status.networking.egressCIDRs[0] is invalid: must be valid canonical CIDR

[rhizoet]

How to categorize this issue?

/area networking
/kind bug
/platform openstack

What happened:
After updating to Gardener 1.107.0 we get the following message:

task "Waiting until shoot infrastructure has been reconciled" failed: Shoot.core.gardener.cloud "shoot" is invalid: status.networking.egressCIDRs[0]: Invalid value: "2a13:1a81:8000::5d/32": must be valid canonical CIDR

What you expected to happen:
You should not choose the first IP that comes along. You should check which IP is the correct one. For example, we do not support IPv6 in our Gardener. However, the Router provides an IPv6. Accordingly, you should check whether the IP works or is correct.

How to reproduce it (as minimally and precisely as possible):
Upgrade to 1.107.0 and check whether a Router specifies an IPv6 in the first position.

Anything else we need to know?:

Environment:

• Gardener version (if relevant): 1.107.0
• Extension version: 1.42.1
• Kubernetes version (use kubectl version): 1.29.10 / 1.30.6
• Cloud provider or hardware configuration: Own Datacenter
• Others:

[benedikt-haug]

Also seeing this issue in our setup. This blocks any update to a release higher than v1.106

[kon-angelo]

Hi @rhizoet. I would very much like to contribute the fix but because I am lacking in access to proper ipv6 support in my environment to test properly, could you help understand the situation better ?

Accordingly, you should check whether the IP works or is correct.

AFAIK Neutron would return a singular IP (and not a range). I don't have particular reason to distrust that an IP is incorrect from an API response even if gardener later validates the IP. We do append the /32 because we were expecting an IPv4 which would probably make the IPv6 provided incorrect or at least "non-canonical".

• Does this mean that your router gets created with multiple ExternalFixedIP ?

You should check which IP is the correct one

In that case we should probably return all of them and assign them to the egressCIDRs
I believe that we should probably return a list of IPs also in the infrastructure status.
Is there any reason that we should filter exclusively for the ipv4 only?

[benedikt-haug]

Knowing I wasn't asked but trying to be helpful regardless:

For our (unrelated) setup, it looks like this, so if one would expect the first one to be an IPv4 address this wouldn't fit

[kon-angelo]

@benedikt-haug I should extend the question to anyone involved - apologies and thank you 💯

[rhizoet]

Hi @kon-angelo, thank you for your feedback.

It is correct that our routers always receive two ExternalFixedIPs. One IPv4 and one IPv6. This is due to our Openstack setup and cannot be changed.

However, we do not actually use IPv6 in the Gardener context. But since it is not only Gardener or Kubernetes that runs on it, this cannot be changed. I have no preference as to which IPs should be used. Only IPv4 would work for me too. I don't know whether there could be setups where only IPv6 is used.

[lotharbach]

We deployed the bugfix from PR #936 successfully with both gardener 1.107 and 1.108. As mentioned in the PR this is just a very minimal solution to get us unblocked regarding further upgrades.