fix: overwrite resolver config with machine config

smira · smira · commit c7aa266ea5c9 · 2026-01-21T16:14:36.000+04:00
Fixes #12614 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
diff --git a/hack/release.toml b/hack/release.toml
@@ -139,8 +139,8 @@ BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, Cont
 """
 
     [notes.serviceAccountIssuer]
-    title = "Service Account Issuer configuration"
-    description = """\
+        title = "Service Account Issuer configuration"
+        description = """\
 In API Server, passing extra args with `service-account-issuer` will append them after default value.
 This allows easy migration, e.g. by changing `.cluster.controlPlane.endpoint` to new value, and keeping the old value in
 `.cluster.apiServer.extraArgs["service-account-issuer"]`.
@@ -155,6 +155,13 @@ For example:
     * a max size of "-25%" means the volume can grow to the available space minus 25%.
 """
 
+    [notes.resolver_config]
+        title = "ResolverConfig"
+        description = """\
+The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
+Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.
+"""
+
 [make_deps]
 
     [make_deps.tools]
diff --git a/internal/app/machined/pkg/controllers/network/resolver_merge.go b/internal/app/machined/pkg/controllers/network/resolver_merge.go
@@ -40,14 +40,19 @@ func NewResolverMergeController() controller.Controller {
 
 				final.SearchDomains = slices.Insert(final.SearchDomains, 0, spec.SearchDomains...)
 
-				if spec.ConfigLayer == final.ConfigLayer {
+				switch spec.ConfigLayer { //nolint:exhaustive
+				case final.ConfigLayer:
 					// simply append server lists on the same layer
 					final.DNSServers = append(final.DNSServers, spec.DNSServers...)
-				} else {
+				case network.ConfigMachineConfiguration:
+					// machine configuration layer overrides any previous layers completely
+					final.DNSServers = slices.Clone(spec.DNSServers)
+				default:
 					// otherwise, do a smart merge across IPv4/IPv6
-					final.ConfigLayer = spec.ConfigLayer
 					mergeDNSServers(&final.DNSServers, spec.DNSServers)
 				}
+
+				final.ConfigLayer = spec.ConfigLayer
 			}
 
 			if final.DNSServers != nil {
@@ -63,7 +68,7 @@ func NewResolverMergeController() controller.Controller {
 
 func mergeDNSServers(dst *[]netip.Addr, src []netip.Addr) {
 	if *dst == nil {
-		*dst = src
+		*dst = slices.Clone(src)
 
 		return
 	}
@@ -81,6 +86,6 @@ func mergeDNSServers(dst *[]netip.Addr, src []netip.Addr) {
 	case dstHasV6 && !srcHasV6:
 		*dst = slices.Concat(src, xslices.Filter(*dst, netip.Addr.Is6))
 	default:
-		*dst = src
+		*dst = slices.Clone(src)
 	}
 }
diff --git a/internal/app/machined/pkg/controllers/network/resolver_merge_test.go b/internal/app/machined/pkg/controllers/network/resolver_merge_test.go
@@ -117,6 +117,36 @@ func (suite *ResolverMergeSuite) TestMergeIPv46() {
 	)
 }
 
+func (suite *ResolverMergeSuite) TestMergeIPv6OnlyConfig() {
+	def := network.NewResolverSpec(network.ConfigNamespaceName, "default/resolvers")
+	*def.TypedSpec() = network.ResolverSpecSpec{
+		DNSServers: []netip.Addr{
+			netip.MustParseAddr(constants.DefaultPrimaryResolver),
+			netip.MustParseAddr(constants.DefaultSecondaryResolver),
+		},
+		ConfigLayer: network.ConfigDefault,
+	}
+
+	cfg := network.NewResolverSpec(network.ConfigNamespaceName, "cfg/resolvers")
+	*cfg.TypedSpec() = network.ResolverSpecSpec{
+		DNSServers:  []netip.Addr{netip.MustParseAddr("fe80::1")},
+		ConfigLayer: network.ConfigMachineConfiguration,
+	}
+
+	for _, res := range []resource.Resource{def, cfg} {
+		suite.Create(res)
+	}
+
+	suite.assertResolvers(
+		[]string{
+			"resolvers",
+		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
+			asrt.Equal(network.ConfigMachineConfiguration, r.TypedSpec().ConfigLayer)
+			asrt.Equal(`["fe80::1"]`, fmt.Sprintf("%q", r.TypedSpec().DNSServers))
+		},
+	)
+}
+
 func TestResolverMergeSuite(t *testing.T) {
 	t.Parallel()
 
