fix(hetzner): autoscaler blocked by 64-char schematic label and unexpanded ~ in kubeconfig path

[devantler]

Bug 1: Hetzner label value exceeds 63-char limit when using Talos schematic SHA256

Steps to reproduce

Configure ksail.yaml with:

spec:
  cluster:
    distribution: Talos
    provider: Hetzner
    autoscaler:
      node:
        enabled: true
        pools: [...]
    talos:
      version: v1.12.4
      iso: 125127
      extensions:
        - siderolabs/iscsi-tools
        - siderolabs/util-linux-tools
        - siderolabs/qemu-guest-agent

Run ksail cluster update.

Expected

Autoscaler config secret created.

Actual

✗ failed to apply updates: failed to ensure autoscaler config secret:
  looking up snapshot image for autoscaler secret:
  failed to ensure Talos snapshot:
  failed to look up Talos snapshot:
  invalid label_selector: value contains invalid characters or is malformed

Root cause

pkg/svc/provider/hetzner/snapshot.go:findExistingSnapshot builds:

ksail.io/talos-schematic=e187c9b90f773cd8c84e5a3265c5554ee787b2fe67b508d9f955e90e7ae8c96c

The Talos factory schematic ID is a SHA256 (64 hex chars). Hetzner Cloud limits label values to 63 characters (per hcloud-go validation). The selector is rejected.

Suggested fix

Hash/truncate the schematic ID for the label, e.g. first 16 hex chars, OR encode as two labels (-schematic-prefix, -schematic-suffix), OR hash to base32-no-pad.

---

Bug 2: ~ in kubeconfig path not expanded before EvalCanonicalPath

Steps to reproduce

Run ksail cluster update --config ksail.prod.yaml with no --kubeconfig flag (default path is ~/.kube/config).

Actual

✗ failed to apply updates: failed to ensure autoscaler config secret:
  ensuring hcloud secret for autoscaler:
  canonicalizing kubeconfig path for hcloud secret:
  resolving symlinks for parent: lstat /Users/.../platform/~: no such file or directory

Root cause

pkg/svc/provisioner/cluster/talos/provisioner_hetzner.go calls fsutil.EvalCanonicalPath(p.options.KubeconfigPath) with the raw default ~/.kube/config. filepath.Abs("~/.kube/config") does NOT expand ~ — it produces <cwd>/~/.kube/config. EvalSymlinks then fails on the literal ~ directory.

Workaround

Pass --kubeconfig "$HOME/.kube/config" explicitly.

Suggested fix

Expand ~ (e.g. os.UserHomeDir) before passing to EvalCanonicalPath, either in the option-loading layer or inside EvalCanonicalPath itself.

---

Environment

• ksail version: 7.14.0
• OS: macOS (Darwin)
• Talos: v1.12.4, ISO 125127
• Provider: Hetzner

Impact

Both bugs together prevent ksail cluster update from creating the node autoscaler config secret on Hetzner clusters. Fix would unblock CI/CD for autoscaler-enabled prod clusters.

[github-actions]

🤖 This is an automated response from Repo Assist.

Both root causes look accurate based on the code:

Bug 1 (Hetzner label 63-char limit): pkg/svc/provider/hetzner/snapshot.go builds a label value from the full 64-char SHA256 schematic ID, which exceeds Hetzner Cloud's 63-char label value limit. The first 16–32 hex characters of the SHA256 would uniquely identify the schematic in practice.

Bug 2 (~ not expanded before EvalCanonicalPath): pkg/svc/provisioner/cluster/talos/provisioner_hetzner.go calls fsutil.EvalCanonicalPath(p.options.KubeconfigPath) directly. Since filepath.Abs("~/.kube/config") doesn't expand ~, it produces the wrong path. The fix is to call fsutil.ExpandHomePath (which already exists in pkg/fsutil/path.go) before EvalCanonicalPath.

PR #4647 appears to address both issues — looks like the right fix direction. 👍

Generated by 🤖 Repo Assist, see workflow run.