From 427ef94e3d248f67b52aefd45b12914c38d66868 Mon Sep 17 00:00:00 2001 From: kun zhou Date: Thu, 11 Sep 2025 23:29:43 -0700 Subject: [PATCH 1/2] disable-lxd-register, ane make password unique --- controllers/templates/lxd_initializer_ds.yaml | 2 +- go.mod | 1 + go.sum | 4 +- lxd-initializer/lxd-initializer.go | 4 +- pkg/maas/lxd/host_maas_client.go | 86 ++++++++++--------- pkg/maas/lxd/service.go | 2 +- 6 files changed, 54 insertions(+), 45 deletions(-) diff --git a/controllers/templates/lxd_initializer_ds.yaml b/controllers/templates/lxd_initializer_ds.yaml index e6e9967..3eba08d 100644 --- a/controllers/templates/lxd_initializer_ds.yaml +++ b/controllers/templates/lxd_initializer_ds.yaml @@ -73,7 +73,7 @@ spec: mountPropagation: HostToContainer containers: - name: lxd-initializer - image: "us-east1-docker.pkg.dev/spectro-images/dev/cluster-api/capmaas-lxd-initializer:v0.0.1" + image: "us-east1-docker.pkg.dev/spectro-images/dev/cluster-api/capmaas-lxd-initializer:kundiffpass2" securityContext: privileged: true env: diff --git a/go.mod b/go.mod index 3e37364..8a5f88b 100644 --- a/go.mod +++ b/go.mod @@ -80,5 +80,6 @@ require ( replace ( github.com/prometheus/common v0.32.1 => github.com/prometheus/common v0.26.0 + github.com/spectrocloud/maas-client-go => github.com/spectrocloud/maas-client-go v0.0.8-beta1 sigs.k8s.io/structured-merge-diff/v6 => sigs.k8s.io/structured-merge-diff/v4 v4.4.3 ) diff --git a/go.sum b/go.sum index a64e220..80211a8 100644 --- a/go.sum +++ b/go.sum 
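Review bot: The new `image:` line points a `privileged: true` container at `capmaas-lxd-initializer:kundiffpass2`, which reads as a personal test tag under the `dev` registry path and should not ship in the controller template. A tag like this can be re-pushed with different content without any change to this file, so the DaemonSet would roll out whatever the tag resolves to at pull time. Before merge, restore a released tag and pin it by digest, e.g. `image: "<registry>/capmaas-lxd-initializer:<release-tag>@sha256:<digest-placeholder>"`.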
@@ -166,8 +166,8 @@ github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= -github.com/spectrocloud/maas-client-go v0.0.7-beta1 h1:2GryA5JSrjlsvzLaCIGyPfxcaSCPrw7fm8ixMf7aRbY= -github.com/spectrocloud/maas-client-go v0.0.7-beta1/go.mod h1:CaqAAlh6/xfzc/cDpU8eMG0wqnwx1ODSyXcH86uV7Ww= +github.com/spectrocloud/maas-client-go v0.0.8-beta1 h1:PCY6M3M9uXZG8dzoe0jNcMnh4nOhJuZBF2C3vsUXp9A= +github.com/spectrocloud/maas-client-go v0.0.8-beta1/go.mod h1:CaqAAlh6/xfzc/cDpU8eMG0wqnwx1ODSyXcH86uV7Ww= github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= diff --git a/lxd-initializer/lxd-initializer.go b/lxd-initializer/lxd-initializer.go index 93032ee..5a295f3 100644 --- a/lxd-initializer/lxd-initializer.go +++ b/lxd-initializer/lxd-initializer.go @@ -278,7 +278,9 @@ func main() { trustPassword := *trustPasswordFlag if trustPassword == "" { - trustPassword = os.Getenv("TRUST_PASSWORD") + basePassword := os.Getenv("TRUST_PASSWORD") + trustPassword = basePassword + nodeName + log.Printf("Using trust password: %s", trustPassword) } // Determine action based on flag or default to both diff --git a/pkg/maas/lxd/host_maas_client.go b/pkg/maas/lxd/host_maas_client.go index 1032bb4..c91e4c1 100644 --- a/pkg/maas/lxd/host_maas_client.go +++ b/pkg/maas/lxd/host_maas_client.go 
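Review bot: The added `log.Printf("Using trust password: %s", trustPassword)` writes the LXD trust password to the pod log in clear text, so anyone who can read the DaemonSet logs or the log pipeline obtains the credential. Drop the line or log only the fact, e.g. `log.Printf("Using node-specific trust password for node %s", nodeName)`. When `TRUST_PASSWORD` is unset the password silently becomes just `nodeName`, so an empty `basePassword` should be treated as a configuration error rather than a fallback. Concatenating a shared base with the node name also makes every node's password derivable from one leaked value; a random per-node secret would remove that coupling. main starts and continues outside the hunk.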
@@ -81,13 +81,17 @@ func SetupLXDHostWithMaasClient(config HostConfig) error { return nil } - // Register the host with MAAS as a KVM host - if err := registerWithMaasClient(client, config); err != nil { - return fmt.Errorf("failed to register with MAAS: %w", err) - } - - log.Info("Successfully set up LXD host", "node", config.NodeIP) + // Skip automatic registration - manual registration required + log.Info("Skipping automatic LXD host registration (manual registration required)", "node", config.NodeIP) return nil + + // Register the host with MAAS as a KVM host (DISABLED) + // if err := registerWithMaasClient(client, config); err != nil { + // return fmt.Errorf("failed to register with MAAS: %w", err) + // } + + // log.Info("Successfully set up LXD host", "node", config.NodeIP) + // return nil } // normalizeHost extracts the host part from a MAAS power_address or raw string 
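Review bot: The registration call is left behind as commented-out code after an unconditional `return nil`, so SetupLXDHostWithMaasClient now reports success on a path that registered nothing, and a reader has to diff comments to see what was disabled. Delete the commented block (the history keeps it) and state the new contract in the function's doc comment, e.g. `// SetupLXDHostWithMaasClient no longer registers the host with MAAS; registration is a manual step.` If the skip is meant to be temporary, a field on HostConfig that gates the call would keep the code compiled and tested. The function starts outside the hunk, so whether `client` is still used before this point is not visible here.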
@@ -138,40 +142,42 @@ func isHostRegisteredWithMaasClient(client maasclient.ClientSetInterface, nodeIP } // registerWithMaasClient registers a host with MAAS as a VM host -func registerWithMaasClient(client maasclient.ClientSetInterface, config HostConfig) error { - ctx := context.Background() - - // Create registration parameters - params := maasclient.ParamsBuilder(). - Set("type", "lxd"). - Set("power_address", fmt.Sprintf("https://%s:8443", config.NodeIP)). - Set("name", fmt.Sprintf("lxd-host-%s", config.NodeIP)) - - if config.Zone != "" { - // Pass the zone name directly. MAAS API expects the zone name, not ID. - params.Set("zone", config.Zone) - } - - if config.ResourcePool != "" { - // Pass pool name directly. - params.Set("pool", config.ResourcePool) - } - - if config.TrustPassword != "" { - params.Set("password", config.TrustPassword) - } - - log := textlogger.NewLogger(textlogger.NewConfig()) - log.Info("register params", "zone", params.Values().Get("zone"), "pool", params.Values().Get("pool")) - - // Register the host with MAAS - _, err := client.VMHosts().Create(ctx, params) - if err != nil { - return fmt.Errorf("failed to register host with MAAS: %w", err) - } - - return nil -} +// func registerWithMaasClient(client maasclient.ClientSetInterface, config HostConfig) error { +// ctx := context.Background() +// log := textlogger.NewLogger(textlogger.NewConfig()) +// log.Info("registering with MAAS", "node", config.NodeIP, "trust_password", config.TrustPassword) + +// // Create registration parameters +// params := maasclient.ParamsBuilder(). +// Set("type", "lxd"). +// Set("power_address", config.NodeIP). +// Set("name", fmt.Sprintf("lxd-host-%s", config.NodeIP)). +// Set("project", "maas") + +// if config.Zone != "" { +// // Pass the zone name directly. MAAS API expects the zone name, not ID. +// params.Set("zone", config.Zone) +// } + +// if config.ResourcePool != "" { +// // Pass pool name directly. 
+// params.Set("pool", config.ResourcePool) +// } + +// if config.TrustPassword != "" { +// params.Set("password", config.TrustPassword) +// } + +// log.Info("register params", "zone", params.Values().Get("zone"), "pool", params.Values().Get("pool")) + +// // Register the host with MAAS +// _, err := client.VMHosts().Create(ctx, params) +// if err != nil { +// return fmt.Errorf("failed to register host with MAAS: %w", err) +// } + +// return nil +// } // GetAvailableLXDHostsWithMaasClient returns a list of available LXD hosts from MAAS func GetAvailableLXDHostsWithMaasClient(apiKey, apiEndpoint string) ([]maasclient.VMHost, error) { diff --git a/pkg/maas/lxd/service.go b/pkg/maas/lxd/service.go index bf3d9fe..396a4b9 100644 --- a/pkg/maas/lxd/service.go +++ b/pkg/maas/lxd/service.go @@ -131,7 +131,7 @@ func (s *Service) setupLXDOnMachine(machine *v1beta1.MaasMachine) error { NetworkBridge: lxdConfig.NetworkBridge, ResourcePool: *machine.Spec.ResourcePool, Zone: *machine.Spec.FailureDomain, - TrustPassword: "capmaas", + TrustPassword: "capmaas" + *machine.Status.Hostname, } // Check if LXD initialization is complete on the node before attempting MAAS registration From 725392c8dcf13a8881abfd37a710d1c44807c488 Mon Sep 17 00:00:00 2001 From: kun zhou Date: Fri, 12 Sep 2025 21:00:34 -0700 Subject: [PATCH 2/2] add lxd vm deletion when deleting lxd host --- controllers/maasmachine_controller.go | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/controllers/maasmachine_controller.go b/controllers/maasmachine_controller.go index 7a76bcd..2e1174f 100644 --- a/controllers/maasmachine_controller.go +++ b/controllers/maasmachine_controller.go @@ -27,6 +27,7 @@ import ( "github.com/go-logr/logr" "github.com/pkg/errors" + "github.com/spectrocloud/maas-client-go/maasclient" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/client-go/tools/record" 
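Review bot: The commented-out copy of registerWithMaasClient is not the old function: it adds `"trust_password", config.TrustPassword` to a `log.Info` call, changes `power_address` from `https://<ip>:8443` to the bare `config.NodeIP`, and sets `project` to `maas`, none of which is compiled or tested. If it is ever uncommented as written, the trust password goes to the controller log; the log line should be `log.Info("registering with MAAS", "node", config.NodeIP)`. Prefer deleting the function together with its now-orphaned doc comment, or keep it live behind a flag so these behaviour changes are reviewed as code.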
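Review bot: `"capmaas" + *machine.Status.Hostname` dereferences `Status.Hostname` with no nil check, so a MaasMachine whose status has not reported a hostname yet would panic in setupLXDOnMachine; test `machine.Status.Hostname == nil` and return an error before building the config. The value is still a constant from source plus a hostname, so it is unique per node but not secret from anyone who knows the naming scheme; reading the base from the same source that sets `TRUST_PASSWORD` would remove the literal. It also matches what lxd-initializer.go builds (`TRUST_PASSWORD` + `nodeName`) only if that variable is `capmaas` and `nodeName` equals the MAAS hostname, which is not visible in this diff. Most of the function body lies outside the hunk.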
@@ -227,6 +228,30 @@ func (r *MaasMachineReconciler) reconcileDelete(_ context.Context, machineScope api := clusterScope.GetMaasClientIdentity() // choose ExternalIP first, then InternalIP nodeIP := getNodeIP(m.Addresses) + // For control-plane BM that backs an LXD VM host, force-delete guest VMs to unblock release + if clusterScope.IsLXDHostEnabled() && machineScope.IsControlPlane() { + ctx := context.Background() + client := maasclient.NewAuthenticatedClientSet(api.URL, api.Token) + if hosts, herr := client.VMHosts().List(ctx, nil); herr == nil { + for _, h := range hosts { + if h.HostSystemID() == m.ID { + if guests, gerr := h.Machines().List(ctx); gerr == nil { + for _, g := range guests { + gid := g.SystemID() + if gid == "" { + continue + } + // Fetch details to confirm and delete + if gm, ge := client.Machines().Machine(gid).Get(ctx); ge == nil { + _ = client.Machines().Machine(gm.SystemID()).Delete(ctx) + } + } + } + break + } + } + } + } if nodeIP != "" { if uerr := lxd.UnregisterLXDHostWithMaasClient(api.Token, api.URL, nodeIP); uerr != nil { machineScope.Error(uerr, "failed to unregister LXD VM host prior to release")
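Review bot: Every failure in the added guest-cleanup block is discarded: `herr`, `gerr` and `ge` are only tested for `== nil`, and the result of `Delete` is assigned to `_`, so a MAAS outage or permission error leaves guest VMs in place with nothing in the log. The block also deletes every machine MAAS lists under the host, with no check that a guest belongs to this cluster (whether other workloads can place VMs there is not visible here), and it builds `context.Background()` because the function's context parameter is named `_`, so cancellation never reaches these calls. The `Get` before `Delete` adds a round trip without adding a check, since it deletes the same system ID it just fetched. The version below logs each failure through `machineScope.Error` and flattens the nesting; reconcileDelete starts and ends outside the hunk.

```go
	if clusterScope.IsLXDHostEnabled() && machineScope.IsControlPlane() {
		// … unchanged: ctx and client setup …
		hosts, herr := client.VMHosts().List(ctx, nil)
		if herr != nil {
			machineScope.Error(herr, "failed to list VM hosts before guest cleanup")
		}
		for _, h := range hosts {
			if h.HostSystemID() != m.ID {
				continue
			}
			guests, gerr := h.Machines().List(ctx)
			if gerr != nil {
				machineScope.Error(gerr, "failed to list guest VMs on LXD host")
				break
			}
			for _, g := range guests {
				gid := g.SystemID()
				if gid == "" {
					continue
				}
				// Delete directly by system ID; the extra Get added no validation.
				if derr := client.Machines().Machine(gid).Delete(ctx); derr != nil {
					machineScope.Error(derr, "failed to delete guest VM on LXD host")
				}
			}
			break
		}
	}
```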