
feat(clusters): key for_each by host, validate hostname uniqueness (#68, #69) #83

Merged
jfreed-dev merged 1 commit into main from feat/cluster-host-keying-and-hostname-uniqueness
Jun 26, 2026

@jfreed-dev


Two v1.7.0 (#67) follow-ups for talos-cluster and k3s-cluster, both milestoned v1.8.0.

#69 — key for_each by host, not list index (bug)

The per-node resources keyed for_each positionally:

  • Talos: talos_machine_configuration_apply.{controlplane,worker}
  • K3s: null_resource.{k3s_workers,bootstrap_ssh_workers}, data.tls_public_key.workers_bootstrap

Removing/reordering a node shifted every later index, so Terraform re-targeted the surviving instances at a different host — re-pushing Talos machine config (which a live node rejects with static hostname already set) or re-running the K3s install provisioners. Now keyed by the stable node.host; the Talos local.hostname_patches map is host-keyed to match.

All index-keyed worker for_each blocks in k3s were re-keyed together (not just the install one) so they stay consistent.

#68 — plan-time hostname uniqueness (enhancement)

A duplicate non-blank hostname across control_plane + workers made two nodes register under the same Talos/Kubernetes node identity (kubelet collision, one node shadows the other) with no plan-time signal. A resource lifecycle precondition now fails terraform plan naming the duplicate. Null/empty/whitespace stay exempt.

precondition is the lightest mechanism that actually fails the plan — check {} only warns, cross-variable validation needs TF >= 1.9 — so required_version is raised >= 1.0 → >= 1.2 in both modules.

⚠️ Migration (existing deployments)

Instance addresses change (…["0"] → …["10.10.88.73"]). Existing state must be re-mapped once with tofu state mv before the next apply, or Terraform destroys/recreates the apply resources against live nodes. Per-module recipes are in each README ("Upgrading from < v1.8.0") and docs/UPGRADE.md. moved {} blocks can't ship in a reusable module — the index→host mapping depends on the consumer's node list/order.

Validation

tofu validate + tofu fmt -check pass on both modules. Offline tofu plan confirms:

  • duplicate hostnames → plan fails with the named-duplicate precondition message (both modules)
  • unique + blank hostnames → plan succeeds, resources keyed by host (…["10.0.0.1"])

Docs

  • Both module READMEs: Requirements table >= 1.2, uniqueness note, "Upgrading from < v1.8.0" state-mv recipe
  • docs/UPGRADE.md: new ### v1.8.0 Breaking Changes entry
  • Root README prerequisite >= 1.2
  • CHANGELOG.md: ## [1.8.0] entry (+ restored the missing 1.7.0–1.7.2 compare links)

Closes #68
Closes #69

…, #69)

Two v1.7.0 follow-ups for talos-cluster and k3s-cluster, milestoned v1.8.0.

#69 — key per-node resources by host instead of list index. The Talos
talos_machine_configuration_apply.{controlplane,worker} and the K3s
null_resource.{k3s_workers,bootstrap_ssh_workers} / data.tls_public_key
.workers_bootstrap were keyed positionally, so removing/reordering a node
shifted every later index and re-targeted config at a surviving host (Talos
rejects a re-applied hostname with "static hostname already set"; K3s re-runs
the agent install). Now keyed by the stable host; the Talos hostname_patches
map is host-keyed to match. Instance addresses change, so existing state needs
a one-time `tofu state mv` (recipe in each module README + docs/UPGRADE.md);
moved {} blocks can't ship in a reusable module since the index->host mapping
depends on the consumer's node list.

#68 — validate hostname uniqueness across control_plane + workers at plan time.
A duplicate non-blank hostname makes two nodes register under the same node
identity (kubelet collision). A resource lifecycle precondition now fails the
plan naming the duplicate; null/empty/whitespace stay exempt. precondition is
the lightest mechanism that actually fails the plan (check{} only warns), so
required_version is raised >= 1.0 -> >= 1.2 in both modules; READMEs and the
project prerequisite updated to match.

Validated with `tofu plan`: duplicate hostnames fail with the named-duplicate
message, unique/blank hostnames plan cleanly, resources keyed by host.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jfreed-dev jfreed-dev added this to the v1.8.0 milestone Jun 26, 2026
@jfreed-dev jfreed-dev merged commit 9f3b51f into main Jun 26, 2026
19 checks passed
@jfreed-dev jfreed-dev deleted the feat/cluster-host-keying-and-hostname-uniqueness branch June 26, 2026 13:01
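
The one-time index-to-host state re-mapping described under Migration, as an added example that is not taken from the PR, the module READMEs or docs/UPGRADE.md: it prints the `tofu state mv` commands for the two Talos resources named above and refuses to continue if a host or non-blank hostname repeats. Assumptions: `module.talos` is a placeholder module path, nodes are dicts with `host` and `hostname` keys, and each list is given in the order the existing state was created with.

```python
"""Generate one-time `tofu state mv` commands for the index -> host re-keying."""
import shlex
from collections import Counter

# Per-node resource addresses named in the PR description (Talos module).
TALOS_RESOURCES = {
    "control_plane": "talos_machine_configuration_apply.controlplane",
    "workers": "talos_machine_configuration_apply.worker",
}


def duplicate_hostnames(nodes):
    """Non-blank hostnames used more than once; null/empty/whitespace are exempt."""
    counts = Counter(h for h in (n.get("hostname") for n in nodes) if h and h.strip())
    return sorted(name for name, count in counts.items() if count > 1)


def state_mv_commands(module_path, resource, nodes):
    """nodes must be in the order the state was created with (old key = list index)."""
    hosts = [n["host"] for n in nodes]
    repeated = sorted(h for h, c in Counter(hosts).items() if c > 1)
    if repeated:
        raise ValueError(f"host used twice, cannot be a for_each key: {repeated}")
    commands = []
    for index, host in enumerate(hosts):
        if not host or any(ch in host for ch in '"\\ \t\n'):
            raise ValueError(f"unsafe host value at index {index}: {host!r}")
        src = f'{module_path}.{resource}["{index}"]'
        dst = f'{module_path}.{resource}["{host}"]'
        # shlex.quote keeps the brackets and double quotes literal in the shell.
        commands.append(f"tofu state mv {shlex.quote(src)} {shlex.quote(dst)}")
    return commands


def migration_plan(module_path, control_plane, workers):
    dupes = duplicate_hostnames(control_plane + workers)
    if dupes:
        raise ValueError(f"duplicate hostname(s) would fail the plan: {dupes}")
    return (state_mv_commands(module_path, TALOS_RESOURCES["control_plane"], control_plane)
            + state_mv_commands(module_path, TALOS_RESOURCES["workers"], workers))


if __name__ == "__main__":
    # Constructed sample node lists; "module.talos" is a placeholder module path.
    cp = [{"host": "10.0.0.1", "hostname": "cp-1"}]
    wk = [{"host": "10.0.0.2", "hostname": "w-1"}, {"host": "10.0.0.3", "hostname": None}]
    print("\n".join(migration_plan("module.talos", cp, wk)))
```

Review the printed commands against `tofu state list` before running them, since a node list in a different order than the one the state was built from maps an index to the wrong host.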