Log error message on unhealthy /healthz check

[sjdot]

I was looking into kubelet liveness checks returning HTTP 503 response codes recently and noticed that there was not any logging in the agent that indicated the issue.

The logging I'm adding in this PR allowed me to track down why the liveness checks were failing by giving the error message associated with the current subsystem's unhealthy state. For example:

WARN  [<timestamp>] cilium.io/agent: 1.11.13 (v1.11.13-e4e51408f9) /healthz returning unhealthy: Kvstore service is not ready: Err: not able to connect to any etcd endpoints (state: Failure, subsys: daemon)

[christarazi]

Thanks for the PR, mostly LGTM. Just one comment below about rate limiting potentially.

[christarazi]

Do you think it might be useful to rate limit logs here? I'm concerned that it would spam the logs if the Agent is having flapping issues.

[sjdot]

@christarazi this should log at the rate that the /healthz endpoint is hit by an HTTP client. In the default case I believe that's every 10 seconds by the kubelet liveness check. Probably useful to have that log line at that sort of a rate to make sure that it's obvious there is a health check issue when looking at logs. Happy to add the rate limiting however if you would prefer.

[christarazi]

Ah, in that case, let's avoid complicating it and see how it goes. We can always fix it up later if it's a problem.

[christarazi]

Just one final nit that I forgot last time, allows us to remove the dynamic log msg in favor of logfields.

[christarazi]

Could you add the PR description context into the commit msg? This should be the last thing from my side, pending CI results.

[christarazi]

/test

[christarazi]

/test

[christarazi]

@sjdot Just a heads up, each time there's a push, the CI results are thrown away. Were you pushing to resolve some sort of flake that needed a rebase?

[sjdot]

Hi @christarazi. Yeah think the CI had a flake yesterday.

I've been merging to get the latest changes from "main" into the branch which I assume will block a merge if not done?

[christarazi]

Sometimes it's not necessary. We merge with "rebase & merge" strategy so in the end, the PR is applied on top of main.

Right now it looks like CI has passed, so we can await for approving reviews, and then merge when we have them.

[sjdot]

@christarazi ok great, good to know!

[sjdot]

@christarazi is the failing "Chart CI Push" a blocker here?

[christarazi]

Yep looks like #25524

[christarazi]

/test-1.26-net-next

[sjdot]

@christarazi looks like your jenkins instance may be having some issues?

[christarazi]

/test-1.26-net-next

[christarazi]

We had an outage over the weekend and it should now be resolved.

[sjdot]

@christarazi looks like a 404 for the jenkins job that's pending

[christarazi]

/test-1.26-net-next

[sjdot]

@christarazi looks like tests were hanging again. There was also a merge conflict so I've rebased and pushed.

[christarazi]

/test

Edit: runtime hit #25939

[sjdot]

@christarazi looks like more flakes

[christarazi]

/test-runtime

[sjdot]

@christarazi more flakes, mind kicking it again?

[ti-mo]

/ci-ginkgo

[ti-mo]

I think this may need another rebase after the ginkgo changes that were made to over the past few weeks.

I've tagged this as a release blocker since it would be a nice quality-of-life improvement for 1.14.

[sjdot]

Thanks @ti-mo, I've rebased as suggested

[ti-mo]

/test

[ti-mo]

Re-running a few test flakes, this should be good to go.