fix: add hostname to endpoints

smira · smira · commit 96e604874b17 · 2026-01-15T22:56:46.000+04:00
Populate endpoint coming from the Kubernetes controlplane endpoint with the hostname (if the endpoint is a hostname). This should improve cases when hostname is used for the endpoint in terms of SNI, proper resolving of DNS if it's dynamic. See #12556 (comment) Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
diff --git a/api/resource/definitions/k8s/k8s.proto b/api/resource/definitions/k8s/k8s.proto
@@ -93,9 +93,10 @@ message ControllerManagerConfigSpec {
   Resources resources = 9;
 }
 
-// EndpointSpec describes status of rendered secrets.
+// EndpointSpec describes a list of endpoints to connect to.
 message EndpointSpec {
   repeated common.NetIP addresses = 1;
+  repeated string hosts = 2;
 }
 
 // ExtraManifest defines a single extra manifest to download.
diff --git a/internal/app/machined/pkg/controllers/k8s/static_endpoint.go b/internal/app/machined/pkg/controllers/k8s/static_endpoint.go
@@ -75,6 +75,7 @@ func (ctrl *StaticEndpointController) Run(ctx context.Context, r controller.Runt
 			var (
 				resolver net.Resolver
 				addrs    []netip.Addr
+				hosts    []string
 			)
 
 			addrs, err = resolver.LookupNetIP(ctx, "ip", cpHostname)
@@ -84,8 +85,13 @@ func (ctrl *StaticEndpointController) Run(ctx context.Context, r controller.Runt
 
 			addrs = xslices.Map(addrs, netip.Addr.Unmap)
 
+			if len(addrs) != 1 || addrs[0].String() != cpHostname {
+				hosts = []string{cpHostname}
+			}
+
 			if err = safe.WriterModify(ctx, r, k8s.NewEndpoint(k8s.ControlPlaneNamespaceName, k8s.ControlPlaneKubernetesEndpointsID), func(endpoint *k8s.Endpoint) error {
 				endpoint.TypedSpec().Addresses = addrs
+				endpoint.TypedSpec().Hosts = hosts
 
 				return nil
 			}); err != nil {
diff --git a/internal/app/machined/pkg/controllers/k8s/static_endpoint_test.go b/internal/app/machined/pkg/controllers/k8s/static_endpoint_test.go
@@ -51,13 +51,44 @@ func (suite *StaticEndpointControllerSuite) TestReconcile() {
 	rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{k8s.ControlPlaneKubernetesEndpointsID},
 		func(endpoint *k8s.Endpoint, assert *assert.Assertions) {
 			assert.Equal([]netip.Addr{netip.MustParseAddr("2001:db8::1")}, endpoint.TypedSpec().Addresses)
+			assert.Empty(endpoint.TypedSpec().Hosts)
 		})
 
 	suite.Require().NoError(suite.State().Destroy(suite.Ctx(), cfg.Metadata()))
 
 	rtestutils.AssertNoResource[*k8s.Endpoint](suite.Ctx(), suite.T(), suite.State(), k8s.ControlPlaneKubernetesEndpointsID)
 }
 
+func (suite *StaticEndpointControllerSuite) TestReconcileHostname() {
+	u, err := url.Parse("https://localhost:6443/")
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(
+		container.NewV1Alpha1(
+			&v1alpha1.Config{
+				ConfigVersion: "v1alpha1",
+				MachineConfig: &v1alpha1.MachineConfig{},
+				ClusterConfig: &v1alpha1.ClusterConfig{
+					ControlPlane: &v1alpha1.ControlPlaneConfig{
+						Endpoint: &v1alpha1.Endpoint{
+							URL: u,
+						},
+					},
+				},
+			},
+		),
+	)
+
+	suite.Require().NoError(suite.State().Create(suite.Ctx(), cfg))
+
+	rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{k8s.ControlPlaneKubernetesEndpointsID},
+		func(endpoint *k8s.Endpoint, assert *assert.Assertions) {
+			// localhost might resolve to ::1 as well, check only for 127.0.0.1
+			assert.Contains(endpoint.TypedSpec().Addresses, netip.MustParseAddr("127.0.0.1"))
+			assert.Equal([]string{"localhost"}, endpoint.TypedSpec().Hosts)
+		})
+}
+
 func TestStaticEndpointControllerSuite(t *testing.T) {
 	t.Parallel()
 
diff --git a/internal/app/machined/pkg/controllers/kubeaccess/endpoint.go b/internal/app/machined/pkg/controllers/kubeaccess/endpoint.go
@@ -108,7 +108,7 @@ func (ctrl *EndpointController) Run(ctx context.Context, r controller.Runtime, l
 			endpointAddrs = endpointAddrs.Merge(endpointResource)
 		}
 
-		if len(endpointAddrs) == 0 {
+		if endpointAddrs.IsEmpty() {
 			continue
 		}
 
@@ -212,20 +212,20 @@ func (ctrl *EndpointController) ensureTalosEndpointSlices(ctx context.Context, l
 		addrsIPv6 k8s.EndpointList
 	)
 
-	for _, addr := range endpointAddrs {
+	for _, addr := range endpointAddrs.Addresses {
 		switch {
 		case addr.Is4():
-			addrsIPv4 = append(addrsIPv4, addr)
+			addrsIPv4.Addresses = append(addrsIPv4.Addresses, addr)
 
 		case addr.Is6():
-			addrsIPv6 = append(addrsIPv6, addr)
+			addrsIPv6.Addresses = append(addrsIPv6.Addresses, addr)
 
 		default:
 			// ignore other address types
 		}
 	}
 
-	if len(addrsIPv4) == 0 {
+	if len(addrsIPv4.Addresses) == 0 {
 		if err := ctrl.deleteTalosEndpointSlicesTyped(ctx, logger, client, discoveryv1.AddressTypeIPv4); err != nil {
 			return fmt.Errorf("error deleting Talos API endpoint slices for IPv4: %w", err)
 		}
@@ -235,7 +235,7 @@ func (ctrl *EndpointController) ensureTalosEndpointSlices(ctx context.Context, l
 		}
 	}
 
-	if len(addrsIPv6) == 0 {
+	if len(addrsIPv6.Addresses) == 0 {
 		if err := ctrl.deleteTalosEndpointSlicesTyped(ctx, logger, client, discoveryv1.AddressTypeIPv6); err != nil {
 			return fmt.Errorf("error deleting Talos API endpoint slices for IPv6: %w", err)
 		}
@@ -306,7 +306,7 @@ func (ctrl *EndpointController) ensureTalosEndpointSlicesTyped(
 			},
 		}
 
-		for _, addr := range endpointAddrs {
+		for _, addr := range endpointAddrs.Addresses {
 			newEndpointSlice.Endpoints = append(
 				newEndpointSlice.Endpoints,
 				discoveryv1.Endpoint{
diff --git a/internal/app/machined/pkg/controllers/secrets/api.go b/internal/app/machined/pkg/controllers/secrets/api.go
@@ -257,7 +257,7 @@ func (ctrl *APIController) reconcile(ctx context.Context, r controller.Runtime,
 				endpointAddrs = endpointAddrs.Merge(res.(*k8s.Endpoint))
 			}
 
-			if len(endpointAddrs) == 0 {
+			if endpointAddrs.IsEmpty() {
 				continue
 			}
 
diff --git a/internal/pkg/etcd/endpoints.go b/internal/pkg/etcd/endpoints.go
@@ -33,7 +33,7 @@ func GetEndpoints(ctx context.Context, resources state.State) ([]string, error)
 		endpointAddrs = endpointAddrs.Merge(res)
 	}
 
-	if len(endpointAddrs) == 0 {
+	if endpointAddrs.IsEmpty() {
 		return nil, errors.New("no controlplane endpoints discovered yet")
 	}
 
diff --git a/pkg/machinery/api/resource/definitions/k8s/k8s.pb.go b/pkg/machinery/api/resource/definitions/k8s/k8s.pb.go
diff --git a/pkg/machinery/api/resource/definitions/k8s/k8s_vtproto.pb.go b/pkg/machinery/api/resource/definitions/k8s/k8s_vtproto.pb.go
diff --git a/pkg/machinery/resources/k8s/deep_copy.generated.go b/pkg/machinery/resources/k8s/deep_copy.generated.go
diff --git a/pkg/machinery/resources/k8s/endpoint.go b/pkg/machinery/resources/k8s/endpoint.go
@@ -32,11 +32,12 @@ const ControlPlaneKubernetesEndpointsID = resource.ID("controlplane")
 // Endpoint resource holds definition of rendered secrets.
 type Endpoint = typed.Resource[EndpointSpec, EndpointExtension]
 
-// EndpointSpec describes status of rendered secrets.
+// EndpointSpec describes a list of endpoints to connect to.
 //
 //gotagsrewrite:gen
 type EndpointSpec struct {
 	Addresses []netip.Addr `yaml:"addresses" protobuf:"1"`
+	Hosts     []string     `yaml:"hosts" protobuf:"2"`
 }
 
 // NewEndpoint initializes the Endpoint resource.
@@ -61,32 +62,56 @@ func (EndpointExtension) ResourceDefinition() meta.ResourceDefinitionSpec {
 				Name:     "Addresses",
 				JSONPath: "{.addresses}",
 			},
+			{
+				Name:     "Hosts",
+				JSONPath: "{.hosts}",
+			},
 		},
 	}
 }
 
 // EndpointList is a flattened list of endpoints.
-type EndpointList []netip.Addr
+type EndpointList struct {
+	Addresses []netip.Addr
+	Hosts     []string
+}
 
 // Merge endpoints from multiple Endpoint resources into a single list.
 func (l EndpointList) Merge(endpoint *Endpoint) EndpointList {
 	for _, ip := range endpoint.TypedSpec().Addresses {
-		idx, _ := slices.BinarySearchFunc(l, ip, func(a netip.Addr, target netip.Addr) int {
+		idx, _ := slices.BinarySearchFunc(l.Addresses, ip, func(a netip.Addr, target netip.Addr) int {
 			return a.Compare(target)
 		})
-		if idx < len(l) && l[idx].Compare(ip) == 0 {
+		if idx < len(l.Addresses) && l.Addresses[idx].Compare(ip) == 0 {
 			continue
 		}
 
-		l = slices.Insert(l, idx, ip)
+		l.Addresses = slices.Insert(l.Addresses, idx, ip)
+	}
+
+	for _, host := range endpoint.TypedSpec().Hosts {
+		idx, _ := slices.BinarySearch(l.Hosts, host)
+		if idx < len(l.Hosts) && l.Hosts[idx] == host {
+			continue
+		}
+
+		l.Hosts = slices.Insert(l.Hosts, idx, host)
 	}
 
 	return l
 }
 
+// IsEmpty checks if the EndpointList is empty.
+func (l EndpointList) IsEmpty() bool {
+	return len(l.Addresses) == 0 && len(l.Hosts) == 0
+}
+
 // Strings returns a slice of formatted endpoints to string.
 func (l EndpointList) Strings() []string {
-	return xslices.Map(l, netip.Addr.String)
+	return slices.Concat(
+		xslices.Map(l.Addresses, netip.Addr.String),
+		l.Hosts,
+	)
 }
 
 func init() {
diff --git a/pkg/machinery/resources/k8s/endpoint_test.go b/pkg/machinery/resources/k8s/endpoint_test.go
@@ -35,3 +35,43 @@ func TestEndpointList(t *testing.T) {
 
 	assert.Equal(t, []string{"172.20.0.2", "172.20.0.3", "172.20.0.4"}, l.Strings())
 }
+
+func TestEndpointListWithHosts(t *testing.T) {
+	t.Parallel()
+
+	var l k8s.EndpointList
+
+	assert.True(t, l.IsEmpty())
+
+	e1 := k8s.NewEndpoint(k8s.ControlPlaneNamespaceName, "1")
+	e1.TypedSpec().Addresses = []netip.Addr{
+		netip.MustParseAddr("172.20.0.2"),
+	}
+	e1.TypedSpec().Hosts = []string{
+		"host1.example.com",
+		"host2.example.com",
+	}
+
+	e2 := k8s.NewEndpoint(k8s.ControlPlaneNamespaceName, "2")
+	e2.TypedSpec().Addresses = []netip.Addr{
+		netip.MustParseAddr("172.20.0.3"),
+	}
+	e2.TypedSpec().Hosts = []string{
+		"host2.example.com",
+		"host3.example.com",
+	}
+
+	l = l.Merge(e1)
+	l = l.Merge(e2)
+
+	assert.Equal(t,
+		[]string{
+			"172.20.0.2",
+			"172.20.0.3",
+			"host1.example.com",
+			"host2.example.com",
+			"host3.example.com",
+		},
+		l.Strings(),
+	)
+}
diff --git a/website/content/v1.13/reference/api.md b/website/content/v1.13/reference/api.md

Original file line number	Diff line number	Diff line change
`@@ -93,9 +93,10 @@ message ControllerManagerConfigSpec {`
`93`	`93`	`Resources resources = 9;`
`94`	`94`	`}`
`95`	`95`
`96`		`-// EndpointSpec describes status of rendered secrets.`
	`96`	`+// EndpointSpec describes a list of endpoints to connect to.`
`97`	`97`	`message EndpointSpec {`
`98`	`98`	`repeated common.NetIP addresses = 1;`
	`99`	`+ repeated string hosts = 2;`
`99`	`100`	`}`
`100`	`101`
`101`	`102`	`// ExtraManifest defines a single extra manifest to download.`
Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,7 @@ func (ctrl *EndpointController) Run(ctx context.Context, r controller.Runtime, l`
`108`	`108`	`endpointAddrs = endpointAddrs.Merge(endpointResource)`
`109`	`109`	`}`
`110`	`110`
`111`		`- if len(endpointAddrs) == 0 {`
	`111`	`+ if endpointAddrs.IsEmpty() {`
`112`	`112`	`continue`
`113`	`113`	`}`
`114`	`114`
`@@ -212,20 +212,20 @@ func (ctrl *EndpointController) ensureTalosEndpointSlices(ctx context.Context, l`
`212`	`212`	`addrsIPv6 k8s.EndpointList`
`213`	`213`	`)`
`214`	`214`
`215`		`- for _, addr := range endpointAddrs {`
	`215`	`+ for _, addr := range endpointAddrs.Addresses {`
`216`	`216`	`switch {`
`217`	`217`	`case addr.Is4():`
`218`		`- addrsIPv4 = append(addrsIPv4, addr)`
	`218`	`+ addrsIPv4.Addresses = append(addrsIPv4.Addresses, addr)`
`219`	`219`
`220`	`220`	`case addr.Is6():`
`221`		`- addrsIPv6 = append(addrsIPv6, addr)`
	`221`	`+ addrsIPv6.Addresses = append(addrsIPv6.Addresses, addr)`
`222`	`222`
`223`	`223`	`default:`
`224`	`224`	`// ignore other address types`
`225`	`225`	`}`
`226`	`226`	`}`
`227`	`227`
`228`		`- if len(addrsIPv4) == 0 {`
	`228`	`+ if len(addrsIPv4.Addresses) == 0 {`
`229`	`229`	`if err := ctrl.deleteTalosEndpointSlicesTyped(ctx, logger, client, discoveryv1.AddressTypeIPv4); err != nil {`
`230`	`230`	`return fmt.Errorf("error deleting Talos API endpoint slices for IPv4: %w", err)`
`231`	`231`	`}`
`@@ -235,7 +235,7 @@ func (ctrl *EndpointController) ensureTalosEndpointSlices(ctx context.Context, l`
`235`	`235`	`}`
`236`	`236`	`}`
`237`	`237`
`238`		`- if len(addrsIPv6) == 0 {`
	`238`	`+ if len(addrsIPv6.Addresses) == 0 {`
`239`	`239`	`if err := ctrl.deleteTalosEndpointSlicesTyped(ctx, logger, client, discoveryv1.AddressTypeIPv6); err != nil {`
`240`	`240`	`return fmt.Errorf("error deleting Talos API endpoint slices for IPv6: %w", err)`
`241`	`241`	`}`
`@@ -306,7 +306,7 @@ func (ctrl *EndpointController) ensureTalosEndpointSlicesTyped(`
`306`	`306`	`},`
`307`	`307`	`}`
`308`	`308`
`309`		`- for _, addr := range endpointAddrs {`
	`309`	`+ for _, addr := range endpointAddrs.Addresses {`
`310`	`310`	`newEndpointSlice.Endpoints = append(`
`311`	`311`	`newEndpointSlice.Endpoints,`
`312`	`312`	`discoveryv1.Endpoint{`
Original file line number	Diff line number	Diff line change
`@@ -257,7 +257,7 @@ func (ctrl *APIController) reconcile(ctx context.Context, r controller.Runtime,`
`257`	`257`	`endpointAddrs = endpointAddrs.Merge(res.(*k8s.Endpoint))`
`258`	`258`	`}`
`259`	`259`
`260`		`- if len(endpointAddrs) == 0 {`
	`260`	`+ if endpointAddrs.IsEmpty() {`
`261`	`261`	`continue`
`262`	`262`	`}`
`263`	`263`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ func GetEndpoints(ctx context.Context, resources state.State) ([]string, error)`
`33`	`33`	`endpointAddrs = endpointAddrs.Merge(res)`
`34`	`34`	`}`
`35`	`35`
`36`		`- if len(endpointAddrs) == 0 {`
	`36`	`+ if endpointAddrs.IsEmpty() {`
`37`	`37`	`return nil, errors.New("no controlplane endpoints discovered yet")`
`38`	`38`	`}`
`39`	`39`