoot--acme--ha-test/vpn-seed-server does not exist","pid":"1","severity":"ERR","source":"cluster_feeder.go:532"}
	2024-04-30 12:37:49	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:48	
{"log":"Error syncing PodDisruptionBudget shoot--acme--ha-test/cluster-autoscaler, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"cluster-autoscaler\": the object has been modified; please apply your changes to the latest version and try again","pid":"1","severity":"ERR","source":"disruption.go:630"}
	2024-04-30 12:37:40	
{"log":"Error syncing PodDisruptionBudget shoot--acme--ha-test/machine-controller-manager, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"machine-controller-manager\": the object has been modified; please apply your changes to the latest version and try again","pid":"1","severity":"ERR","source":"disruption.go:630"}
	2024-04-30 12:37:38	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:34	
{"log":"post-timeout activity - time-elapsed: 790.864µs, PATCH \"/apis/resources.gardener.cloud/v1alpha1/namespaces/shoot--acme--ha-test/managedresources/shoot-core-metrics-server\" result: \u003cnil\u003e","pid":"1","severity":"ERR","source":"timeout.go:142"}
	2024-04-30 12:37:33	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:30	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:29	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:28	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:28	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:27	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:27	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:27	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:27	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:26	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:26	
{"log":"\"error syncing item\" err=\"unable to get REST mapping for v1alpha1/Issuer.\" item=\"[v1/Secret, namespace: shoot--acme--ha-test, name: extension-shoot-cert-service-issuer-gardener, uid: 26b07c5c-5fad-49c4-aefa-9df8f1739d99]\"","pid":"1","severity":"ERR","source":"garbagecollector.go:390"}
	2024-04-30 12:37:21	
{"log":"Error syncing PodDisruptionBudget shoot--acme--ha-test/csi-snapshot-controller, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"csi-snapshot-controller\": the object has been modified; please apply your changes to the latest version and try again","pid":"1","severity":"ERR","source":"disruption.go:630"}

Environment:

  • Gardener version: v1.93.0
  • Kubernetes version: v1.28.3
  • Cloud provider: openstack v1.39.2

gardener-prow bot added the area/networking, area/high-availability and kind/bug labels on Apr 30, 2024.

Lappihuan (Author) commented:

This might have been the cause of it:

In addition to that, the initial memory requests of OpenVPN container and its metrics exporter (only in HA scenario) are scaled down to be closer to their needs.

Since now the vpn-seed-server containers for non-ha shoots are unaffected.

timebertt (Member) commented:

This issue is unrelated to #9597 (comment) and will not be fixed by this PR.

If you suspect that this is related to memory requests on the VPN containers, what's the status of the VPN containers in the seed and the shoot? Can you add their logs?

Lappihuan (Author) commented:

The only thing I can spot in the logs is this:

2024-05-06T10:08:24.211847Z stdout F 2024-05-06 10:08:24 HTTP proxy returned bad status
2024-05-06T10:08:24.211915702Z stdout F 2024-05-06 10:08:24 SIGTERM[soft,HTTP proxy error] received, process exiting

Status:

status of vpn-seed-server-0
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:07:37Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:07:47Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:07:47Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:07:37Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://5f31acbe3d5f6e03f070362e0de298a6743dc180a2e181dfb10769911a772521
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-seed-server:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-seed-server@sha256:86ba8446b597ac76392f97f3cfbde55a5602d392f64e1d17eaf1a32b0e72424e
    lastState: {}
    name: openvpn-exporter
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-06T06:07:45Z"
  - containerID: containerd://fd7611cd94d47d11b3a8dca3de9c071185b0cf730536ea792b73d092f4e65018
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-seed-server:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-seed-server@sha256:86ba8446b597ac76392f97f3cfbde55a5602d392f64e1d17eaf1a32b0e72424e
    lastState: {}
    name: vpn-seed-server
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-06T06:07:42Z"
  hostIP: 10.251.1.228
  phase: Running
  podIP: 100.102.3.214
  podIPs:
  - ip: 100.102.3.214
  qosClass: Burstable
  startTime: "2024-05-06T06:07:37Z"
status of vpn-seed-server-1
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:07:37Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:07:43Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:07:43Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:07:37Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://50adf468022ec66bb846937c94f205ce7a0ec300a8c310e3a31192d814157bb1
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-seed-server:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-seed-server@sha256:86ba8446b597ac76392f97f3cfbde55a5602d392f64e1d17eaf1a32b0e72424e
    lastState: {}
    name: openvpn-exporter
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-06T06:07:43Z"
  - containerID: containerd://c83a886ab123c7dcbd958fda0f4039b5fa9413b7c8e3a00fb9dfb892116f3fec
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-seed-server:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-seed-server@sha256:86ba8446b597ac76392f97f3cfbde55a5602d392f64e1d17eaf1a32b0e72424e
    lastState: {}
    name: vpn-seed-server
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-06T06:07:41Z"
  hostIP: 10.251.0.70
  phase: Running
  podIP: 100.102.1.86
  podIPs:
  - ip: 100.102.1.86
  qosClass: Burstable
  startTime: "2024-05-06T06:07:37Z"
status of vpn-shoot-0
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:14:29Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:14:32Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:14:32Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:14:25Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://c3f92a206cac4fdfbb77d5bda00968503d7169adf6d335506da59e50916d9c9c
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client@sha256:eb5497c75132fa9bd33b3a3fb969cd8de553074d75ddbc096bb970566917a16e
    lastState: {}
    name: vpn-shoot-s0
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-06T06:14:30Z"
  - containerID: containerd://90bc5e2c633082759fed2016bd9d4bce3adeb6ead3b583ef61a17c4b5dd91f84
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client@sha256:eb5497c75132fa9bd33b3a3fb969cd8de553074d75ddbc096bb970566917a16e
    lastState: {}
    name: vpn-shoot-s1
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-06T06:14:31Z"
  hostIP: 10.250.1.105
  initContainerStatuses:
  - containerID: containerd://b068fb921b75f65933fc41d8c23ddc6152e9f3918c9d84c619d101f4aa68e528
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client@sha256:eb5497c75132fa9bd33b3a3fb969cd8de553074d75ddbc096bb970566917a16e
    lastState: {}
    name: vpn-shoot-init
    ready: true
    restartCount: 0
    started: false
    state:
      terminated:
        containerID: containerd://b068fb921b75f65933fc41d8c23ddc6152e9f3918c9d84c619d101f4aa68e528
        exitCode: 0
        finishedAt: "2024-05-06T06:14:28Z"
        reason: Completed
        startedAt: "2024-05-06T06:14:28Z"
  phase: Running
  podIP: 100.110.1.10
  podIPs:
  - ip: 100.110.1.10
  qosClass: Burstable
  startTime: "2024-05-06T06:14:26Z"
status of vpn-shoot-1
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:14:15Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:14:17Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:14:17Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2024-05-06T06:13:44Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://c1077742a4c817d223978c8aa8cb1079d6d40baf270a9345028c488b67979022
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client@sha256:eb5497c75132fa9bd33b3a3fb969cd8de553074d75ddbc096bb970566917a16e
    lastState: {}
    name: vpn-shoot-s0
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-06T06:14:16Z"
  - containerID: containerd://c5e5788cb588394e35faf79e4b29cadbcaa210a70ffc4427a2f632f4066040ef
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client@sha256:eb5497c75132fa9bd33b3a3fb969cd8de553074d75ddbc096bb970566917a16e
    lastState: {}
    name: vpn-shoot-s1
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-06T06:14:16Z"
  hostIP: 10.250.3.86
  initContainerStatuses:
  - containerID: containerd://68314911ed497cbf1e42eb53f796f6e0487c3e20e2ed0e65937fe6a711dece95
    image: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client:0.24.0
    imageID: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client@sha256:eb5497c75132fa9bd33b3a3fb969cd8de553074d75ddbc096bb970566917a16e
    lastState: {}
    name: vpn-shoot-init
    ready: true
    restartCount: 0
    started: false
    state:
      terminated:
        containerID: containerd://68314911ed497cbf1e42eb53f796f6e0487c3e20e2ed0e65937fe6a711dece95
        exitCode: 0
        finishedAt: "2024-05-06T06:14:13Z"
        reason: Completed
        startedAt: "2024-05-06T06:14:13Z"
  phase: Running
  podIP: 100.110.0.7
  podIPs:
  - ip: 100.110.0.7
  qosClass: Burstable
  startTime: "2024-05-06T06:13:44Z"

Logs:

logs of vpn-seed-server-0
[Mon May  6 06:07:42 UTC 2024]: using openvpn_network=192.168.123.0/26
2024-05-06 06:07:43 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-06 06:07:43 WARNING: file '/srv/secrets/vpn-server/tls.key' is group or others accessible
2024-05-06 06:07:43 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-05-06 06:07:43 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-06 06:07:43 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
2024-05-06 06:07:43 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-05-06 06:07:43 TUN/TAP device tap0 opened
2024-05-06 06:07:43 /sbin/ip link set dev tap0 up mtu 1500
2024-05-06 06:07:43 /sbin/ip link set dev tap0 up
2024-05-06 06:07:43 /sbin/ip addr add dev tap0 192.168.123.1/26
2024-05-06 06:07:43 /firewall.sh on tap0 tap0 1500 0 192.168.123.1 255.255.255.192 init
using iptables backend legacy
2024-05-06 06:07:43 Listening for incoming TCP connection on [AF_INET][undef]:1194
2024-05-06 06:07:43 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
2024-05-06 06:07:43 TCPv4_SERVER link remote: [AF_UNSPEC]
2024-05-06 06:07:43 Initialization Sequence Completed
2024-05-06 06:07:46 TCP connection established with [AF_INET]100.102.3.153:41122
2024-05-06 06:07:46 100.102.3.153:41122 Connection reset, restarting [0]
2024-05-06 06:07:47 TCP connection established with [AF_INET]100.102.3.153:41128
2024-05-06 06:07:47 100.102.3.153:41128 TCP connection established with [AF_INET]100.102.3.153:41132
2024-05-06 06:07:47 100.102.3.153:41128 Connection reset, restarting [0]
2024-05-06 06:07:47 100.102.3.153:41132 Connection reset, restarting [0]
2024-05-06 06:07:57 TCP connection established with [AF_INET]100.102.3.153:43278
2024-05-06 06:07:57 100.102.3.153:43278 TCP connection established with [AF_INET]100.102.3.153:43284
2024-05-06 06:07:57 100.102.3.153:43278 Connection reset, restarting [0]
2024-05-06 06:07:57 100.102.3.153:43284 Connection reset, restarting [0]
2024-05-06 06:08:07 TCP connection established with [AF_INET]100.102.3.153:65030
2024-05-06 06:08:07 100.102.3.153:65030 TCP connection established with [AF_INET]100.102.3.153:65046
2024-05-06 06:08:07 100.102.3.153:65030 Connection reset, restarting [0]
2024-05-06 06:08:07 100.102.3.153:65046 Connection reset, restarting [0]
2024-05-06 06:08:17 TCP connection established with [AF_INET]100.102.3.153:54528
2024-05-06 06:08:17 100.102.3.153:54528 TCP connection established with [AF_INET]100.102.3.153:54532
2024-05-06 06:08:17 100.102.3.153:54528 Connection reset, restarting [0]
2024-05-06 06:08:17 100.102.3.153:54532 Connection reset, restarting [0]
2024-05-06 06:08:27 TCP connection established with [AF_INET]100.102.3.153:64288
2024-05-06 06:08:27 100.102.3.153:64288 TCP connection established with [AF_INET]100.102.3.153:64292
2024-05-06 06:08:27 100.102.3.153:64288 Connection reset, restarting [0]
2024-05-06 06:08:27 100.102.3.153:64292 Connection reset, restarting [0]
2024-05-06 06:08:37 TCP connection established with [AF_INET]100.102.3.153:45508
2024-05-06 06:08:37 100.102.3.153:45508 TCP connection established with [AF_INET]100.102.3.153:45512

logs of vpn-seed-server-1
[Mon May  6 06:07:41 UTC 2024]: using openvpn_network=192.168.123.64/26
2024-05-06 06:07:41 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-06 06:07:41 WARNING: file '/srv/secrets/vpn-server/tls.key' is group or others accessible
2024-05-06 06:07:41 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-05-06 06:07:41 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-06 06:07:41 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
2024-05-06 06:07:41 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-05-06 06:07:41 TUN/TAP device tap0 opened
2024-05-06 06:07:41 /sbin/ip link set dev tap0 up mtu 1500
2024-05-06 06:07:41 /sbin/ip link set dev tap0 up
2024-05-06 06:07:41 /sbin/ip addr add dev tap0 192.168.123.65/26
2024-05-06 06:07:41 /firewall.sh on tap0 tap0 1500 0 192.168.123.65 255.255.255.192 init
using iptables backend legacy
2024-05-06 06:07:42 Listening for incoming TCP connection on [AF_INET][undef]:1194
2024-05-06 06:07:42 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
2024-05-06 06:07:42 TCPv4_SERVER link remote: [AF_UNSPEC]
2024-05-06 06:07:42 Initialization Sequence Completed
2024-05-06 06:07:43 TCP connection established with [AF_INET]100.102.1.33:39588
2024-05-06 06:07:43 100.102.1.33:39588 Connection reset, restarting [0]
2024-05-06 06:07:47 TCP connection established with [AF_INET]100.102.1.33:39590
2024-05-06 06:07:47 100.102.1.33:39590 TCP connection established with [AF_INET]100.102.1.33:39592
2024-05-06 06:07:47 100.102.1.33:39590 Connection reset, restarting [0]
2024-05-06 06:07:47 100.102.1.33:39592 Connection reset, restarting [0]
2024-05-06 06:07:57 TCP connection established with [AF_INET]100.102.1.33:60704
2024-05-06 06:07:57 100.102.1.33:60704 TCP connection established with [AF_INET]100.102.1.33:60698
2024-05-06 06:07:57 100.102.1.33:60704 Connection reset, restarting [0]
2024-05-06 06:07:57 100.102.1.33:60698 Connection reset, restarting [0]
2024-05-06 06:08:07 TCP connection established with [AF_INET]100.102.1.33:59374
2024-05-06 06:08:07 100.102.1.33:59374 TCP connection established with [AF_INET]100.102.1.33:59388
2024-05-06 06:08:07 100.102.1.33:59374 Connection reset, restarting [0]
2024-05-06 06:08:07 100.102.1.33:59388 Connection reset, restarting [0]
2024-05-06 06:08:17 TCP connection established with [AF_INET]100.102.1.33:39856
2024-05-06 06:08:17 100.102.1.33:39856 TCP connection established with [AF_INET]100.102.1.33:39860
2024-05-06 06:08:17 100.102.1.33:39856 Connection reset, restarting [0]
2024-05-06 06:08:17 100.102.1.33:39860 Connection reset, restarting [0]
2024-05-06 06:08:27 TCP connection established with [AF_INET]100.102.1.33:48142
2024-05-06 06:08:27 100.102.1.33:48142 TCP connection established with [AF_INET]100.102.1.33:48156

logs of vpn-shoot-0
root@shoot--acme--ha-test-worker-kql23-z2-5df74-kz6cf:~# tail -f /var/log/pods/kube-system_vpn-shoot-0_d2f4be19-d5a6-42c0-9289-a114e259dc8a/vpn-shoot-init/0.log
2024-05-06T06:14:28.647498371Z stdout F [Mon May  6 06:14:28 UTC 2024]: Setting 75 on /proc/sys/net/ipv4/tcp_keepalive_intvl
2024-05-06T06:14:28.649517604Z stdout F [Mon May  6 06:14:28 UTC 2024]: Setting 9 on /proc/sys/net/ipv4/tcp_keepalive_probes
2024-05-06T06:14:28.651151747Z stdout F [Mon May  6 06:14:28 UTC 2024]: Setting 5 on /proc/sys/net/ipv4/tcp_retries2
2024-05-06T06:14:28.653408989Z stdout F [Mon May  6 06:14:28 UTC 2024]: configure bonding
2024-05-06T06:14:28.655285813Z stdout F [Mon May  6 06:14:28 UTC 2024]: bonding address is 192.168.123.194/26
2024-05-06T06:14:28.682617749Z stdout F 2024-05-06 06:14:28 TUN/TAP device tap0 opened
2024-05-06T06:14:28.68301128Z stdout F 2024-05-06 06:14:28 Persist state set to: ON
2024-05-06T06:14:28.698360957Z stdout F 2024-05-06 06:14:28 TUN/TAP device tap1 opened
2024-05-06T06:14:28.698638404Z stdout F 2024-05-06 06:14:28 Persist state set to: ON
2024-05-06T06:14:28.702444213Z stdout F [Mon May  6 06:14:28 UTC 2024]: ip link add bond0 type bond mode active-backup fail_over_mac 1 arp_interval 1000 arp_ip_target "192.168.123.193" arp_all_targets 0 primary tap0 num_grat_arp 5

root@shoot--acme--ha-test-worker-kql23-z2-5df74-kz6cf:~# tail -f /var/log/pods/kube-system_vpn-shoot-0_d2f4be19-d5a6-42c0-9289-a114e259dc8a/vpn-shoot-s0/0.log
2024-05-06T10:26:38.484500278Z stdout F 2024-05-06 10:26:38 TCP connection established with [AF_INET]10.0.171.94:8132
2024-05-06T10:26:48.491331704Z stdout F 2024-05-06 10:26:48 HTTP proxy returned bad status
2024-05-06T10:26:48.492408999Z stdout F 2024-05-06 10:26:48 SIGTERM[soft,HTTP proxy error] received, process exiting
2024-05-06T10:26:49.505970779Z stdout F [Mon May  6 10:26:49 UTC 2024]: openvpn --dev tap0 --remote api.ha-test.acme.internal.acme-cloud.ch. --config openvpn.config
2024-05-06T10:26:49.512886703Z stdout F 2024-05-06 10:26:49 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-06T10:26:49.518719305Z stdout F 2024-05-06 10:26:49 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-05-06T10:26:49.519210954Z stdout F 2024-05-06 10:26:49 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-06T10:26:49.536941845Z stdout F 2024-05-06 10:26:49 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.171.94:8132
2024-05-06T10:26:49.536986827Z stdout F 2024-05-06 10:26:49 Attempting to establish TCP connection with [AF_INET]10.0.171.94:8132
2024-05-06T10:26:49.539247632Z stdout F 2024-05-06 10:26:49 TCP connection established with [AF_INET]10.0.171.94:8132
2024-05-06T10:26:59.550278684Z stdout F 2024-05-06 10:26:59 HTTP proxy returned bad status
2024-05-06T10:26:59.553171748Z stdout F 2024-05-06 10:26:59 SIGTERM[soft,HTTP proxy error] received, process exiting
2024-05-06T10:27:00.561714393Z stdout F [Mon May  6 10:27:00 UTC 2024]: openvpn --dev tap0 --remote api.ha-test.acme.internal.acme-cloud.ch. --config openvpn.config
2024-05-06T10:27:00.569793981Z stdout F 2024-05-06 10:27:00 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-06T10:27:00.574975322Z stdout F 2024-05-06 10:27:00 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-05-06T10:27:00.575268642Z stdout F 2024-05-06 10:27:00 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-06T10:27:00.587198057Z stdout F 2024-05-06 10:27:00 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.171.94:8132
2024-05-06T10:27:00.587409246Z stdout F 2024-05-06 10:27:00 Attempting to establish TCP connection with [AF_INET]10.0.171.94:8132
2024-05-06T10:27:00.589709847Z stdout F 2024-05-06 10:27:00 TCP connection established with [AF_INET]10.0.171.94:8132
^C
root@shoot--acme--ha-test-worker-kql23-z2-5df74-kz6cf:~# tail -f /var/log/pods/kube-system_vpn-shoot-0_d2f4be19-d5a6-42c0-9289-a114e259dc8a/vpn-shoot-s1/0.log 
2024-05-06T10:26:58.538163233Z stdout F 2024-05-06 10:26:58 TCP connection established with [AF_INET]10.0.171.94:8132
2024-05-06T10:27:08.544762116Z stdout F 2024-05-06 10:27:08 HTTP proxy returned bad status
2024-05-06T10:27:08.545881175Z stdout F 2024-05-06 10:27:08 SIGTERM[soft,HTTP proxy error] received, process exiting
2024-05-06T10:27:09.556969898Z stdout F [Mon May  6 10:27:09 UTC 2024]: openvpn --dev tap1 --remote api.ha-test.acme.internal.acme-cloud.ch. --config openvpn.config
2024-05-06T10:27:09.56566406Z stdout F 2024-05-06 10:27:09 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-06T10:27:09.570347933Z stdout F 2024-05-06 10:27:09 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-05-06T10:27:09.57061768Z stdout F 2024-05-06 10:27:09 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-06T10:27:09.582452304Z stdout F 2024-05-06 10:27:09 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.171.94:8132
2024-05-06T10:27:09.582851014Z stdout F 2024-05-06 10:27:09 Attempting to establish TCP connection with [AF_INET]10.0.171.94:8132
2024-05-06T10:27:09.585075084Z stdout F 2024-05-06 10:27:09 TCP connection established with [AF_INET]10.0.171.94:8132
2024-05-06T10:27:19.600111442Z stdout F 2024-05-06 10:27:19 HTTP proxy returned bad status
2024-05-06T10:27:19.600320561Z stdout F 2024-05-06 10:27:19 SIGTERM[soft,HTTP proxy error] received, process exiting
2024-05-06T10:27:20.60377504Z stdout F [Mon May  6 10:27:20 UTC 2024]: openvpn --dev tap1 --remote api.ha-test.acme.internal.acme-cloud.ch. --config openvpn.config
2024-05-06T10:27:20.609048664Z stdout F 2024-05-06 10:27:20 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-06T10:27:20.614152753Z stdout F 2024-05-06 10:27:20 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-05-06T10:27:20.614232274Z stdout F 2024-05-06 10:27:20 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-06T10:27:20.625250552Z stdout F 2024-05-06 10:27:20 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.171.94:8132
2024-05-06T10:27:20.626155395Z stdout F 2024-05-06 10:27:20 Attempting to establish TCP connection with [AF_INET]10.0.171.94:8132
2024-05-06T10:27:20.629566708Z stdout F 2024-05-06 10:27:20 TCP connection established with [AF_INET]10.0.171.94:8132

logs of vpn-shoot-1
root@shoot--acme--ha-test-worker-kql23-z1-7c475-tjzh5:~# tail -f /var/log/pods/kube-system_vpn-shoot-1_eabcca6a-d56c-410b-ace6-b3a505b1664a/vpn-shoot-init/0.log
2024-05-06T06:14:13.440693551Z stdout F [Mon May  6 06:14:13 UTC 2024]: Setting 75 on /proc/sys/net/ipv4/tcp_keepalive_intvl
2024-05-06T06:14:13.443579714Z stdout F [Mon May  6 06:14:13 UTC 2024]: Setting 9 on /proc/sys/net/ipv4/tcp_keepalive_probes
2024-05-06T06:14:13.445893102Z stdout F [Mon May  6 06:14:13 UTC 2024]: Setting 5 on /proc/sys/net/ipv4/tcp_retries2
2024-05-06T06:14:13.448422352Z stdout F [Mon May  6 06:14:13 UTC 2024]: configure bonding
2024-05-06T06:14:13.450400359Z stdout F [Mon May  6 06:14:13 UTC 2024]: bonding address is 192.168.123.195/26
2024-05-06T06:14:13.516451512Z stdout F 2024-05-06 06:14:13 TUN/TAP device tap0 opened
2024-05-06T06:14:13.516469497Z stdout F 2024-05-06 06:14:13 Persist state set to: ON
2024-05-06T06:14:13.530717028Z stdout F 2024-05-06 06:14:13 TUN/TAP device tap1 opened
2024-05-06T06:14:13.530992421Z stdout F 2024-05-06 06:14:13 Persist state set to: ON
2024-05-06T06:14:13.535145514Z stdout F [Mon May  6 06:14:13 UTC 2024]: ip link add bond0 type bond mode active-backup fail_over_mac 1 arp_interval 1000 arp_ip_target "192.168.123.193" arp_all_targets 0 primary tap0 num_grat_arp 5

root@shoot--acme--ha-test-worker-kql23-z1-7c475-tjzh5:~# tail -f /var/log/pods/kube-system_vpn-shoot-1_eabcca6a-d56c-410b-ace6-b3a505b1664a/vpn-shoot-s0/0.log
2024-05-06T10:08:03.156882658Z stdout F 2024-05-06 10:08:03 TCP connection established with [AF_INET]10.0.171.94:8132
2024-05-06T10:08:13.162415192Z stdout F 2024-05-06 10:08:13 HTTP proxy returned bad status
2024-05-06T10:08:13.163463029Z stdout F 2024-05-06 10:08:13 SIGTERM[soft,HTTP proxy error] received, process exiting
2024-05-06T10:08:14.171163387Z stdout F [Mon May  6 10:08:14 UTC 2024]: openvpn --dev tap0 --remote api.ha-test.acme.internal.acme-cloud.ch. --config openvpn.config
2024-05-06T10:08:14.178918691Z stdout F 2024-05-06 10:08:14 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-06T10:08:14.183111398Z stdout F 2024-05-06 10:08:14 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-05-06T10:08:14.183282489Z stdout F 2024-05-06 10:08:14 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-06T10:08:14.194550924Z stdout F 2024-05-06 10:08:14 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.171.94:8132
2024-05-06T10:08:14.194796557Z stdout F 2024-05-06 10:08:14 Attempting to establish TCP connection with [AF_INET]10.0.171.94:8132
2024-05-06T10:08:14.197854891Z stdout F 2024-05-06 10:08:14 TCP connection established with [AF_INET]10.0.171.94:8132
2024-05-06T10:08:24.211847Z stdout F 2024-05-06 10:08:24 HTTP proxy returned bad status
2024-05-06T10:08:24.211915702Z stdout F 2024-05-06 10:08:24 SIGTERM[soft,HTTP proxy error] received, process exiting
2024-05-06T10:08:25.217061271Z stdout F [Mon May  6 10:08:25 UTC 2024]: openvpn --dev tap0 --remote api.ha-test.acme.internal.acme-cloud.ch. --config openvpn.config
2024-05-06T10:08:25.224648152Z stdout F 2024-05-06 10:08:25 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-06T10:08:25.230506486Z stdout F 2024-05-06 10:08:25 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-05-06T10:08:25.230936596Z stdout F 2024-05-06 10:08:25 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-06T10:08:25.244487899Z stdout F 2024-05-06 10:08:25 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.171.94:8132
2024-05-06T10:08:25.245066582Z stdout F 2024-05-06 10:08:25 Attempting to establish TCP connection with [AF_INET]10.0.171.94:8132
2024-05-06T10:08:25.248670399Z stdout F 2024-05-06 10:08:25 TCP connection established with [AF_INET]10.0.171.94:8132
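
A triage sketch for the vpn-shoot-s0/s1 container logs above, added here and not part of the issue or of Gardener's code: it pairs each TCP connect with the `HTTP proxy returned bad status` line that follows and reports how long each attempt lasted and whether the tunnel ever came up. The function and field names are hypothetical; the sample lines are copied from the vpn-shoot-s0 log.

```python
import re
from datetime import datetime, timedelta

# Excerpt copied from the vpn-shoot-s0 log above (CRI format: "<ts> <stream> <F|P> <message>").
SAMPLE = """\
2024-05-06T10:26:38.484500278Z stdout F 2024-05-06 10:26:38 TCP connection established with [AF_INET]10.0.171.94:8132
2024-05-06T10:26:48.491331704Z stdout F 2024-05-06 10:26:48 HTTP proxy returned bad status
2024-05-06T10:26:48.492408999Z stdout F 2024-05-06 10:26:48 SIGTERM[soft,HTTP proxy error] received, process exiting
2024-05-06T10:26:49.505970779Z stdout F [Mon May  6 10:26:49 UTC 2024]: openvpn --dev tap0 --remote api.ha-test.acme.internal.acme-cloud.ch. --config openvpn.config
2024-05-06T10:26:49.539247632Z stdout F 2024-05-06 10:26:49 TCP connection established with [AF_INET]10.0.171.94:8132
2024-05-06T10:26:59.550278684Z stdout F 2024-05-06 10:26:59 HTTP proxy returned bad status
2024-05-06T10:26:59.553171748Z stdout F 2024-05-06 10:26:59 SIGTERM[soft,HTTP proxy error] received, process exiting
2024-05-06T10:27:00.589709847Z stdout F 2024-05-06 10:27:00 TCP connection established with [AF_INET]10.0.171.94:8132
"""

CRI = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z (stdout|stderr) [FP] (.*)$")
CONNECTED = re.compile(r"TCP connection established with \[AF_INET\]([\d.]+:\d+)")


def parse_ts(base, frac):
    """CRI timestamps carry up to 9 fractional digits; keep microsecond precision."""
    ts = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return ts + timedelta(seconds=float("0." + frac)) if frac else ts


def analyze(log_text):
    """Pair each TCP connect with the proxy error that follows it."""
    attempts, open_conn, tunnel_up = [], None, False
    for line in log_text.splitlines():
        m = CRI.match(line)
        if not m:
            continue  # shell prompts, "^C", blank lines
        ts, msg = parse_ts(m.group(1), m.group(2)), m.group(4)
        c = CONNECTED.search(msg)
        if c:
            open_conn = (c.group(1), ts)
        elif "HTTP proxy returned bad status" in msg and open_conn:
            endpoint, started = open_conn
            attempts.append((endpoint, (ts - started).total_seconds()))
            open_conn = None
        elif "Initialization Sequence Completed" in msg:
            tunnel_up, open_conn = True, None
    return {
        "failed": len(attempts),
        "pending": 1 if open_conn else 0,  # connect seen, outcome not yet logged
        "endpoints": {e for e, _ in attempts},
        "seconds_to_error": [round(s, 2) for _, s in attempts],
        "tunnel_up": tunnel_up,
        # Repeated proxy failures with no completed handshake: restart loop.
        "restart_loop": len(attempts) >= 2 and not tunnel_up,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the excerpt, both completed attempts reach 10.0.171.94:8132 at the TCP level and fail at the proxy step about ten seconds later, which lines up with the ten-second reconnect cadence in the vpn-seed-server logs.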
