m/c/metroctl: use TOFU CA for Kubernetes with node pinning hack

Now that we have a persisted CA certificate in metroctl, we can use it
when generating a kubeconfig to verify the cluster.

There's a catch though: the presented node certificates do not have any
'global' name (just per-node names), and we can't easily tell Kubernetes
to trust any name from a given CA. Thus, we introduce a hack to pin the
name of the node we're connecting to within the generated kubeconfig.

Change-Id: Iea6aa5c0012c793fcb42a94c3c9bf35ea5787ab1
Reviewed-on: https://review.monogon.dev/c/monogon/+/2744
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/test/launch/cli/launch-multi2/main.go b/metropolis/test/launch/cli/launch-multi2/main.go
index 141ad93..f174c98 100644
--- a/metropolis/test/launch/cli/launch-multi2/main.go
+++ b/metropolis/test/launch/cli/launch-multi2/main.go
@@ -53,7 +53,7 @@
}
configName := "launch-multi2"
- if err := metroctl.InstallKubeletConfig(mpath, cl.ConnectOptions(), configName, apiservers[0]); err != nil {
+ if err := metroctl.InstallKubeletConfig(ctx, mpath, cl.ConnectOptions(), configName, apiservers[0]); err != nil {
log.Fatalf("InstallKubeletConfig: %v", err)
}
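Review bot: The updated InstallKubeletConfig call still passes only apiservers[0], and per the commit message the name of the node being connected to is pinned inside the generated kubeconfig, so the installed "launch-multi2" config is tied to that single node's certificate name. A short comment at this call site stating that the config is bound to the first API server would save the next reader from discovering it through a TLS name mismatch. The hunk also does not show why the function now needs a context, so the doc comment on InstallKubeletConfig should say what ctx is used for and whether cancelling it can leave a partially written config behind.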