PCP-5152: Multiple node HCP cluster losing interface reference

Author: AmitSahastra

controllers/lxd_initializer_ds.go

@@ -12,6 +12,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/spectrocloud/cluster-api-provider-maas/pkg/maas/scope"
+	"github.com/spectrocloud/cluster-api-provider-maas/pkg/util/trust"
 
 	// embed template
 	_ "embed"
@@ -85,8 +86,12 @@ func (r *MaasClusterReconciler) ensureLXDInitializerDS(ctx context.Context, clus
 	}
 
 	nt := cfg.NICType
+	if nt == "" {
+		nt = "bridged"
+	}
 	np := cfg.NICParent
-	tp := "capmaas"
+	// Deterministic per-cluster trust password derived from cluster UID
+	tp := trust.DeriveTrustPassword(string(cluster.UID))
 
 	rendered := render(map[string]string{
 		"${STORAGE_BACKEND}":     sb,

controllers/maasmachine_controller.go

@@ -50,6 +50,7 @@ import (
 	lxd "github.com/spectrocloud/cluster-api-provider-maas/pkg/maas/lxd"
 	maasmachine "github.com/spectrocloud/cluster-api-provider-maas/pkg/maas/machine"
 	"github.com/spectrocloud/cluster-api-provider-maas/pkg/maas/scope"
+	"github.com/spectrocloud/maas-client-go/maasclient"
 )
 
 var ErrRequeueDNS = errors.New("need to requeue DNS")
@@ -227,6 +228,30 @@ func (r *MaasMachineReconciler) reconcileDelete(_ context.Context, machineScope
 			api := clusterScope.GetMaasClientIdentity()
 			// choose ExternalIP first, then InternalIP
 			nodeIP := getNodeIP(m.Addresses)
+			// For control-plane BM that backs an LXD VM host, force-delete guest VMs to unblock release
+			if clusterScope.IsLXDHostEnabled() && machineScope.IsControlPlane() {
+				ctx := context.Background()
+				client := maasclient.NewAuthenticatedClientSet(api.URL, api.Token)
+				if hosts, herr := client.VMHosts().List(ctx, nil); herr == nil {
+					for _, h := range hosts {
+						if h.HostSystemID() == m.ID {
+							if guests, gerr := h.Machines().List(ctx); gerr == nil {
+								for _, g := range guests {
+									gid := g.SystemID()
+									if gid == "" {
+										continue
+									}
+									// Fetch details to confirm and delete
+									if gm, ge := client.Machines().Machine(gid).Get(ctx); ge == nil {
+										_ = client.Machines().Machine(gm.SystemID()).Delete(ctx)
+									}
+								}
+							}
+							break
+						}
+					}
+				}
+			}
 			if nodeIP != "" {
 				if uerr := lxd.UnregisterLXDHostWithMaasClient(api.Token, api.URL, nodeIP); uerr != nil {
 					machineScope.Error(uerr, "failed to unregister LXD VM host prior to release")

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.36.1
 	github.com/pkg/errors v0.9.1
-	github.com/spectrocloud/maas-client-go v0.0.7-beta1
+	github.com/spectrocloud/maas-client-go v0.0.8-beta1
 	github.com/spf13/pflag v1.0.5
 	k8s.io/api v0.31.3
 	k8s.io/apiextensions-apiserver v0.31.3

go.sum

@@ -166,8 +166,8 @@ github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/spectrocloud/maas-client-go v0.0.7-beta1 h1:2GryA5JSrjlsvzLaCIGyPfxcaSCPrw7fm8ixMf7aRbY=
-github.com/spectrocloud/maas-client-go v0.0.7-beta1/go.mod h1:CaqAAlh6/xfzc/cDpU8eMG0wqnwx1ODSyXcH86uV7Ww=
+github.com/spectrocloud/maas-client-go v0.0.8-beta1 h1:PCY6M3M9uXZG8dzoe0jNcMnh4nOhJuZBF2C3vsUXp9A=
+github.com/spectrocloud/maas-client-go v0.0.8-beta1/go.mod h1:CaqAAlh6/xfzc/cDpU8eMG0wqnwx1ODSyXcH86uV7Ww=
 github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
 github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=

lxd-initializer/go.mod

@@ -4,7 +4,7 @@ go 1.24.5
 
 require (
 	github.com/canonical/lxd v0.0.0-20250730070707-c4a122e242bb
-	github.com/spectrocloud/maas-client-go v0.0.6-beta1
+	github.com/spectrocloud/maas-client-go v0.0.8-beta1
 	k8s.io/apimachinery v0.31.3
 	k8s.io/client-go v0.31.3
 )

lxd-initializer/go.sum

@@ -103,8 +103,8 @@ github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spectrocloud/maas-client-go v0.0.6-beta1 h1:sajM2xeYEQNe/3ObyIkTxJJEsy2OM9w4loYsmDCzqio=
-github.com/spectrocloud/maas-client-go v0.0.6-beta1/go.mod h1:CaqAAlh6/xfzc/cDpU8eMG0wqnwx1ODSyXcH86uV7Ww=
+github.com/spectrocloud/maas-client-go v0.0.8-beta1 h1:PCY6M3M9uXZG8dzoe0jNcMnh4nOhJuZBF2C3vsUXp9A=
+github.com/spectrocloud/maas-client-go v0.0.8-beta1/go.mod h1:CaqAAlh6/xfzc/cDpU8eMG0wqnwx1ODSyXcH86uV7Ww=
 github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
 github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

lxd-initializer/lxd-initializer.go

@@ -175,6 +175,89 @@ func getMachineInfoFromMaas(nodeName, maasAPIKey, maasEndpoint string) (zone, re
 	return zone, resourcePool, bootInterface, nil
 }
 
+// registerWithMAAS registers the node as an LXD VM host in MAAS (idempotent)
+func registerWithMAAS(maasEndpoint, maasAPIKey, systemID, nodeIP, trustPassword, zone, resourcePool, hostName string) error {
+	if maasEndpoint == "" || maasAPIKey == "" {
+		return fmt.Errorf("MAAS credentials unavailable")
+	}
+	ctx := context.Background()
+	client := maasclient.NewAuthenticatedClientSet(maasEndpoint, maasAPIKey)
+
+	// Guard 1: Verify the MAAS machine identified by systemID owns nodeIP (or derive power IP)
+	m, err := client.Machines().Machine(systemID).Get(ctx)
+	if err != nil {
+		return fmt.Errorf("get machine %s: %w", systemID, err)
+	}
+	hostIP := nodeIP
+	owns := false
+	for _, ip := range m.IPAddresses() {
+		if ip.String() == nodeIP {
+			owns = true
+			break
+		}
+	}
+	if !owns {
+		ips := m.IPAddresses()
+		if len(ips) == 0 {
+			return fmt.Errorf("ownership check failed: system-id %s has no IPs; cannot register", systemID)
+		}
+		hostIP = ips[0].String()
+	}
+
+	// Idempotency/conflict checks via API for speed
+	hosts, err := client.VMHosts().List(ctx, nil)
+	if err != nil {
+		return fmt.Errorf("list vm hosts: %w", err)
+	}
+	wantHost := fmt.Sprintf("https://%s:8443", hostIP)
+	for _, h := range hosts {
+		if h.PowerAddress() == wantHost && h.HostSystemID() != "" && h.HostSystemID() != systemID {
+			return fmt.Errorf("conflict: existing VM host %s uses %s mapped to %s", h.Name(), wantHost, h.HostSystemID())
+		}
+		if h.Name() == hostName || h.PowerAddress() == wantHost {
+			log.Printf("MAAS VM host already present: name=%s power_address=%s", h.Name(), h.PowerAddress())
+			return nil
+		}
+	}
+
+	// Prefer MAAS CLI for creation to match manual success path
+	if _, err := exec.LookPath("maas"); err == nil {
+		profile := "ds"
+		// Non-interactive login (idempotent)
+		_ = runCmd("maas", []string{"login", profile, maasEndpoint, maasAPIKey})
+		args := []string{profile, "vm-hosts", "create", "type=lxd", fmt.Sprintf("power_address=%s", wantHost), fmt.Sprintf("password=%s", trustPassword), fmt.Sprintf("name=%s", hostName)}
+		// Do not pass zone/pool on create
+		if err := runCmd("maas", args); err != nil {
+			return fmt.Errorf("maas cli create failed: %w", err)
+		}
+		log.Printf("MAAS VM host registered via CLI: %s (%s)", hostName, wantHost)
+		return nil
+	}
+
+	// Fallback: minimal API create
+	params := maasclient.ParamsBuilder().
+		Set("type", "lxd").
+		Set("power_address", wantHost).
+		Set("name", hostName)
+	if trustPassword != "" {
+		params.Set("password", trustPassword)
+	}
+	if _, err := client.VMHosts().Create(ctx, params); err != nil {
+		return fmt.Errorf("create vm host: %w", err)
+	}
+	log.Printf("MAAS VM host registered via API: %s (%s)", hostName, wantHost)
+	return nil
+}
+
+func runCmd(bin string, args []string) error {
+	cmd := exec.Command(bin, args...)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("%s %v: %s", bin, args, string(out))
+	}
+	return nil
+}
+
 func main() {
 	log.Println("Starting LXD initializer")
 
@@ -218,7 +301,13 @@ func main() {
 	maasAPIKey := *maasAPIKeyFlag
 	maasEndpoint := *maasEndpointFlag
 
-	// If flags are not provided, try to read from the Kubernetes secret
+	// If flags are not provided, use env (set by DS rendering) or try to read from the Kubernetes secret
+	if maasEndpoint == "" {
+		maasEndpoint = os.Getenv("MAAS_ENDPOINT")
+	}
+	if maasAPIKey == "" {
+		maasAPIKey = os.Getenv("MAAS_API_KEY")
+	}
 	if maasAPIKey == "" || maasEndpoint == "" {
 		if secretEndpoint, secretAPIKey, err := getMaasCredentialsFromSecret(); err == nil {
 			if maasEndpoint == "" {
@@ -245,7 +334,16 @@ func main() {
 		storageSize = "50"
 	}
 
-	nicType := "macvlan"
+	// Determine NIC type and parent
+	// NIC_TYPE env supports values like "bridge"/"bridged" or "macvlan". Default to bridge.
+	nicTypeEnv := os.Getenv("NIC_TYPE")
+	if nicTypeEnv == "" {
+		nicTypeEnv = "bridge"
+	}
+	nicMode := strings.ToLower(nicTypeEnv)
+	if nicMode == "bridged" {
+		nicMode = "bridge"
+	}
 
 	networkBridge := *networkBridgeFlag
 	if networkBridge == "" {
@@ -264,9 +362,19 @@ func main() {
 	log.Printf("Resource pool retrieved from MAAS: %s", resourcePool)
 	log.Printf("Boot interface retrieved from MAAS: %s", bootInterfaceName)
 
-	nicParent := bootInterfaceName
+	nicParent := os.Getenv("NIC_PARENT")
+	if nicParent == "" {
+		nicParent = bootInterfaceName
+	}
 
-	log.Printf("Using NIC type=%s parent=%s", nicType, nicParent)
+	// Log final NIC config
+	log.Printf("Using NIC mode=%s (device nictype=%s) parent=%s", nicMode, func() string {
+		if nicMode == "bridge" {
+			return "bridged"
+		} else {
+			return nicMode
+		}
+	}(), nicParent)
 
 	skipNetworkUpdate := *skipNetworkUpdateFlag
 	if !skipNetworkUpdate {
@@ -290,7 +398,7 @@ func main() {
 	// Perform actions based on the specified action
 	if actionStr == "init" || actionStr == "both" {
 		// Initialize LXD
-		if err := initializeLXD(storageBackend, storageSize, networkBridge, skipNetworkUpdate, trustPassword, nicType, nicParent); err != nil {
+		if err := initializeLXD(storageBackend, storageSize, networkBridge, skipNetworkUpdate, trustPassword, nicMode, nicParent); err != nil {
 			log.Fatalf("Failed to initialize LXD: %v", err)
 		}
 
@@ -305,6 +413,18 @@ func main() {
 		}
 	}
 
+	if actionStr == "register" || actionStr == "both" {
+		// Build a stable host name using MAAS system-id
+		systemID, sErr := extractSystemIDFromNodeName(nodeName)
+		if sErr != nil {
+			log.Fatalf("Failed to extract system ID from node name: %v", sErr)
+		}
+		hostName := fmt.Sprintf("lxd-host-%s", systemID)
+		if err := registerWithMAAS(maasEndpoint, maasAPIKey, systemID, nodeIP, trustPassword, zone, resourcePool, hostName); err != nil {
+			log.Fatalf("Failed to register LXD host in MAAS: %v", err)
+		}
+	}
+
 	// If running as a standalone binary, exit after completing the actions
 	if actionStr == "once" {
 		log.Println("Actions completed successfully")
@@ -602,6 +722,11 @@ func ensureMAASProfile(c lxdclient.InstanceServer, nicType, nicParent, pool stri
 			return nil // already present
 		}
 	}
+	// Map network mode to device nictype expected by LXD
+	deviceNictype := nicType
+	if deviceNictype == "bridge" {
+		deviceNictype = "bridged"
+	}
 	profile := api.ProfilesPost{
 		Name: profileName,
 		ProfilePut: api.ProfilePut{
@@ -614,7 +739,7 @@ func ensureMAASProfile(c lxdclient.InstanceServer, nicType, nicParent, pool stri
 				},
 				"eth0": {
 					"type":    "nic",
-					"nictype": nicType,
+					"nictype": deviceNictype,
 					"parent":  nicParent,
 					"name":    "eth0",
 				},

pkg/maas/lxd/host_maas_client.go

@@ -28,6 +28,7 @@ import (
 // HostConfig contains the configuration for setting up an LXD host
 type HostConfig struct {
 	NodeIP          string
+	HostName        string
 	MaasAPIKey      string
 	MaasAPIEndpoint string
 	StorageBackend  string
@@ -142,10 +143,14 @@ func registerWithMaasClient(client maasclient.ClientSetInterface, config HostCon
 	ctx := context.Background()
 
 	// Create registration parameters
+	name := config.HostName
+	if name == "" {
+		name = fmt.Sprintf("lxd-host-%s", config.NodeIP)
+	}
 	params := maasclient.ParamsBuilder().
 		Set("type", "lxd").
 		Set("power_address", fmt.Sprintf("https://%s:8443", config.NodeIP)).
-		Set("name", fmt.Sprintf("lxd-host-%s", config.NodeIP))
+		Set("name", name)
 
 	if config.Zone != "" {
 		// Pass the zone name directly. MAAS API expects the zone name, not ID.
@@ -162,7 +167,7 @@ func registerWithMaasClient(client maasclient.ClientSetInterface, config HostCon
 	}
 
 	log := textlogger.NewLogger(textlogger.NewConfig())
-	log.Info("register params", "zone", params.Values().Get("zone"), "pool", params.Values().Get("pool"))
+	log.Info("register params", "zone", params.Values().Get("zone"), "pool", params.Values().Get("pool"), "name", name)
 
 	// Register the host with MAAS
 	_, err := client.VMHosts().Create(ctx, params)