fix: bind events source to the siderolink address

Also:
- bring down APID if the certs are not ready, and the machine is
  configured.
- fix reboot status requeue interval.
- cleanup the old static pods when the hostname changes.
- use machine uuid in the controllers (instead of `machine-N`),

Signed-off-by: Artem Chernyshev <[email protected]>

go.mod

@@ -8,13 +8,13 @@ replace (
 	gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c
 
 	// all these rewrites are here to import k8s.io/kubernetes module
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.2
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.2
-	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.2
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.2
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.2
-	k8s.io/mount-utils => k8s.io/mount-utils v0.30.2
-	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.2
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.3
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.3
+	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.3
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.3
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.3
+	k8s.io/mount-utils => k8s.io/mount-utils v0.30.3
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.3
 )
 
 require (
@@ -62,10 +62,11 @@ require (
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.65.0
 	google.golang.org/protobuf v1.34.2
-	k8s.io/api v0.30.2
-	k8s.io/apimachinery v0.30.2
-	k8s.io/client-go v0.30.2
-	k8s.io/kubernetes v1.30.2
+	k8s.io/api v0.30.3
+	k8s.io/apimachinery v0.30.3
+	k8s.io/apiserver v0.30.3
+	k8s.io/client-go v0.30.3
+	k8s.io/kubernetes v1.30.3
 )
 
 require (
@@ -189,19 +190,18 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.30.2 // indirect
-	k8s.io/apiserver v0.30.2 // indirect
-	k8s.io/cloud-provider v0.30.2 // indirect
+	k8s.io/apiextensions-apiserver v0.30.3 // indirect
+	k8s.io/cloud-provider v0.30.3 // indirect
 	k8s.io/cluster-bootstrap v0.0.0 // indirect
-	k8s.io/component-base v0.30.2 // indirect
-	k8s.io/component-helpers v0.30.2 // indirect
-	k8s.io/controller-manager v0.30.2 // indirect
+	k8s.io/component-base v0.30.3 // indirect
+	k8s.io/component-helpers v0.30.3 // indirect
+	k8s.io/controller-manager v0.30.3 // indirect
 	k8s.io/dynamic-resource-allocation v0.0.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kms v0.30.2 // indirect
+	k8s.io/kms v0.30.3 // indirect
 	k8s.io/kube-aggregator v0.0.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20240709000822-3c01b740850f // indirect
-	k8s.io/kubelet v0.30.2 // indirect
+	k8s.io/kubelet v0.30.3 // indirect
 	k8s.io/legacy-cloud-providers v0.0.0 // indirect
 	k8s.io/mount-utils v0.0.0 // indirect
 	k8s.io/pod-security-admission v0.0.0 // indirect

go.sum

@@ -968,49 +968,49 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.30.2 h1:+ZhRj+28QT4UOH+BKznu4CBgPWgkXO7XAvMcMl0qKvI=
-k8s.io/api v0.30.2/go.mod h1:ULg5g9JvOev2dG0u2hig4Z7tQ2hHIuS+m8MNZ+X6EmI=
-k8s.io/apiextensions-apiserver v0.30.2 h1:l7Eue2t6QiLHErfn2vwK4KgF4NeDgjQkCXtEbOocKIE=
-k8s.io/apiextensions-apiserver v0.30.2/go.mod h1:lsJFLYyK40iguuinsb3nt+Sj6CmodSI4ACDLep1rgjw=
-k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg=
-k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
-k8s.io/apiserver v0.30.2 h1:ACouHiYl1yFI2VFI3YGM+lvxgy6ir4yK2oLOsLI1/tw=
-k8s.io/apiserver v0.30.2/go.mod h1:BOTdFBIch9Sv0ypSEcUR6ew/NUFGocRFNl72Ra7wTm8=
-k8s.io/client-go v0.30.2 h1:sBIVJdojUNPDU/jObC+18tXWcTJVcwyqS9diGdWHk50=
-k8s.io/client-go v0.30.2/go.mod h1:JglKSWULm9xlJLx4KCkfLLQ7XwtlbflV6uFFSHTMgVs=
-k8s.io/cloud-provider v0.30.2 h1:yov6r02v7sMUNNvzEz51LtL2krn2c1wsC+dy/8BxKQI=
-k8s.io/cloud-provider v0.30.2/go.mod h1:w69t2dSjDtI9BYK6SEqj6HmMKIojEk08fXRoUzjFN2I=
-k8s.io/cluster-bootstrap v0.30.2 h1:9PQ5phjWTxmPFKPEzTG6QJzPaUIfuW2RqcHDME5gqPg=
-k8s.io/cluster-bootstrap v0.30.2/go.mod h1:dvzAgNVmwRfZ0BzHI/WTvzqlzmNH7w21mdnahEq61KY=
-k8s.io/component-base v0.30.2 h1:pqGBczYoW1sno8q9ObExUqrYSKhtE5rW3y6gX88GZII=
-k8s.io/component-base v0.30.2/go.mod h1:yQLkQDrkK8J6NtP+MGJOws+/PPeEXNpwFixsUI7h/OE=
-k8s.io/component-helpers v0.30.2 h1:kDMYLiWEYeWU7H6jBI+Ua1i2hqNh0DzqDHNIppFC3po=
-k8s.io/component-helpers v0.30.2/go.mod h1:tI0anfS6AbRqooaICkGg7UVAQLedOauVSQW9srDBnJw=
-k8s.io/controller-manager v0.30.2 h1:tC7V7IdGUW2I4de3bXx4m2fS3naP7VlCYlECCajK9fU=
-k8s.io/controller-manager v0.30.2/go.mod h1:CYltIHGhCgldEkXT5vS2JHCCWM1WyBI4kA2UfP9cZvY=
-k8s.io/csi-translation-lib v0.30.2 h1:ZcFVMWDHg7feW3mtdl+xClgmw1Yxv7m9ysOKt8h3K8Y=
-k8s.io/csi-translation-lib v0.30.2/go.mod h1:jFT8vquP6eSDUwDHk0mKT6uKFWlZp60ecUEUhmlGsOY=
-k8s.io/dynamic-resource-allocation v0.30.2 h1:wEhjNbVPymPEY5Db4UXPiQkioHV/4MHDzAkf+1TLaNM=
-k8s.io/dynamic-resource-allocation v0.30.2/go.mod h1:J5gKMh7FcGcWziX6ugeNfyFM8j1mvxBgYWrLfRDZ38k=
+k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ=
+k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04=
+k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U=
+k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4=
+k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc=
+k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g=
+k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg=
+k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
+k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
+k8s.io/cloud-provider v0.30.3 h1:SNWZmllTymOTzIPJuhtZH6il/qVi75dQARRQAm9k6VY=
+k8s.io/cloud-provider v0.30.3/go.mod h1:Ax0AVdHnM7tMYnJH1Ycy4SMBD98+4zA+tboUR9eYsY8=
+k8s.io/cluster-bootstrap v0.30.3 h1:MgxyxMkpaC6mu0BKWJ8985XCOnKU+eH3Iy+biwtDXRk=
+k8s.io/cluster-bootstrap v0.30.3/go.mod h1:h8BoLDfdD7XEEIXy7Bx9FcMzxHwz29jsYYi34bM5DKU=
+k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s=
+k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA=
+k8s.io/component-helpers v0.30.3 h1:KPc8l0eGx9Wg2OcKc58k9ozNcVcOInAi3NGiuS2xJ/c=
+k8s.io/component-helpers v0.30.3/go.mod h1:VOQ7g3q+YbKWwKeACG2BwPv4ftaN8jXYJ5U3xpzuYAE=
+k8s.io/controller-manager v0.30.3 h1:QRFGkWWD5gi/KCSU0qxyUoZRbt+BKgiCUXiTD1RO95w=
+k8s.io/controller-manager v0.30.3/go.mod h1:F95rjHCOH2WwV9XlVxRo71CtddKLhF3FzE+s1lc7E/0=
+k8s.io/csi-translation-lib v0.30.3 h1:wBaPWnOi14/vANRIrp8pmbdx/Pgz2QRcroH7wkodezc=
+k8s.io/csi-translation-lib v0.30.3/go.mod h1:3AizNZbDttVDH1RO0x1yGEQP74e9Xbfb60IBP1oWO1o=
+k8s.io/dynamic-resource-allocation v0.30.3 h1:49aLgEhknKF8gPVhsquJ3ylOnfC8ddxnqVP6y3T+hkM=
+k8s.io/dynamic-resource-allocation v0.30.3/go.mod h1:Dj7OzA3pYT/OfN9PvuYt9CH5e5KcjKBRAik8XeG0nB8=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kms v0.30.2 h1:VSZILO/tkzrz5Tu2j+yFQZ2Dc5JerQZX2GqhFJbQrfw=
-k8s.io/kms v0.30.2/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
-k8s.io/kube-aggregator v0.30.2 h1:0+yk/ED6foCprY8VmkDPUhngjaAPKsNTXB/UrtvbIz0=
-k8s.io/kube-aggregator v0.30.2/go.mod h1:EhqCfDdxysNWXk1wRL9SEHAdo1DKl6EULQagztkBcXE=
+k8s.io/kms v0.30.3 h1:NLg+oN45S2Y3U0WiLRzbS61AY/XrS5JBMZp531Z+Pho=
+k8s.io/kms v0.30.3/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
+k8s.io/kube-aggregator v0.30.3 h1:hy5zfQ7p6BuJgc/XtGp3GBh2MPfOj6b1n3raKKMHOQE=
+k8s.io/kube-aggregator v0.30.3/go.mod h1:2SP0IckvQoOwwZN8lmtWUnTZTgIpwOWvidWtxyqLwuk=
 k8s.io/kube-openapi v0.0.0-20240709000822-3c01b740850f h1:2sXuKesAYbRHxL3aE2PN6zX/gcJr22cjrsej+W784Tc=
 k8s.io/kube-openapi v0.0.0-20240709000822-3c01b740850f/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc=
-k8s.io/kubelet v0.30.2 h1:Ck4E/pHndI20IzDXxS57dElhDGASPO5pzXF7BcKfmCY=
-k8s.io/kubelet v0.30.2/go.mod h1:DSwwTbLQmdNkebAU7ypIALR4P9aXZNFwgRmedojUE94=
-k8s.io/kubernetes v1.30.2 h1:11WhS78OYX/lnSy6TXxPO6Hk+E5K9ZNrEsk9JgMSX8I=
-k8s.io/kubernetes v1.30.2/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0=
-k8s.io/legacy-cloud-providers v0.30.2 h1:RfMtmbAPvTn7+nkHRWXpGeaif4x7VBOU2SAZ2BdFEdI=
-k8s.io/legacy-cloud-providers v0.30.2/go.mod h1:Y3vTBCDw/A42HIwMBoVMpLv3hP5WewjUj8F6zYrO0Ug=
-k8s.io/mount-utils v0.30.2 h1:2KDVY9hXyDyRw9EO4lmox4+Nn5atVOq+4ffZ/br2aAU=
-k8s.io/mount-utils v0.30.2/go.mod h1:9sCVmwGLcV1MPvbZ+rToMDnl1QcGozy+jBPd0MsQLIo=
-k8s.io/pod-security-admission v0.30.2 h1:UlHnkvvOr+rgQplOqD+SHzLUF8EgKIOCpDU8kaMeTQQ=
-k8s.io/pod-security-admission v0.30.2/go.mod h1:gMUJUG9zOgNBk0VIz5BS7uIYiYPEoXkBSeHh6rG2m8c=
+k8s.io/kubelet v0.30.3 h1:KvGWDdhzD0vEyDyGTCjsDc8D+0+lwRMw3fJbfQgF7ys=
+k8s.io/kubelet v0.30.3/go.mod h1:D9or45Vkzcqg55CEiqZ8dVbwP3Ksj7DruEVRS9oq3Ys=
+k8s.io/kubernetes v1.30.3 h1:A0qoXI1YQNzrQZiff33y5zWxYHFT/HeZRK98/sRDJI0=
+k8s.io/kubernetes v1.30.3/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0=
+k8s.io/legacy-cloud-providers v0.30.3 h1:6C50kKmsdKNTsQqfy8V6MTbQKlEkR1oJoeh+WrilM4w=
+k8s.io/legacy-cloud-providers v0.30.3/go.mod h1:VATC0a8MFqrTeVBCSYnMPhMP83bZA7vaMbE7eA8xSa8=
+k8s.io/mount-utils v0.30.3 h1:8Z3wSW5+GSvGNtlDhtoZrBCKLMIf5z/9tf8pie+G06s=
+k8s.io/mount-utils v0.30.3/go.mod h1:9sCVmwGLcV1MPvbZ+rToMDnl1QcGozy+jBPd0MsQLIo=
+k8s.io/pod-security-admission v0.30.3 h1:UDGZWR3ry/XrN/Ki/w7qrp49OwgQsKyh+6xWbexvJi8=
+k8s.io/pod-security-admission v0.30.3/go.mod h1:T1EQSOLl9YyDMnXNJfsq2jeci6uoymY0mrRkkKihd98=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

hack/compose/docker-compose.yml

@@ -30,10 +30,6 @@ services:
         - DEEPCOPY_VERSION=${DEEPCOPY_VERSION:?error}
         - TESTPKGS=${TESTPKGS:?error}
         - GO_LDFLAGS=${GO_LDFLAGS}
-    environment:
-      - VAULT_ADDR=http://127.0.0.1:8200
-      - VAULT_TOKEN=dev-o-token
-      - SIDEROLINK_DEV_JOIN_TOKEN=w7uVuW3zbVKIYQuzEcyetAHeYMeo5q2L9RvkAVfCfSCD
 
 volumes:
   state:

internal/pkg/machine/controllers/apid.go

@@ -14,6 +14,7 @@ import (
 	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/siderolabs/gen/optional"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 	"github.com/siderolabs/talos/pkg/machinery/resources/secrets"
 	"github.com/siderolabs/talos/pkg/machinery/resources/v1alpha1"
@@ -50,6 +51,12 @@ func (ctrl *APIDController) Inputs() []controller.Input {
 			Type:      secrets.APIType,
 			Kind:      controller.InputWeak,
 		},
+		{
+			Namespace: config.NamespaceName,
+			ID:        optional.Some(config.V1Alpha1ID),
+			Type:      config.MachineConfigType,
+			Kind:      controller.InputWeak,
+		},
 		{
 			Namespace: talos.NamespaceName,
 			ID:        optional.Some(talos.RebootID),
@@ -136,11 +143,24 @@ func (ctrl *APIDController) reconcile(ctx context.Context, r controller.Runtime,
 		return err
 	}
 
+	config, err := safe.ReaderGetByID[*config.MachineConfig](ctx, r, config.V1Alpha1ID)
+	if err != nil && !state.IsNotFoundError(err) {
+		return err
+	}
+
 	insecure := (apiCerts == nil)
 
 	running = true
 	healthy = true
 
+	if insecure && config != nil {
+		logger.Info("the machine is configured but the certs are not ready yet")
+
+		ctrl.address = netip.Prefix{}
+
+		return ctrl.APID.Stop()
+	}
+
 	if ctrl.address == address && ctrl.insecure == insecure {
 		return nil
 	}

internal/pkg/machine/controllers/reboot_status.go

@@ -33,7 +33,7 @@ func NewRebootStatusController() *RebootStatusController {
 			TransformFunc: func(_ context.Context, _ controller.Reader, _ *zap.Logger, reboot *talos.Reboot, _ *talos.RebootStatus) error {
 				rebootEndTime := reboot.Metadata().Updated().Add(reboot.TypedSpec().Value.Downtime.AsDuration())
 				if time.Now().Before(rebootEndTime) {
-					return controller.NewRequeueInterval(time.Since(rebootEndTime))
+					return controller.NewRequeueInterval(time.Until(rebootEndTime))
 				}
 
 				return xerrors.NewTaggedf[qtransform.DestroyOutputTag]("reboot done")

internal/pkg/machine/controllers/static_pods.go

@@ -103,7 +103,7 @@ func (ctrl *StaticPodController) Run(ctx context.Context, r controller.Runtime,
 	}
 }
 
-//nolint:gocognit,cyclop,gocyclo
+//nolint:gocognit,cyclop,gocyclo,maintidx
 func (ctrl *StaticPodController) reconcile(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
 	ctx, cancel := context.WithTimeout(ctx, time.Second*5)
 	defer cancel()
@@ -294,6 +294,20 @@ func (ctrl *StaticPodController) reconcile(ctx context.Context, r controller.Run
 		}
 
 		logger.Info("created static pod", zap.String("name", pod.Name))
+
+		query := metav1.ListOptions{
+			LabelSelector: fmt.Sprintf("%s!=%s,%s=%s",
+				inputVersionLabel, nodenameVersion,
+				machineIDLabel, ctrl.MachineID,
+			),
+		}
+
+		err = client.CoreV1().Pods(ns).DeleteCollection(ctx, metav1.DeleteOptions{
+			GracePeriodSeconds: pointer.To[int64](0),
+		}, query)
+		if err != nil {
+			return err
+		}
 	}
 
 	return nil

internal/pkg/machine/events/events.go

@@ -9,6 +9,8 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
+	"sync"
 	"time"
 
 	"github.com/cosi-project/runtime/pkg/resource"
@@ -19,6 +21,7 @@ import (
 	"github.com/siderolabs/siderolink/api/events"
 	"github.com/siderolabs/talos/pkg/machinery/api/machine"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 	"github.com/siderolabs/talos/pkg/machinery/resources/v1alpha1"
 	"go.uber.org/zap"
@@ -29,7 +32,7 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	emuconst "github.com/siderolabs/talemu/internal/pkg/constants"
-	"github.com/siderolabs/talemu/internal/pkg/machine/network"
+	emunet "github.com/siderolabs/talemu/internal/pkg/machine/network"
 	"github.com/siderolabs/talemu/internal/pkg/machine/runtime/resources/talos"
 )
 
@@ -46,14 +49,44 @@ func NewHandler(ctx context.Context, st state.State, machineIndex int) (*Handler
 		return nil, err
 	}
 
+	var (
+		bindAddress *net.TCPAddr
+		mu          sync.Mutex
+	)
+
 	conn, err := grpc.NewClient(
 		config.TypedSpec().Endpoint,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithSharedWriteBuffer(true),
 		grpc.WithContextDialer(func(ctx context.Context, address string) (net.Conn, error) {
+			mu.Lock()
+			defer mu.Unlock()
+
 			var dialer net.Dialer
 
-			dialer.Control = network.BindToInterface(fmt.Sprintf("%s%d", constants.SideroLinkName, machineIndex))
+			if bindAddress == nil {
+				var addr *network.NodeAddress
+
+				addr, err = safe.ReaderGetByID[*network.NodeAddress](ctx, st, network.NodeAddressDefaultID)
+				if err != nil {
+					return nil, err
+				}
+
+				if len(addr.TypedSpec().Addresses) == 0 {
+					return nil, fmt.Errorf("failed to look up siderolink address")
+				}
+
+				siderolinkAddr := addr.TypedSpec().Addresses[0]
+
+				bindAddress = net.TCPAddrFromAddrPort(netip.AddrPortFrom(
+					siderolinkAddr.Addr(),
+					0,
+				))
+			}
+
+			dialer.LocalAddr = bindAddress
+
+			dialer.Control = emunet.BindToInterface(fmt.Sprintf("%s%d", constants.SideroLinkName, machineIndex))
 
 			return dialer.DialContext(ctx, "tcp", address)
 		}),

internal/pkg/machine/machine.go

@@ -76,7 +76,7 @@ func (m *Machine) Run(ctx context.Context, siderolinkParams *SideroLinkParams, m
 
 	m.logger = zap.New(core).With(zap.String("machine", m.uuid))
 
-	rt, err := truntime.NewRuntime(ctx, m.logger, machineIndex, m.globalState, kubernetes, logSink)
+	rt, err := truntime.NewRuntime(ctx, m.logger, machineIndex, m.uuid, m.globalState, kubernetes, logSink)
 	if err != nil {
 		return err
 	}

internal/pkg/machine/runtime/runtime.go

@@ -8,7 +8,6 @@ package runtime
 import (
 	"context"
 	"errors"
-	"fmt"
 	"io"
 	"os"
 	"path/filepath"
@@ -37,13 +36,11 @@ type Runtime struct {
 }
 
 // NewRuntime creates new runtime.
-func NewRuntime(ctx context.Context, logger *zap.Logger, machineIndex int, globalState state.State,
+func NewRuntime(ctx context.Context, logger *zap.Logger, machineIndex int, id string, globalState state.State,
 	kubernetes *kubefactory.Kubernetes, logSink *logging.ZapCore,
 ) (*Runtime, error) {
 	stateDir := filepath.Join("_out/state/machines", strconv.FormatInt(int64(machineIndex), 10))
 
-	id := fmt.Sprintf("machine-%d", machineIndex)
-
 	err := os.MkdirAll(stateDir, 0o664)
 	if err != nil && !errors.Is(err, os.ErrExist) {
 		return nil, err