feat(talos): ensure deterministic config generation with secrets

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.1.2] - 2025-08-31
+
+### Fixed
+- `TalosCluster::genConfigWithSecrets()` now invokes `talosctl gen config` with `--with-secrets` using a temporary secrets YAML, ensuring deterministic config generation when reusing the same `TalosSecrets`. The method still applies the patch from `TalosSecrets::toPatch()` idempotently after generation.
+
+### Tests
+- Added `tests/Feature/InMemoryDeterminismWithSecretsTest.php` to verify that generating in memory twice with the same secrets yields identical YAML and that `--with-secrets` is passed through.
+
+### Notes
+- No public API changes. README remains accurate; secrets workflow and usage stay the same.
+
 ## [1.1.1] - 2025-08-30
 
 ### Fixed

src/TalosCluster.php

@@ -244,14 +244,30 @@ public function genTalosconfig(string $cluster, string $endpoint, array $flags =
     /** @param array<int|string, string|bool> $flags */
     public function genConfigWithSecrets(string $cluster, string $endpoint, string $outputDir, TalosSecrets $secrets, array $flags = []): string
     {
-        $dir = $this->genConfig($cluster, $endpoint, $outputDir, $flags);
-        $patch = $secrets->toPatch();
-        if ($patch !== []) {
-            $this->patchYaml($dir.'/controlplane.yaml', $patch);
-            $this->patchYaml($dir.'/worker.yaml', $patch);
-        }
+        // Write secrets to a temporary YAML file and pass via --with-secrets so
+        // talosctl derives all inlined values deterministically from these secrets.
+        $tmpSecrets = mb_rtrim(sys_get_temp_dir(), '/').'/talos-secrets-'.uniqid().'.yaml';
+        @mkdir(dirname($tmpSecrets), 0775, true);
+        file_put_contents($tmpSecrets, $secrets->toYaml());
+
+        try {
+            // Merge existing flags with --with-secrets
+            $flagsWithSecrets = $flags;
+            $flagsWithSecrets['--with-secrets'] = $tmpSecrets;
+
+            $dir = $this->genConfig($cluster, $endpoint, $outputDir, $flagsWithSecrets);
+
+            // Idempotent: keep patch step in case callers rely on partial patches.
+            $patch = $secrets->toPatch();
+            if ($patch !== []) {
+                $this->patchYaml($dir.'/controlplane.yaml', $patch);
+                $this->patchYaml($dir.'/worker.yaml', $patch);
+            }
 
-        return $dir;
+            return $dir;
+        } finally {
+            @unlink($tmpSecrets);
+        }
     }
 
     /** @param  array<int, string>  $args

tests/Feature/InMemoryDeterminismWithSecretsTest.php

@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+use ArioLabs\Talos\Builders\ClusterBuilder;
+use ArioLabs\Talos\TalosCluster;
+use ArioLabs\Talos\TalosSecrets;
+use Tests\Fakes\ProcessRunnerWritingFake;
+
+it('generates identical YAML on repeated in-memory runs with same secrets', function (): void {
+    $runner = new ProcessRunnerWritingFake();
+    $talos = new TalosCluster($runner);
+
+    $builder = new ClusterBuilder($talos, 'demo', 'https://10.0.0.1:6443');
+
+    // Fixed secrets payload we expect to drive deterministic generation
+    $secrets = TalosSecrets::fromArray([
+        'cluster' => [
+            'id' => 'static-cluster-id',
+            'secret' => 'static-cluster-secret',
+        ],
+        'machine' => [
+            'ca' => [
+                'crt' => 'CERTDATA',
+                'key' => 'KEYDATA',
+            ],
+        ],
+    ]);
+
+    // First generation
+    $configs1 = $builder
+        ->secrets($secrets)
+        ->generateInMemory();
+
+    // Second generation with same builder/secrets
+    $configs2 = $builder->generateInMemory();
+
+    // Ensure we passed secrets through to talosctl via --with-secrets
+    $firstArgs = $runner->calls[0] ?? [];
+    $hasWithSecrets = false;
+    foreach ($firstArgs as $arg) {
+        if (is_string($arg) && str_starts_with($arg, '--with-secrets=')) {
+            $hasWithSecrets = true;
+            break;
+        }
+    }
+    expect($hasWithSecrets)->toBeTrue();
+
+    // Deterministic: resulting YAML strings are identical between runs
+    expect($configs1->controlplane())->toBe($configs2->controlplane());
+    expect($configs1->worker())->toBe($configs2->worker());
+});