fix(applycheck): correct YAML field names against real Talos schema

Walker was using YAML keys I guessed from Talos doc strings, not
verified against the actual v1alpha1 struct tags. Two of them were
wrong, silently turning the walker into a no-op for the affected
document class:

  - BridgeConfig: tag is 'links' (BridgeLinks), I had 'ports'.
  - VLANConfig parent: tag is 'parent' (ParentLinkConfig), I had
    'link'.

Real-Talos consequence: BridgeConfig slaves were never validated;
VLANConfig parent was never validated. The unit tests passed only
because the fixture YAML mirrored my (wrong) guess.

Also adds HCloudVIPConfig (hcloud_vip.go LinkName 'yaml:link') to
the dispatch table; it has the same Layer2VIPConfig shape and
shares the handler.

New test TestWalkRefs_v1_12_RealTalosYAMLKeys pins each tag against
its struct definition so a future tag rename in machinery (or
another walker oversight) surfaces immediately.

Verified on the dev17 OCI cluster: BridgeConfig with a typoed
'missing-port' in .links[] now blocks; VLANConfig with a typoed
'ghost-parent' in .parent now blocks. Pre-fix both went silent.

Refs: #172
Signed-off-by: Aleksei Sviridkin <f@lex.la>

Author: lexfrei

pkg/applycheck/refs.go

@@ -172,11 +172,19 @@ var multidocHandlers = map[string]multidocHandler{
 	// BridgeConfig/VLANConfig below, which intentionally do NOT validate
 	// their own .name field — those names describe a virtual link being
 	// created by the apply, not an existing one to reference.
+	//
+	// YAML field names mirror Talos's v1alpha1 schema verbatim:
+	//
+	//   - bond.go BondLinks ->  `links`
+	//   - bridge.go BridgeLinks -> `links` (NOT `ports`)
+	//   - vlan.go ParentLinkConfig -> `parent` (NOT `link`)
+	//   - layer2_vip.go LinkName -> `link`
 	"LinkConfig":       handleNameOnly,
 	"BondConfig":       handleListOnly("links"),
 	"VLANConfig":       handleParentOnly,
-	"BridgeConfig":     handleListOnly("ports"),
+	"BridgeConfig":     handleListOnly("links"),
 	"Layer2VIPConfig":  handleLayer2VIP,
+	"HCloudVIPConfig":  handleLayer2VIP,
 	"UserVolumeConfig": handleUserVolume,
 }
 
@@ -208,14 +216,16 @@ func handleListOnly(listKey string) multidocHandler {
 
 // handleParentOnly emits only the parent reference of a VLAN doc, not
 // its own .name. The .name is the VLAN tag's child link name (a new
-// virtual link being created); the .link is the parent that must exist.
+// virtual link being created); the .parent is the parent that must
+// exist. The YAML key in v1alpha1 is `parent`, not `link`
+// (vlan.go ParentLinkConfig `yaml:"parent"`).
 func handleParentOnly(refs []Ref, doc map[string]any, basePath string) []Ref {
-	parent, ok := doc["link"].(string)
+	parent, ok := doc["parent"].(string)
 	if !ok || parent == "" {
 		return refs
 	}
 
-	return append(refs, Ref{Kind: RefKindLink, Name: parent, Source: basePath + ".link"})
+	return append(refs, Ref{Kind: RefKindLink, Name: parent, Source: basePath + ".parent"})
 }
 
 func handleLayer2VIP(refs []Ref, doc map[string]any, basePath string) []Ref {

pkg/applycheck/refs_test.go

@@ -57,7 +57,7 @@ addresses:
 apiVersion: v1alpha1
 kind: VLANConfig
 name: eth0.4000
-link: eth0
+parent: eth0
 vlanID: 4000
 ---
 apiVersion: v1alpha1
@@ -70,7 +70,7 @@ links:
 apiVersion: v1alpha1
 kind: BridgeConfig
 name: br0
-ports:
+links:
   - eth3
   - bond0
 ---
@@ -128,26 +128,26 @@ func TestWalkRefs_v1_12_ExtractsLinksFromMultidocAndDiskSelector(t *testing.T) {
 	// Walker emits only references to *existing* links, not names of
 	// virtual links being created by the apply. So:
 	//   - LinkConfig.name -> emitted (override of an existing physical NIC)
-	//   - VLANConfig.link -> emitted (the parent link must exist)
+	//   - VLANConfig.parent -> emitted (the parent link must exist)
 	//   - VLANConfig.name -> NOT emitted (the VLAN child is being created)
 	//   - BondConfig.links[] -> emitted (slave NICs must exist)
 	//   - BondConfig.name -> NOT emitted (the bond is being created)
-	//   - BridgeConfig.ports[] -> emitted (port NICs must exist)
+	//   - BridgeConfig.links[] -> emitted (port NICs must exist)
 	//   - BridgeConfig.name -> NOT emitted (the bridge is being created)
-	wantLinks := []string{"eth0" /* LinkConfig.name + VLANConfig.link parent */, "eth1", "eth2" /* BondConfig.links */, "eth3" /* BridgeConfig.ports */}
+	wantLinks := []string{"eth0" /* LinkConfig.name + VLANConfig.parent */, "eth1", "eth2" /* BondConfig.links */, "eth3" /* BridgeConfig.links */}
 	for _, name := range wantLinks {
 		if _, ok := findRef(refs, applycheck.RefKindLink, name); !ok {
 			t.Errorf("expected link ref for %q, got refs=%+v", name, refs)
 		}
 	}
 
 	// Names of virtual links being created must NOT surface (bond0 is
-	// a BondConfig.name + a BridgeConfig.ports[] entry; the .name path
-	// should not appear, only the .ports[] one. eth0.4000 is a
+	// a BondConfig.name + a BridgeConfig.links[] entry; the .name path
+	// should not appear, only the .links[] one. eth0.4000 is a
 	// VLANConfig.name with no other references — should not appear at
 	// all).
 	if _, ok := findRef(refs, applycheck.RefKindLink, "eth0.4000"); ok {
-		t.Errorf("VLANConfig.name (eth0.4000) leaked as a ref; only the .link parent should validate")
+		t.Errorf("VLANConfig.name (eth0.4000) leaked as a ref; only the .parent should validate")
 	}
 
 	// Layer2VIPConfig.link is a distinct ref site. Use a name that no other
@@ -197,6 +197,96 @@ func TestWalkRefs_EmptyInput_NoRefsNoError(t *testing.T) {
 	}
 }
 
+// TestWalkRefs_v1_12_RealTalosYAMLKeys pins the exact YAML field
+// names Talos's v1alpha1 schema uses (verified against
+// pkg/machinery/config/types/network/* in the cozystack/talos fork
+// v0.0.0-20260126122716):
+//
+//   - bond.go BondLinks `yaml:"links"`
+//   - bridge.go BridgeLinks `yaml:"links"` (NOT `ports`)
+//   - vlan.go ParentLinkConfig `yaml:"parent"` (NOT `link`)
+//   - layer2_vip.go LinkName `yaml:"link"`
+//   - hcloud_vip.go LinkName `yaml:"link"`
+//
+// Without this contract a renamed YAML key in machinery would
+// silently turn the walker into a no-op for the affected document
+// class and Phase 1 would stop catching typos in those refs. This
+// case was caught only by exercising a real cluster.
+func TestWalkRefs_v1_12_RealTalosYAMLKeys(t *testing.T) {
+	t.Parallel()
+
+	body := `apiVersion: v1alpha1
+kind: VLANConfig
+name: ens5.42
+parent: ens5
+vlanID: 42
+---
+apiVersion: v1alpha1
+kind: BridgeConfig
+name: br0
+links:
+  - ens6
+  - ens7
+---
+apiVersion: v1alpha1
+kind: BondConfig
+name: bond0
+links:
+  - ens8
+  - ens9
+---
+apiVersion: v1alpha1
+kind: Layer2VIPConfig
+name: 10.0.0.1
+link: bond0
+---
+apiVersion: v1alpha1
+kind: HCloudVIPConfig
+name: 10.0.0.2
+link: bond0
+`
+	refs, err := applycheck.WalkRefs([]byte(body))
+	if err != nil {
+		t.Fatalf("WalkRefs: %v", err)
+	}
+
+	want := []struct {
+		name   string
+		source string // suffix
+	}{
+		{"ens5", ".parent"},   // VLANConfig.parent (NOT .link)
+		{"ens6", ".links[0]"}, // BridgeConfig.links (NOT .ports)
+		{"ens7", ".links[1]"},
+		{"ens8", ".links[0]"}, // BondConfig.links
+		{"ens9", ".links[1]"},
+		{"bond0", ".link"}, // Layer2VIPConfig.link + HCloudVIPConfig.link
+	}
+
+	for _, w := range want {
+		var found bool
+
+		for _, r := range refs {
+			if r.Kind == applycheck.RefKindLink && r.Name == w.name && strings.HasSuffix(r.Source, w.source) {
+				found = true
+
+				break
+			}
+		}
+
+		if !found {
+			t.Errorf("expected link ref %q with source suffix %q, got refs=%+v", w.name, w.source, refs)
+		}
+	}
+
+	// Virtual-link names (the doc's own .name on VLAN/Bond/Bridge)
+	// must NOT surface as refs.
+	for _, fake := range []string{"ens5.42", "br0", "bond0"} {
+		if _, ok := findRef(refs, applycheck.RefKindLink, fake); ok && fake != "bond0" {
+			t.Errorf("name %q leaked as a ref; only existing-link refs should be emitted", fake)
+		}
+	}
+}
+
 // TestWalkRefs_AccidentalEncodings_Tolerated pins three real-world
 // shapes that come out of editors and unzipping operations: a UTF-8
 // BOM at the head of the file (common Windows artifact), CRLF line