m/c/metroctl: use TOFU CA for Kubernetes with node pinning hack
Now that we have a persisted CA certificate in metroctl, we can use it
when generating a kubeconfig to verify the cluster.
There's a catch though: the presented node certificates do not have any
'global' name (just per-node names), and we can't easily tell Kubernetes
to trust any name from a given CA. Thus, we introduce a hack to pin the
name of the node we're connecting to within the generated kubeconfig.
Change-Id: Iea6aa5c0012c793fcb42a94c3c9bf35ea5787ab1
Reviewed-on: https://review.monogon.dev/c/monogon/+/2744
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/cli/metroctl/cmd_takeownership.go b/metropolis/cli/metroctl/cmd_takeownership.go
index 2a93b57..18ad367 100644
--- a/metropolis/cli/metroctl/cmd_takeownership.go
+++ b/metropolis/cli/metroctl/cmd_takeownership.go
@@ -87,7 +87,7 @@
// TODO(q3k, issues/144): this only works as long as all nodes are kubernetes controller
// nodes. This won't be the case for too long. Figure this out.
configName := "metroctl"
- if err := core.InstallKubeletConfig(metroctlPath, connectOptions(), configName, flags.clusterEndpoints[0]); err != nil {
+ if err := core.InstallKubeletConfig(ctx, metroctlPath, connectOptions(), configName, flags.clusterEndpoints[0]); err != nil {
log.Fatalf("Failed to install metroctl/k8s integration: %v", err)
}
log.Printf("Success! kubeconfig is set up. You can now run kubectl --context=%s ... to access the Kubernetes cluster.", configName)
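Review bot: the `ctx` now passed as the first argument to `core.InstallKubeletConfig` on the `+` line is not declared in any of the hunk's context lines, so please confirm it is a `context.Context` already in scope in this function (the hunk header gives no hint) and, if it is not, derive one before the call. Separately, the commit message says the generated kubeconfig pins the certificate name of the single node reached via `flags.clusterEndpoints[0]`, but neither that limitation nor its connection to the existing `TODO(q3k, issues/144)` comment is visible here; extending that comment to record the pinning hack, and having the `log.Printf("Success! ...")` line tell the user which endpoint the kubeconfig is pinned to, would make the limitation discoverable by whoever picks up issues/144.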