first test of degraded OnStart

[lynchc]

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

Fixes: #issue-number

<!-- Enter the release note text here if needed or remove this section! -->

[tanle-ux]

This var block is not gofmt-aligned — gofmt -l flags the file. Run gofmt -w (the = columns need re-aligning after adding the longer name), otherwise the make checkpatch/gofmt CI gate will fail.

[tanle-ux]

In the normal path k8sversion.Update() (l.259) populates the global version + capabilities before onStart returns. The degraded path returns before that runs, so the agent operates with default/empty capabilities until recovery succeeds. Is downstream code that reads k8sversion.Capabilities() safe with unset values during the degraded window?

[tanle-ux]

minor

[lynchc]

this I should dig into more. I wonder what the default capabilities are? what would be missing without the version check succeeding. I'll check it out

[tanle-ux]

This degraded-start feature doesn't extend to the operator, which embeds the same client.Cell and flag. When this path returns nil with the version unset, runOperator (operator/cmd/root.go:525-530) sees MinimalVersionMet == false and calls logging.Fatal, so the operator exits during the outage instead of running degraded. Not a regression (the operator already fails to start when the apiserver is unreachable), but if degraded-start is meant to cover the operator, that version gate needs the same relaxation.

[tanle-ux]

This is good to know but it does not impact operator.

[lynchc]

ah ya. I didn't even think of the operator

[tanle-ux]

Returning nil while the apiserver is still unreachable makes the controller record a success every interval (growing successCount, lastError=nil), so cilium status --all-controllers and the controller metrics show zero failures and operators can't see the node is stuck degraded. Prefer return err here (and optionally attach a Health reporter) so status/metrics reflect the degraded state — note this also engages the error-backoff cadence, so pair it with MaxRetryInterval if you want to keep a steady retry rate.

[tanle-ux]

RemoveController runs unconditionally here, even when k8sversion.Update() only logged a Warn. A successful isConnReady (a kube-system GET) does not guarantee ServerVersion() succeeds, so the controller can be destroyed with the cached version still zero-valued for the process lifetime — CEP sync (endpointsynchronizer.go:~120) then stays permanently broken while the agent looks healthy.

Reorder so the version gate runs first and the controller is only torn down once the version is confirmed; otherwise return err to keep retrying. This also resolves the fatal-vs-warn asymmetry (degraded now stays degraded and retries instead of silently running on an unsupported version), starts the heartbeat only after the connection is confirmed (avoiding a premature/duplicate heartbeat), drops the leftover // might remove note, and fixes the standardc typo.

Note: return err switches the controller to its error-backoff path (errorRetries * 1s, uncapped). If you want to keep the steady 5s cadence, also set MaxRetryInterval: connRetryInterval (or an ErrorRetryBaseDuration) on the ControllerParams.

Suggested change

	c.logger.Info("Re-established connection to API server. Exiting degraded state",
	logfields.IPAddr, c.restConfigManager.getConfig().Host,
	)
	// start the heartbeat as this was previously skipped
	c.startHeartbeat()
	// do the k8s version check. might remove
	if err := k8sversion.Update(c.logger, c, c.config.EnableK8sAPIDiscovery); err != nil {
	c.logger.Warn("k8s version check failed after reconnect", logfields.Error, err)
	} else if !k8sversion.Capabilities().MinimalVersionMet {
	c.logger.Warn("k8s version does not meet minimal standardc",
	"version", k8sversion.Version(),
	"minVersion", k8sversion.MinimalVersionConstraint,
	)
	}
	c.controller.RemoveController(controllerName)
	return nil
	// A successful isConnReady (kube-system GET) does not guarantee the
	// version discovery call below succeeds. Only exit degraded state once
	// the version is confirmed; until then stay degraded and let the
	// controller retry rather than tearing it down with an unset version.
	if err := k8sversion.Update(c.logger, c, c.config.EnableK8sAPIDiscovery); err != nil {
	c.logger.Warn("k8s version check failed after reconnect; staying degraded", logfields.Error, err)
	return err
	}
	if !k8sversion.Capabilities().MinimalVersionMet {
	return fmt.Errorf("k8s version (%v) does not meet minimal requirement (%v); staying degraded",
	k8sversion.Version(), k8sversion.MinimalVersionConstraint)
	}
	c.logger.Info("Re-established connection to API server. Exiting degraded state",
	logfields.IPAddr, c.restConfigManager.getConfig().Host,
	)
	// Start the heartbeat (skipped during degraded onStart) now that the
	// connection is confirmed usable, then stop retrying.
	c.startHeartbeat()
	c.controller.RemoveController(controllerName)
	return nil

[tanle-ux]

New agent flag — regenerate the cmdref docs (make -C Documentation update-cmdref) or the Documentation/cmdref CI check will fail.