Stabilize VPN farm startup path

agents/rap-node-agent/cmd/rap-node-agent/main.go

@@ -4202,6 +4202,10 @@ func ensureVPNGatewayRuntime(ctx context.Context, api *client.Client, identity s
 	activeOwner := false
 	for _, assignment := range assignments {
 		if assignment.AssignmentReason == "eligible_candidate" && assignment.DesiredState == "enabled" {
+			if !vpnAssignmentLeaseAutoAcquireAllowed(identity.NodeID, assignment) {
+				log.Printf("vpn assignment lease auto-acquire skipped: vpn_connection_id=%s reason=local_node_is_not_selected_exit", assignment.VPNConnectionID)
+				continue
+			}
 			lease, err := api.AcquireNodeVPNAssignmentLease(ctx, identity.ClusterID, identity.NodeID, assignment.VPNConnectionID, client.NodeVPNAssignmentLeaseAcquireRequest{
 				TTLSeconds: 300,
 				Metadata: map[string]any{
@@ -4269,6 +4273,29 @@ func ensureVPNGatewayRuntime(ctx context.Context, api *client.Client, identity s
 	return nil
 }
 
+func vpnAssignmentLeaseAutoAcquireAllowed(localNodeID string, assignment client.NodeVPNAssignment) bool {
+	localNodeID = strings.TrimSpace(localNodeID)
+	if localNodeID == "" {
+		return false
+	}
+	var policy struct {
+		ExitNodeID  string   `json:"exit_node_id"`
+		ExitNodeIDs []string `json:"exit_node_ids"`
+	}
+	if len(assignment.PlacementPolicy) == 0 || json.Unmarshal(assignment.PlacementPolicy, &policy) != nil {
+		return true
+	}
+	if exitNodeID := strings.TrimSpace(policy.ExitNodeID); exitNodeID != "" {
+		return exitNodeID == localNodeID
+	}
+	for _, exitNodeID := range policy.ExitNodeIDs {
+		if strings.TrimSpace(exitNodeID) == localNodeID {
+			return true
+		}
+	}
+	return len(policy.ExitNodeIDs) == 0
+}
+
 func localGatewayTransportForAssignment(identity state.Identity, assignment client.NodeVPNAssignment, meshState *syntheticMeshState, _ *client.Client) vpnruntime.PacketTransport {
 	if meshState == nil || meshState.VPNFabricInbox == nil || assignment.VPNConnectionID == "" {
 		return nil