siderolabs
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎hack/release.toml‎
Lines changed: 13 additions & 0 deletions b/‎hack/release.toml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎internal/app/machined/pkg/controllers/network/link_alias_config.go‎
Lines changed: 47 additions & 13 deletions b/‎internal/app/machined/pkg/controllers/network/link_alias_config.go‎
Lines changed: 47 additions & 13 deletions
diff --git a/‎internal/app/machined/pkg/controllers/network/link_alias_config_test.go‎
Lines changed: 157 additions & 27 deletions b/‎internal/app/machined/pkg/controllers/network/link_alias_config_test.go‎
Lines changed: 157 additions & 27 deletions
diff --git a/‎pkg/machinery/config/config/network.go‎
Lines changed: 1 addition & 0 deletions b/‎pkg/machinery/config/config/network.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/machinery/config/schemas/config.schema.json‎
Lines changed: 6 additions & 6 deletions b/‎pkg/machinery/config/schemas/config.schema.json‎
Lines changed: 6 additions & 6 deletions
@@ -190,7 +190,6 @@ require (
 	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af
 	gopkg.in/typ.v4 v4.4.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	kernel.org/pub/linux/libs/security/libcap/cap v1.2.77
 	sigs.k8s.io/cli-utils v0.37.3-0.20250918194211-77c836a69463
 	sigs.k8s.io/hydrophone v0.7.0
@@ -369,6 +368,7 @@ require (
 	k8s.io/cli-runtime v0.35.0 // indirect
 	k8s.io/component-helpers v0.35.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	kernel.org/pub/linux/libs/security/libcap/psx v1.2.77 // indirect
 	rsc.io/qr v0.2.0 // indirect
 	sigs.k8s.io/controller-runtime v0.22.2 // indirect
 
@@ -129,6 +129,19 @@ A new `KubeSpanConfig` document has been introduced to configure KubeSpan settin
 It replaces and deprecates the previous method of configuring KubeSpan via the `.machine.network.kubespan` field.
 
 The old configuration field will continue to work for backward compatibility.
+"""
+
+    [notes.link_alias_config]
+        title = "LinkAliasConfig Pattern-Based Multi-Alias"
+        description = """\
+`LinkAliasConfig` now supports pattern-based alias names using `%d` format verb (e.g. `net%d`).
+
+When the alias name contains a `%d` format verb, the selector is allowed to match multiple links.
+Each matched link receives a sequential alias (e.g. `net0`, `net1`, ...) based on hardware address order
+of the links. Links already aliased by a previous config are automatically skipped.
+
+This enables creating stable aliases from any N links using a single config document,
+useful for `BondConfig` and `BridgeConfig` member interfaces on varying hardware.
 """
 
     [notes.extraArgs]
 
@@ -5,9 +5,12 @@
 package network
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"slices"
+	"strconv"
+	"strings"
 
 	"github.com/cosi-project/runtime/pkg/controller"
 	"github.com/cosi-project/runtime/pkg/safe"
@@ -89,6 +92,21 @@ func (ctrl *LinkAliasConfigController) Run(ctx context.Context, r controller.Run
 			return item.TypedSpec().Physical()
 		})
 
+		// sort the links by MAC address to ensure consistent alias assignment for pattern-based configs
+		slices.SortFunc(physicalLinks, func(a, b *network.LinkStatus) int {
+			addrA := a.TypedSpec().PermanentAddr
+			if len(addrA) == 0 {
+				addrA = a.TypedSpec().HardwareAddr
+			}
+
+			addrB := b.TypedSpec().PermanentAddr
+			if len(addrB) == 0 {
+				addrB = b.TypedSpec().HardwareAddr
+			}
+
+			return bytes.Compare(addrA, addrB)
+		})
+
 		physicalLinkSpecs := make([]*networkpb.LinkStatusSpec, 0, len(physicalLinks))
 
 		for _, link := range physicalLinks {
@@ -107,6 +125,11 @@ func (ctrl *LinkAliasConfigController) Run(ctx context.Context, r controller.Run
 			linkAliasConfigs = cfg.Config().NetworkLinkAliasConfigs()
 		}
 
+		// sort the link alias configs by name to ensure deterministic processing order
+		slices.SortFunc(linkAliasConfigs, func(a, b configconfig.NetworkLinkAliasConfig) int {
+			return strings.Compare(a.Name(), b.Name())
+		})
+
 		linkAliases := map[string]string{}
 
 		for _, lac := range linkAliasConfigs {
@@ -125,11 +148,8 @@ func (ctrl *LinkAliasConfigController) Run(ctx context.Context, r controller.Run
 				}
 			}
 
-			if len(matchedLinks) == 0 {
-				continue
-			}
-
-			if len(matchedLinks) > 1 {
+			// Fixed name: require exactly one match
+			if len(matchedLinks) > 1 && !lac.IsPatternAlias() {
 				logger.Warn("link selector matched multiple links, skipping",
 					zap.String("selector", lac.LinkSelector().String()),
 					zap.String("alias", lac.Name()),
@@ -141,19 +161,33 @@ func (ctrl *LinkAliasConfigController) Run(ctx context.Context, r controller.Run
 				continue
 			}
 
-			matchedLink := matchedLinks[0]
+			matchedLinks = xslices.Filter(matchedLinks, func(matchedLink *network.LinkStatus) bool {
+				_, alreadyAliased := linkAliases[matchedLink.Metadata().ID()]
+				if alreadyAliased {
+					logger.Warn("link already has an alias, skipping",
+						zap.String("link", matchedLink.Metadata().ID()),
+						zap.String("existing_alias", linkAliases[matchedLink.Metadata().ID()]),
+						zap.String("new_alias", lac.Name()),
+					)
+				}
 
-			if _, ok := linkAliases[matchedLink.Metadata().ID()]; ok {
-				logger.Warn("link already has an alias, skipping",
-					zap.String("link", matchedLink.Metadata().ID()),
-					zap.String("existing_alias", linkAliases[matchedLink.Metadata().ID()]),
-					zap.String("new_alias", lac.Name()),
-				)
+				return !alreadyAliased
+			})
 
+			if len(matchedLinks) == 0 {
 				continue
 			}
 
-			linkAliases[matchedLink.Metadata().ID()] = lac.Name()
+			if lac.IsPatternAlias() {
+				// Pattern-based name: create sequential aliases for each matched link in name order
+				for counter, matchedLink := range matchedLinks {
+					linkAliases[matchedLink.Metadata().ID()] = strings.Replace(lac.Name(), "%d", strconv.Itoa(counter), 1)
+				}
+			} else {
+				matchedLink := matchedLinks[0]
+
+				linkAliases[matchedLink.Metadata().ID()] = lac.Name()
+			}
 		}
 
 		for linkID, alias := range linkAliases {
 
@@ -29,6 +29,25 @@ type LinkAliasConfigSuite struct {
 	ctest.DefaultSuite
 }
 
+type testLink struct {
+	name          string
+	permanentAddr string
+}
+
+func (suite *LinkAliasConfigSuite) createLinks(links []testLink) {
+	for _, link := range links {
+		pAddr, err := net.ParseMAC(link.permanentAddr)
+		suite.Require().NoError(err)
+
+		status := network.NewLinkStatus(network.NamespaceName, link.name)
+		status.TypedSpec().PermanentAddr = nethelpers.HardwareAddr(pAddr)
+		status.TypedSpec().HardwareAddr = nethelpers.HardwareAddr(pAddr)
+		status.TypedSpec().Type = nethelpers.LinkEther
+
+		suite.Create(status)
+	}
+}
+
 func (suite *LinkAliasConfigSuite) TestMachineConfigurationNewStyle() {
 	lc1 := networkcfg.NewLinkAliasConfigV1Alpha1("net0")
 	lc1.Selector.Match = cel.MustExpression(cel.ParseBooleanExpression(`glob("00:1a:2b:*", mac(link.permanent_addr))`, celenv.LinkLocator()))
@@ -42,33 +61,11 @@ func (suite *LinkAliasConfigSuite) TestMachineConfigurationNewStyle() {
 	cfg := config.NewMachineConfig(ctr)
 	suite.Create(cfg)
 
-	for _, link := range []struct {
-		name          string
-		permanentAddr string
-	}{
-		{
-			name:          "enp0s2",
-			permanentAddr: "00:1a:2b:33:44:55",
-		},
-		{
-			name:          "enp1s3",
-			permanentAddr: "33:44:55:66:77:88",
-		},
-		{
-			name:          "enp1s4",
-			permanentAddr: "33:44:55:66:77:89",
-		},
-	} {
-		pAddr, err := net.ParseMAC(link.permanentAddr)
-		suite.Require().NoError(err)
-
-		status := network.NewLinkStatus(network.NamespaceName, link.name)
-		status.TypedSpec().PermanentAddr = nethelpers.HardwareAddr(pAddr)
-		status.TypedSpec().HardwareAddr = nethelpers.HardwareAddr(pAddr)
-		status.TypedSpec().Type = nethelpers.LinkEther
-
-		suite.Create(status)
-	}
+	suite.createLinks([]testLink{
+		{name: "enp0s2", permanentAddr: "00:1a:2b:33:44:55"},
+		{name: "enp1s3", permanentAddr: "33:44:55:66:77:88"},
+		{name: "enp1s4", permanentAddr: "33:44:55:66:77:89"},
+	})
 
 	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp0s2", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
 		asrt.Equal("net0", spec.TypedSpec().Alias)
@@ -81,6 +78,139 @@ func (suite *LinkAliasConfigSuite) TestMachineConfigurationNewStyle() {
 	rtestutils.AssertNoResource[*network.LinkAliasSpec](suite.Ctx(), suite.T(), suite.State(), "enp0s2")
 }
 
+func (suite *LinkAliasConfigSuite) TestMachineConfigurationTwoAliasesSameLink() {
+	lc1 := networkcfg.NewLinkAliasConfigV1Alpha1("net1")
+	lc1.Selector.Match = cel.MustExpression(cel.ParseBooleanExpression(`glob("00:1a:2b:*", mac(link.permanent_addr))`, celenv.LinkLocator()))
+
+	lc2 := networkcfg.NewLinkAliasConfigV1Alpha1("net0")
+	lc2.Selector.Match = cel.MustExpression(cel.ParseBooleanExpression(`glob("00:1a:2b:33:*", mac(link.permanent_addr))`, celenv.LinkLocator()))
+
+	ctr, err := container.New(lc1, lc2)
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(ctr)
+	suite.Create(cfg)
+
+	suite.createLinks([]testLink{
+		{name: "enp0s2", permanentAddr: "00:1a:2b:33:44:55"},
+	})
+
+	// the "smallest" alias (net0) should win, net1 should be ignored since it conflicts with net0
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp0s2", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net0", spec.TypedSpec().Alias)
+	})
+}
+
+func (suite *LinkAliasConfigSuite) TestPatternAliasSortsByMAC() {
+	// Test that pattern aliases are assigned in alphabetical order, regardless of creation order
+	lc1 := networkcfg.NewLinkAliasConfigV1Alpha1("net%d")
+	lc1.Selector.Match = cel.MustExpression(cel.ParseBooleanExpression(`link.type == 1`, celenv.LinkLocator()))
+
+	ctr, err := container.New(lc1)
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(ctr)
+	suite.Create(cfg)
+
+	// Create links out of order
+	suite.createLinks([]testLink{
+		{name: "enp1s4", permanentAddr: "33:44:55:66:77:88"},
+		{name: "enp0s2", permanentAddr: "00:1a:2b:33:44:55"},
+		{name: "enp1s3", permanentAddr: "33:44:55:66:77:89"},
+	})
+
+	// Aliases should follow alphabetical order of link name
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp0s2", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net0", spec.TypedSpec().Alias)
+	})
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp1s3", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net2", spec.TypedSpec().Alias)
+	})
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp1s4", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net1", spec.TypedSpec().Alias)
+	})
+
+	suite.Destroy(cfg)
+}
+
+func (suite *LinkAliasConfigSuite) TestPatternSkipsAlreadyAliased() {
+	// Test that a fixed-name config claims a link, and a subsequent pattern config skips it
+	lc1 := networkcfg.NewLinkAliasConfigV1Alpha1("mgmt0")
+	lc1.Selector.Match = cel.MustExpression(cel.ParseBooleanExpression(`mac(link.permanent_addr) == "00:1a:2b:33:44:55"`, celenv.LinkLocator()))
+
+	lc2 := networkcfg.NewLinkAliasConfigV1Alpha1("net%d")
+	lc2.Selector.Match = cel.MustExpression(cel.ParseBooleanExpression(`link.type == 1`, celenv.LinkLocator()))
+
+	ctr, err := container.New(lc1, lc2)
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(ctr)
+	suite.Create(cfg)
+
+	suite.createLinks([]testLink{
+		{name: "enp0s2", permanentAddr: "00:1a:2b:33:44:55"},
+		{name: "enp1s3", permanentAddr: "33:44:55:66:77:88"},
+		{name: "enp1s4", permanentAddr: "33:44:55:66:77:89"},
+	})
+
+	// enp0s2 gets mgmt0 from the fixed-name config
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp0s2", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("mgmt0", spec.TypedSpec().Alias)
+	})
+	// enp1s3 and enp1s4 get net0 and net1 from the pattern config (enp0s2 skipped)
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp1s3", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net0", spec.TypedSpec().Alias)
+	})
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp1s4", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net1", spec.TypedSpec().Alias)
+	})
+
+	suite.Destroy(cfg)
+}
+
+func (suite *LinkAliasConfigSuite) TestPatternReconcileOnLinkChange() {
+	// Test that when links change, pattern aliases are reconciled (re-numbered)
+	lc1 := networkcfg.NewLinkAliasConfigV1Alpha1("net%d")
+	lc1.Selector.Match = cel.MustExpression(cel.ParseBooleanExpression(`link.type == 1`, celenv.LinkLocator()))
+
+	ctr, err := container.New(lc1)
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(ctr)
+	suite.Create(cfg)
+
+	suite.createLinks([]testLink{
+		{name: "enp0s2", permanentAddr: "00:1a:2b:33:44:55"},
+		{name: "enp1s3", permanentAddr: "33:44:55:66:77:88"},
+		{name: "enp1s4", permanentAddr: "33:44:55:66:77:89"},
+	})
+
+	// Initial state: net0, net1, net2
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp0s2", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net0", spec.TypedSpec().Alias)
+	})
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp1s3", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net1", spec.TypedSpec().Alias)
+	})
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp1s4", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net2", spec.TypedSpec().Alias)
+	})
+
+	// Remove the middle link — aliases should be re-numbered
+	suite.Destroy(network.NewLinkStatus(network.NamespaceName, "enp1s3"))
+
+	// enp1s3 alias should be cleaned up, enp1s4 re-numbered to net1
+	rtestutils.AssertNoResource[*network.LinkAliasSpec](suite.Ctx(), suite.T(), suite.State(), "enp1s3")
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp0s2", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net0", spec.TypedSpec().Alias)
+	})
+	rtestutils.AssertResource(suite.Ctx(), suite.T(), suite.State(), "enp1s4", func(spec *network.LinkAliasSpec, asrt *assert.Assertions) {
+		asrt.Equal("net1", spec.TypedSpec().Alias)
+	})
+
+	suite.Destroy(cfg)
+}
+
 func TestLinkAliasConfigSuite(t *testing.T) {
 	t.Parallel()
 
 
@@ -175,6 +175,7 @@ type NetworkRouteConfig interface {
 type NetworkLinkAliasConfig interface {
 	NamedDocument
 	LinkSelector() cel.Expression
+	IsPatternAlias() bool
 }
 
 // NetworkDHCPConfig defines a DHCP configuration for a network link.
 
@@ -2457,16 +2457,16 @@
         "name": {
           "type": "string",
           "title": "name",
-          "description": "Alias for the link.\n\nDon’t use system interface names like “eth0”, “ens3”, “enp0s2”, etc. as those may conflict\nwith existing physical interfaces.\n",
-          "markdownDescription": "Alias for the link.\n\nDon't use system interface names like \"eth0\", \"ens3\", \"enp0s2\", etc. as those may conflict\nwith existing physical interfaces.",
-          "x-intellij-html-description": "\u003cp\u003eAlias for the link.\u003c/p\u003e\n\n\u003cp\u003eDon\u0026rsquo;t use system interface names like \u0026ldquo;eth0\u0026rdquo;, \u0026ldquo;ens3\u0026rdquo;, \u0026ldquo;enp0s2\u0026rdquo;, etc. as those may conflict\nwith existing physical interfaces.\u003c/p\u003e\n"
+          "description": "Alias for the link.\n\nDon’t use system interface names like “eth0”, “ens3”, “enp0s2”, etc. as those may conflict\nwith existing physical interfaces.\n\nThe name can contain a single integer format verb (%d) to create multiple aliases\nfrom a single config document. When a format verb is detected, each matched link receives a sequential\nalias (e.g. net0, net1, …) based on hardware address order of the links.\nLinks already aliased by a previous config are automatically skipped.\n",
+          "markdownDescription": "Alias for the link.\n\nDon't use system interface names like \"eth0\", \"ens3\", \"enp0s2\", etc. as those may conflict\nwith existing physical interfaces.\n\nThe name can contain a single integer format verb (`%d`) to create multiple aliases\nfrom a single config document. When a format verb is detected, each matched link receives a sequential\nalias (e.g. `net0`, `net1`, ...) based on hardware address order of the links.\nLinks already aliased by a previous config are automatically skipped.",
+          "x-intellij-html-description": "\u003cp\u003eAlias for the link.\u003c/p\u003e\n\n\u003cp\u003eDon\u0026rsquo;t use system interface names like \u0026ldquo;eth0\u0026rdquo;, \u0026ldquo;ens3\u0026rdquo;, \u0026ldquo;enp0s2\u0026rdquo;, etc. as those may conflict\nwith existing physical interfaces.\u003c/p\u003e\n\n\u003cp\u003eThe name can contain a single integer format verb (\u003ccode\u003e%d\u003c/code\u003e) to create multiple aliases\nfrom a single config document. When a format verb is detected, each matched link receives a sequential\nalias (e.g. \u003ccode\u003enet0\u003c/code\u003e, \u003ccode\u003enet1\u003c/code\u003e, \u0026hellip;) based on hardware address order of the links.\nLinks already aliased by a previous config are automatically skipped.\u003c/p\u003e\n"
         },
         "selector": {
           "$ref": "#/$defs/network.LinkSelector",
           "title": "selector",
-          "description": "Selector to match the link to alias.\n\nSelector must match exactly one link, otherwise an error is returned.\nIf multiple selectors match the same link, the first one is used.\n",
-          "markdownDescription": "Selector to match the link to alias.\n\nSelector must match exactly one link, otherwise an error is returned.\nIf multiple selectors match the same link, the first one is used.",
-          "x-intellij-html-description": "\u003cp\u003eSelector to match the link to alias.\u003c/p\u003e\n\n\u003cp\u003eSelector must match exactly one link, otherwise an error is returned.\nIf multiple selectors match the same link, the first one is used.\u003c/p\u003e\n"
+          "description": "Selector to match the link to alias.\n\nWhen the alias name is a fixed string, the selector must match exactly one link.\nWhen the alias name contains a format verb (e.g. net%d), the selector may match multiple links\nand each match receives a sequential alias.\nIf multiple selectors match the same link, the first one is used.\n",
+          "markdownDescription": "Selector to match the link to alias.\n\nWhen the alias name is a fixed string, the selector must match exactly one link.\nWhen the alias name contains a format verb (e.g. `net%d`), the selector may match multiple links\nand each match receives a sequential alias.\nIf multiple selectors match the same link, the first one is used.",
+          "x-intellij-html-description": "\u003cp\u003eSelector to match the link to alias.\u003c/p\u003e\n\n\u003cp\u003eWhen the alias name is a fixed string, the selector must match exactly one link.\nWhen the alias name contains a format verb (e.g. \u003ccode\u003enet%d\u003c/code\u003e), the selector may match multiple links\nand each match receives a sequential alias.\nIf multiple selectors match the same link, the first one is used.\u003c/p\u003e\n"
         }
       },
       "additionalProperties": false,
Original file line number	Diff line number	Diff line change
`@@ -175,6 +175,7 @@ type NetworkRouteConfig interface {`
`175`	`175`	`type NetworkLinkAliasConfig interface {`
`176`	`176`	`NamedDocument`
`177`	`177`	`LinkSelector() cel.Expression`
	`178`	`+ IsPatternAlias() bool`
`178`	`179`	`}`
`179`	`180`
`180`	`181`	`// NetworkDHCPConfig defines a DHCP configuration for a network link.`