Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 568c38c74f95612fc3c236539b037ebe490302ee^! / . / metropolis / cli / metroctl / cmd_k8s_configure.go
commit568c38c74f95612fc3c236539b037ebe490302ee[log] [tgz]
authorSerge Bazanski <serge@monogon.tech>Mon Feb 05 14:40:39 2024 +0100
committerSerge Bazanski <serge@monogon.tech>Thu Feb 08 11:10:07 2024 +0000
tree8380bdc8956c3843cce7fae9cf4c700576d22d87
parent7eeef0f448a4ec1737e2e63961f24f51eec5deae [diff] [blame]
m/c/metroctl: use TOFU CA for Kubernetes with node pinning hack

Now that we have a persisted CA certificate in metroctl, we can use it
when generating a kubeconfig to verify the cluster.

There's a catch though: the presented node certificates do not have any
'global' name (just per-node names), and we can't easily tell Kubernetes
to trust any name from a given CA. Thus, we introduce a hack to pin the
name of the node we're connecting to within the generated kubeconfig.

Change-Id: Iea6aa5c0012c793fcb42a94c3c9bf35ea5787ab1
Reviewed-on: https://review.monogon.dev/c/monogon/+/2744
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI

diff --git a/metropolis/cli/metroctl/cmd_k8s_configure.go b/metropolis/cli/metroctl/cmd_k8s_configure.go
index 0e24767..4b29fb0 100644
--- a/metropolis/cli/metroctl/cmd_k8s_configure.go
+++ b/metropolis/cli/metroctl/cmd_k8s_configure.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"log"
 	"os"
 	"os/exec"
@@ -8,6 +9,7 @@
 	"github.com/spf13/cobra"
 
 	"source.monogon.dev/metropolis/cli/metroctl/core"
+	clicontext "source.monogon.dev/metropolis/cli/pkg/context"
 )
 
 var k8sCommand = &cobra.Command{
@@ -26,6 +28,7 @@
 }
 
 func doK8sConfigure(cmd *cobra.Command, _ []string) {
+	ctx := clicontext.WithInterrupt(context.Background())
 	if len(flags.clusterEndpoints) < 1 {
 		log.Fatalf("k8s configure requires at least one cluster endpoint to be provided with the --endpoints parameter.")
 	}
@@ -43,7 +46,7 @@
 	// TODO(q3k, issues/144): this only works as long as all nodes are kubernetes controller
 	// nodes. This won't be the case for too long. Figure this out.
 	configName := "metroctl"
-	if err := core.InstallKubeletConfig(metroctlPath, connectOptions(), configName, flags.clusterEndpoints[0]); err != nil {
+	if err := core.InstallKubeletConfig(ctx, metroctlPath, connectOptions(), configName, flags.clusterEndpoints[0]); err != nil {
 		log.Fatalf("Failed to install metroctl/k8s integration: %v", err)
 	}
 	log.Printf("Success! kubeconfig is set up. You can now run kubectl --context=%s ... to access the Kubernetes cluster.", configName)