- Gosec fix

- Cleanup daemonset once all host are registered

Author: AmitSahastra

controllers/lxd_initializer_ds.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/spectrocloud/cluster-api-provider-maas/pkg/maas/scope"
 	"github.com/spectrocloud/cluster-api-provider-maas/pkg/util/trust"
+	"github.com/spectrocloud/cluster-api-provider-maas/pkg/util"
 
 	// embed template
 	_ "embed"
@@ -66,6 +67,7 @@ func (r *MaasClusterReconciler) ensureLXDInitializerDS(ctx context.Context, clus
 	// Gate: derive desired CP count from MaasCloudConfig; fallback to KCP
 	desiredCP := int32(1)
 	readyByKCP := int32(0)
+
 	// Prefer MaasCloudConfig.spec.machinePoolConfig[].size where isControlPlane=true (sum)
 	{
 		mccList := &unstructured.UnstructuredList{}
@@ -99,7 +101,7 @@ func (r *MaasClusterReconciler) ensureLXDInitializerDS(ctx context.Context, clus
 					}
 				}
 				if sum > 0 {
-					desiredCP = int32(sum)
+					desiredCP = util.SafeInt64ToInt32(sum)
 					break
 				}
 			}
@@ -115,10 +117,10 @@ func (r *MaasClusterReconciler) ensureLXDInitializerDS(ctx context.Context, clus
 			if len(kcpList.Items) > 0 {
 				item := kcpList.Items[0]
 				if v, found, _ := unstructured.NestedInt64(item.Object, "spec", "replicas"); found && v > 0 {
-					desiredCP = int32(v)
+					desiredCP = util.SafeInt64ToInt32(v)
 				}
 				if v, found, _ := unstructured.NestedInt64(item.Object, "status", "readyReplicas"); found && v >= 0 {
-					readyByKCP = int32(v)
+					readyByKCP = util.SafeInt64ToInt32(v)
 				}
 			}
 		}
@@ -139,7 +141,7 @@ func (r *MaasClusterReconciler) ensureLXDInitializerDS(ctx context.Context, clus
 			}
 		}
 		// Proceed when CP nodes are present and Ready, regardless of KCP readyReplicas
-		if int32(len(nodeList.Items)) < desiredCP || int32(ready) < desiredCP {
+		if int64(len(nodeList.Items)) < int64(desiredCP) || int64(ready) < int64(desiredCP) {
 			r.Log.Info("Not enough control-plane nodes present/ready yet; skipping DS for now", "desiredCP", desiredCP, "readyByKCP", readyByKCP, "nodeList", len(nodeList.Items), "ready", ready)
 			// Not enough control-plane nodes present/ready yet; skip DS for now
 			return nil
@@ -166,6 +168,33 @@ func (r *MaasClusterReconciler) ensureLXDInitializerDS(ctx context.Context, clus
 		return fmt.Errorf("failed to ensure LXD initializer RBAC: %v", err)
 	}
 
+	// Short-circuit deletion: if all control-plane nodes are labeled initialized, delete DS
+	shortCircuitNodes := &corev1.NodeList{}
+	shortCircuitSelector := labels.SelectorFromSet(labels.Set{
+		"node-role.kubernetes.io/control-plane": "",
+	})
+	if err := remoteClient.List(ctx, shortCircuitNodes, &client.ListOptions{LabelSelector: shortCircuitSelector}); err == nil && len(shortCircuitNodes.Items) > 0 {
+		// Count how many CP nodes are initialized
+		initCount := 0
+		for _, n := range shortCircuitNodes.Items {
+			if n.Labels != nil && n.Labels["lxdhost.cluster.com/initialized"] == "true" {
+				initCount++
+			}
+		}
+		// Delete DS only when we see at least desiredCP control-plane nodes
+		// AND desiredCP of them are initialized
+		if int64(len(shortCircuitNodes.Items)) >= int64(desiredCP) && int64(initCount) >= int64(desiredCP) {
+			// Delete existing DSs and return
+			shortCircuitDSList := &appsv1.DaemonSetList{}
+			if err := remoteClient.List(ctx, shortCircuitDSList, client.InNamespace(dsNamespace), client.MatchingLabels{"app": dsName}); err == nil {
+				for _, ds := range shortCircuitDSList.Items {
+					_ = remoteClient.Delete(ctx, &ds)
+				}
+			}
+			return nil
+		}
+	}
+
 	// pull LXD config
 	cfg := clusterScope.GetLXDConfig()
 	sb := cfg.StorageBackend

controllers/templates/lxd_initializer_ds.yaml

@@ -73,7 +73,7 @@ spec:
           mountPropagation: HostToContainer
       containers:
       - name: lxd-initializer
-        image: us-east1-docker.pkg.dev/spectro-images/dev/amit/cluster-api/lxd-initializer:v0.6.1-spectro-4.0.0-dev-15102025-01
+        image: us-east1-docker.pkg.dev/spectro-images/dev/amit/cluster-api/lxd-initializer:v0.6.1-spectro-4.0.0-dev-16102025-01
         imagePullPolicy: Always
         securityContext:
           privileged: true

lxd-initializer/lxd-initializer-daemonset.yaml

@@ -20,7 +20,7 @@ spec:
       hostPID: true
       containers:
       - name: lxd-initializer
-        image: us-east1-docker.pkg.dev/spectro-images/dev/amit/cluster-api/lxd-initializer:v0.6.1-spectro-4.0.0-dev-15102025-01
+        image: us-east1-docker.pkg.dev/spectro-images/dev/amit/cluster-api/lxd-initializer:v0.6.1-spectro-4.0.0-dev-16102025-01
         imagePullPolicy: Always
         securityContext:
           privileged: true

lxd-initializer/lxd-initializer.go

@@ -2,10 +2,10 @@ package main
 
 import (
 	"context"
+	crand "crypto/rand"
 	"flag"
 	"fmt"
 	"log"
-	"math/rand"
 	"net"
 	"net/url"
 	"os"
@@ -245,48 +245,30 @@ func registerWithMAAS(maasEndpoint, maasAPIKey, systemID, nodeIP, trustPassword,
 	ctx := context.Background()
 	client := maasclient.NewAuthenticatedClientSet(maasEndpoint, maasAPIKey)
 
-	// Guard 1: Verify the MAAS machine identified by systemID owns nodeIP (or derive power IP)
-	m, err := client.Machines().Machine(systemID).Get(ctx)
-	if err != nil {
-		return fmt.Errorf("get machine %s: %w", systemID, err)
-	}
-	hostIP := nodeIP
-	owns := false
-	for _, ip := range m.IPAddresses() {
-		if ip.String() == nodeIP {
-			owns = true
-			break
-		}
-	}
-	if !owns {
-		ips := m.IPAddresses()
-		if len(ips) == 0 {
-			return fmt.Errorf("ownership check failed: system-id %s has no IPs; cannot register", systemID)
-		}
-		hostIP = ips[0].String()
-	}
-
 	// Idempotency/conflict checks via API for speed
 	hosts, err := client.VMHosts().List(ctx, nil)
 	if err != nil {
 		return fmt.Errorf("list vm hosts: %w", err)
 	}
-	// Align with manual flow: bare IP for power_address
-	wantHost := hostIP
+	// Align with manual flow: bare IP for power_address (still used for create below)
+	wantHost := nodeIP
+	// Strict guards: rely only on name and system-id for idempotency
+	expectedName := hostName
 	for _, h := range hosts {
-		if normalizeHost(h.PowerAddress()) == normalizeHost(wantHost) {
-			if h.HostSystemID() != "" && h.HostSystemID() != systemID {
-				return fmt.Errorf("conflict: existing VM host %s uses %s mapped to %s", h.Name(), wantHost, h.HostSystemID())
+		// 1) Exact name match → idempotent or conflict
+		if h.Name() == expectedName {
+			if h.HostSystemID() == "" || h.HostSystemID() == systemID {
+				log.Printf("MAAS VM host already present (name=%s, system-id=%s); skipping re-registration", h.Name(), h.HostSystemID())
+				return nil
 			}
-			if h.Name() != hostName {
-				return fmt.Errorf("conflict: power_address %s already used by VM host %s (name mismatch)", wantHost, h.Name())
-			}
-			log.Printf("MAAS VM host already present: name=%s power_address=%s", h.Name(), h.PowerAddress())
-			return nil
+			return fmt.Errorf("conflict: VM host %q belongs to system-id %s (expected %s)", h.Name(), h.HostSystemID(), systemID)
 		}
-		if h.Name() == hostName && h.HostSystemID() != "" && h.HostSystemID() != systemID {
-			return fmt.Errorf("conflict: existing VM host %s belongs to system-id %s (expected %s)", h.Name(), h.HostSystemID(), systemID)
+		// 2) Same system already registered under a different name → idempotent
+		if h.HostSystemID() == systemID {
+			log.Printf("MAAS VM host for system-id=%s already exists under name=%s; skipping re-registration", systemID, h.Name())
+			return nil
 		}
+		// 3) Non-matching entry → ignore
 	}
 
 	// Prefer MAAS CLI for creation to match manual success path
@@ -561,6 +543,20 @@ func main() {
 		actionStr = "both" // Default to both init and register
 	}
 
+	// Early exit: if node already marked initialized, skip all work
+	if nodeName != "" {
+		if client, err := getKubernetesClient(); err == nil {
+			if node, gerr := client.CoreV1().Nodes().Get(context.TODO(), nodeName, metav1.GetOptions{}); gerr == nil {
+				if node.Labels != nil {
+					if node.Labels[LXDHostInitializedLabel] == LabelValueTrue {
+						log.Printf("Node %s already labeled %s=true; skipping initializer", nodeName, LXDHostInitializedLabel)
+						return
+					}
+				}
+			}
+		}
+	}
+
 	// Perform actions based on the specified action
 	if actionStr == "init" || actionStr == "both" {
 		// Initialize LXD
@@ -632,8 +628,16 @@ func main() {
 		}
 		actualDelaySec := delaySec
 		if jitterSec > 0 {
-			rand.Seed(time.Now().UnixNano())
-			actualDelaySec += rand.Intn(jitterSec + 1)
+			// crypto-strong jitter in [0, jitterSec]
+			var rb [8]byte
+			if _, err := crand.Read(rb[:]); err == nil {
+				// Convert to uint64, then mod
+				rnd := int(rb[0])
+				if jitterSec > 0 {
+					rnd = rnd % (jitterSec + 1)
+				}
+				actualDelaySec += rnd
+			}
 		}
 		delay := time.Duration(actualDelaySec) * time.Second
 		log.Printf("LXD init complete; staggering for %v before host registration (index=%d/%d, per=%ds, cap=%ds, jitter<=%ds)", delay, nodeIndex, nodeCount, perNodeSec, maxCapSec, jitterSec)

pkg/util/utils.go

@@ -0,0 +1,32 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"math"
+)
+
+// SafeInt64ToInt32 safely converts int64 to int32 with overflow protection
+func SafeInt64ToInt32(value int64) int32 {
+	if value > math.MaxInt32 {
+		return math.MaxInt32
+	}
+	if value < math.MinInt32 {
+		return math.MinInt32
+	}
+	return int32(value)
+}