spectrocloud · AmitSahastra · Sep 16, 2025 · Sep 12, 2025 · Sep 15, 2025
diff --git a/controllers/lxd_initializer_ds.go b/controllers/lxd_initializer_ds.go
@@ -6,7 +6,10 @@ import (
 	"strings"
 
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/yaml"
@@ -44,7 +47,106 @@ func (r *MaasClusterReconciler) ensureLXDInitializerDS(ctx context.Context, clus
 		return fmt.Errorf("failed to get target cluster client: %v", err)
 	}
 
-	// First clean up any existing DaemonSets in this namespace
+	// If feature is off or cluster is being deleted, we're done
+	if !clusterScope.IsLXDHostEnabled() || !cluster.ObjectMeta.DeletionTimestamp.IsZero() {
+		return nil
+	}
+
+	// Gate: ensure pivot completed. Require mgmt namespace to have clusterEnv=target
+	mgmtNS := &corev1.Namespace{}
+	if err := r.Client.Get(ctx, client.ObjectKey{Name: dsNamespace}, mgmtNS); err != nil {
+		// Namespace not readable yet on management cluster; skip for now
+		return nil
+	}
+	if v := strings.TrimSpace(mgmtNS.Annotations["clusterEnv"]); v != "target" {
+		r.Log.Info("Namespace not marked as target; deferring LXD initializer", "namespace", dsNamespace, "clusterEnv", v)
+		return nil
+	}
+
+	// Gate: derive desired CP count from MaasCloudConfig; fallback to KCP
+	desiredCP := int32(1)
+	readyByKCP := int32(0)
+	// Prefer MaasCloudConfig.spec.machinePoolConfig[].size where isControlPlane=true (sum)
+	{
+		mccList := &unstructured.UnstructuredList{}
+		mccList.SetGroupVersionKind(schema.GroupVersionKind{Group: "cluster.spectrocloud.com", Version: "v1alpha1", Kind: "MaasCloudConfigList"})
+		if err := r.Client.List(ctx, mccList, client.InNamespace(dsNamespace)); err == nil {
+			var sum int64
+			for _, it := range mccList.Items {
+				owned := false
+				for _, or := range it.GetOwnerReferences() {
+					if or.Name == cluster.Name {
+						owned = true
+						break
+					}
+				}
+				if !owned && !strings.HasSuffix(it.GetName(), "-maas-config") {
+					continue
+				}
+				pools, found, _ := unstructured.NestedSlice(it.Object, "spec", "machinePoolConfig")
+				if !found {
+					continue
+				}
+				for _, p := range pools {
+					if mp, ok := p.(map[string]interface{}); ok {
+						isCP, _, _ := unstructured.NestedBool(mp, "isControlPlane")
+						if !isCP {
+							continue
+						}
+						if v, foundSz, _ := unstructured.NestedInt64(mp, "size"); foundSz && v > 0 {
+							sum += v
+						}
+					}
+				}
+				if sum > 0 {
+					desiredCP = int32(sum)
+					break
+				}
+			}
+		}
+	}
+	// Fallback: use KCP if MCC not found
+	if desiredCP == 1 {
+		kcpList := &unstructured.UnstructuredList{}
+		kcpList.SetGroupVersionKind(schema.GroupVersionKind{Group: "controlplane.cluster.x-k8s.io", Version: "v1beta1", Kind: "KubeadmControlPlaneList"})
+		if err := r.Client.List(ctx, kcpList, client.InNamespace(dsNamespace), client.MatchingLabels{
+			"cluster.x-k8s.io/cluster-name": cluster.Name,
+		}); err == nil {
+			if len(kcpList.Items) > 0 {
+				item := kcpList.Items[0]
+				if v, found, _ := unstructured.NestedInt64(item.Object, "spec", "replicas"); found && v > 0 {
+					desiredCP = int32(v)
+				}
+				if v, found, _ := unstructured.NestedInt64(item.Object, "status", "readyReplicas"); found && v >= 0 {
+					readyByKCP = int32(v)
+				}
+			}
+		}
+	}
+
+	nodeList := &corev1.NodeList{}
+	cpSelector := labels.SelectorFromSet(labels.Set{
+		"node-role.kubernetes.io/control-plane": "",
+	})
+	if err := remoteClient.List(ctx, nodeList, &client.ListOptions{LabelSelector: cpSelector}); err == nil {
+		ready := 0
+		for _, n := range nodeList.Items {
+			for _, c := range n.Status.Conditions {
+				if c.Type == corev1.NodeReady && c.Status == corev1.ConditionTrue {
+					ready++
+					break
+				}
+			}
+		}
+		// Proceed when CP nodes are present and Ready, regardless of KCP readyReplicas
+		if int32(len(nodeList.Items)) < desiredCP || int32(ready) < desiredCP {
+			r.Log.Info("Not enough control-plane nodes present/ready yet; skipping DS for now", "desiredCP", desiredCP, "readyByKCP", readyByKCP, "nodeList", len(nodeList.Items), "ready", ready)
+			// Not enough control-plane nodes present/ready yet; skip DS for now
+			return nil
+		}
+	}
+
+	// Clean up any existing DaemonSets in this namespace (old naming/labels)
 	dsList := &appsv1.DaemonSetList{}
 	if err := remoteClient.List(ctx, dsList, client.InNamespace(dsNamespace), client.MatchingLabels{
 		"app": "lxd-initializer",
@@ -59,11 +161,6 @@ func (r *MaasClusterReconciler) ensureLXDInitializerDS(ctx context.Context, clus
 		}
 	}
 
-	// If feature is off or cluster is being deleted, we're done after cleanup
-	if !clusterScope.IsLXDHostEnabled() || !cluster.ObjectMeta.DeletionTimestamp.IsZero() {
-		return nil
-	}
-
 	// Ensure RBAC resources are created on target cluster
 	if err := r.ensureLXDInitializerRBACOnTarget(ctx, remoteClient, dsNamespace); err != nil {
 		return fmt.Errorf("failed to ensure LXD initializer RBAC: %v", err)

diff --git a/controllers/maasmachine_controller.go b/controllers/maasmachine_controller.go
@@ -23,6 +23,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/spectrocloud/maas-client-go/maasclient"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/go-logr/logr"
@@ -50,7 +51,6 @@ import (
 	lxd "github.com/spectrocloud/cluster-api-provider-maas/pkg/maas/lxd"
 	maasmachine "github.com/spectrocloud/cluster-api-provider-maas/pkg/maas/machine"
 	"github.com/spectrocloud/cluster-api-provider-maas/pkg/maas/scope"
-	"github.com/spectrocloud/maas-client-go/maasclient"
 )
 
 var ErrRequeueDNS = errors.New("need to requeue DNS")
@@ -226,8 +226,7 @@ func (r *MaasMachineReconciler) reconcileDelete(_ context.Context, machineScope
 		// If MAAS requires VM host removal first, attempt best-effort unregister and retry once
 		if isVMHostRemovalRequiredError(err) {
 			api := clusterScope.GetMaasClientIdentity()
-			// choose ExternalIP first, then InternalIP
-			nodeIP := getNodeIP(m.Addresses)
+
 			// For control-plane BM that backs an LXD VM host, force-delete guest VMs to unblock release
 			if clusterScope.IsLXDHostEnabled() && machineScope.IsControlPlane() {
 				ctx := context.Background()
@@ -243,7 +242,9 @@ func (r *MaasMachineReconciler) reconcileDelete(_ context.Context, machineScope
 									}
 									// Fetch details to confirm and delete
 									if gm, ge := client.Machines().Machine(gid).Get(ctx); ge == nil {
-										_ = client.Machines().Machine(gm.SystemID()).Delete(ctx)
+										if derr := client.Machines().Machine(gm.SystemID()).Delete(ctx); derr != nil {
+											machineScope.Error(derr, "failed to delete guest VM during host release cleanup", "guestSystemID", gm.SystemID())
+										}
 									}
 								}
 							}
@@ -252,6 +253,9 @@ func (r *MaasMachineReconciler) reconcileDelete(_ context.Context, machineScope
 					}
 				}
 			}
+
+			// choose ExternalIP first, then InternalIP
+			nodeIP := getNodeIP(m.Addresses)
 			if nodeIP != "" {
 				if uerr := lxd.UnregisterLXDHostWithMaasClient(api.Token, api.URL, nodeIP); uerr != nil {
 					machineScope.Error(uerr, "failed to unregister LXD VM host prior to release")

diff --git a/controllers/templates/lxd_initializer_ds.yaml b/controllers/templates/lxd_initializer_ds.yaml
@@ -73,7 +73,8 @@ spec:
           mountPropagation: HostToContainer
       containers:
       - name: lxd-initializer
-        image: us-east1-docker.pkg.dev/spectro-images/dev/amit/cluster-api/lxd-initializer:v0.6.1-spectro-4.0.0-dev-11102025-03
+        image: us-east1-docker.pkg.dev/spectro-images/dev/amit/cluster-api/lxd-initializer:v0.6.1-spectro-4.0.0-dev-15102025-01
+        imagePullPolicy: Always
         securityContext:
           privileged: true
         env:

diff --git a/controllers/templates/lxd_initializer_rbac.yaml b/controllers/templates/lxd_initializer_rbac.yaml
@@ -17,7 +17,7 @@ metadata:
 rules:
 - apiGroups: [""]
   resources: ["nodes"]
-  verbs: ["get", "patch", "update"]
+  verbs: ["get", "list", "watch", "patch", "update"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["list"]

diff --git a/lxd-initializer/lxd-initializer-daemonset.yaml b/lxd-initializer/lxd-initializer-daemonset.yaml
@@ -20,7 +20,7 @@ spec:
       hostPID: true
       containers:
       - name: lxd-initializer
-        image: us-east1-docker.pkg.dev/spectro-images/dev/amit/cluster-api/lxd-initializer:v0.6.1-spectro-4.0.0-dev-11102025-03
+        image: us-east1-docker.pkg.dev/spectro-images/dev/amit/cluster-api/lxd-initializer:v0.6.1-spectro-4.0.0-dev-15102025-01
         imagePullPolicy: Always
         securityContext:
           privileged: true