vtalosconfigtemplate admission webhook unconditionally rejects any Spec change, including the dry-run SSA the CAPI topology controller performs to detect template changes. As a result, ClusterClass variable changes that mutate a worker TalosConfigTemplate (e.g. talosVersion / talosImage bumps) cannot propagate, and worker MachineDeployments stay on the old Talos version indefinitely.
Discovered while testing siderolabs/cluster-api-control-plane-provider-talos#251. Control plane upgrade works fine; only workers are blocked.
Steps to reproduce
- ClusterClass referencing a TalosConfigTemplate as default-worker.
- Cluster with spec.topology.variables including talosVersion and talosImage, used in patches that mutate the worker bootstrap template.
- After the cluster is healthy, bump talosVersion (e.g. v1.12 → v1.13) and talosImage and re-apply.
- Observe Cluster.status.conditions[type=TopologyReconciled].
Observed
TopologyReconciled: error reconciling the Cluster topology: failed to reconcile
MachineDeployment atlas/atlas-worker: failed to create patch helper for
TalosConfigTemplate atlas/atlas-worker-6jrnk: server side apply dry-run failed
for modified object: admission webhook "vtalosconfigtemplate.cluster.x-k8s.io"
denied the request: TalosConfigTemplate.Spec is immutable
Worker MachineDeployment stays on the old Talos version. Control plane rolls out normally (managed by CACPPT, doesn't go through this webhook).
Root cause
api/v1beta1/talosconfigtemplate_webhook.go rejects any Spec change with no bypass for req.DryRun + topology.cluster.x-k8s.io/dry-run. This violates the CAPI TopologyDryRunAnnotation contract, so the topology controller's dry-run SSA fails before it can compute HasSpecChanges and trigger template rotation.
Suggested fix
Skip the immutability check when the admission request is a topology dry-run, using topology.ShouldSkipImmutabilityChecks from sigs.k8s.io/cluster-api/util/topology. This preserves immutability for direct user edits while letting CAPI topology compute spec changes and trigger template rotation. Same change applies to api/v1beta1/talosconfig_webhook.go.
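As an added illustration of the suggested fix (not the provider's code), this is the decision a patched ValidateUpdate would make. The request, spec and template types are constructed stand-ins, and the topology.ShouldSkipImmutabilityChecks logic is inlined as skipImmutability so the block runs without the cluster-api module; the real webhook would call the library function instead.

```go
package main

import (
	"errors"
	"reflect"
)

// Annotation the CAPI topology controller sets on the object it dry-run applies.
const TopologyDryRunAnnotation = "topology.cluster.x-k8s.io/dry-run"
// TemplateSpec and Template are constructed stand-ins for TalosConfigTemplate.
type TemplateSpec struct {
	TalosVersion string
	TalosImage   string
}
type Template struct {
	Annotations map[string]string
	Spec        TemplateSpec
}

// AdmissionRequest carries the one request field the bypass depends on.
type AdmissionRequest struct {
	DryRun *bool
}

// ErrSpecImmutable is the rejection the current webhook returns unconditionally.
var ErrSpecImmutable = errors.New("TalosConfigTemplate.Spec is immutable")

// skipImmutability mirrors topology.ShouldSkipImmutabilityChecks: only a
// server-side dry-run that also carries the topology annotation qualifies,
// so a plain dry-run or a direct user edit never bypasses the check.
func skipImmutability(req AdmissionRequest, obj Template) bool {
	if req.DryRun == nil || !*req.DryRun {
		return false
	}
	_, ok := obj.Annotations[TopologyDryRunAnnotation]
	return ok
}

// validateTemplateUpdate is the fixed ValidateUpdate decision: Spec changes
// are rejected for every caller except the topology controller's dry-run SSA.
func validateTemplateUpdate(req AdmissionRequest, oldObj, newObj Template) error {
	if skipImmutability(req, newObj) {
		return nil
	}
	if !reflect.DeepEqual(oldObj.Spec, newObj.Spec) {
		return ErrSpecImmutable
	}
	return nil
}
```

Only the annotated dry-run from the topology controller passes with a changed Spec; a direct edit, or a dry-run without the annotation, still gets the immutability rejection.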
Environment