Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / c51d47d2b9990eb2196f5790f85895987f67daf4^! / . / metropolis / cli / metroctl / cmd_node.go
commitc51d47d2b9990eb2196f5790f85895987f67daf4[log] [tgz]
authorSerge Bazanski <serge@monogon.tech>Tue Feb 13 18:40:26 2024 +0100
committerSerge Bazanski <serge@monogon.tech>Wed Feb 14 11:44:08 2024 +0000
treed9264dfb89d98f993d7c243484b3f36039c15e35
parent9c4bece001c15d6ae4793016b2e3854627b2164c [diff] [blame]
metroctl: use persisted CA certificate for node connections

After the TOFU change (review/2744 and friends), we can now use the
persisted CA certificate (or a CA certificate from TOFU) when connecting
to node services.

Change-Id: I103b558f4f7a3087f1f27fdc4ee7f7e2ec03a981
Reviewed-on: https://review.monogon.dev/c/monogon/+/2769
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

diff --git a/metropolis/cli/metroctl/cmd_node.go b/metropolis/cli/metroctl/cmd_node.go
index a2946bf..a582f02 100644
--- a/metropolis/cli/metroctl/cmd_node.go
+++ b/metropolis/cli/metroctl/cmd_node.go

@@ -2,7 +2,6 @@
 
 import (
 	"context"
-	"crypto/x509"
 	"fmt"
 	"io"
 	"log"
@@ -94,17 +93,13 @@
 		}
 
 		ctx := clicontext.WithInterrupt(context.Background())
-		mgmt := apb.NewManagementClient(dialAuthenticated(ctx))
 
-		// TODO(q3k): save CA certificate on takeover
-		info, err := mgmt.GetClusterInfo(ctx, &apb.GetClusterInfoRequest{})
+		cacert, err := core.GetClusterCAWithTOFU(ctx, connectOptions())
 		if err != nil {
-			return fmt.Errorf("couldn't get cluster info: %w", err)
+			return fmt.Errorf("could not get CA certificate: %w", err)
 		}
-		cacert, err := x509.ParseCertificate(info.CaCertificate)
-		if err != nil {
-			return fmt.Errorf("remote CA certificate invalid: %w", err)
-		}
+
+		mgmt := apb.NewManagementClient(dialAuthenticated(ctx))
 
 		nodes, err := core.GetNodes(ctx, mgmt, "")
 		if err != nil {