metroctl: use persisted CA certificate for node connections

After the TOFU change (review/2744 and friends), we can now use the
persisted CA certificate (or a CA certificate from TOFU) when connecting
to node services.

Change-Id: I103b558f4f7a3087f1f27fdc4ee7f7e2ec03a981
Reviewed-on: https://review.monogon.dev/c/monogon/+/2769
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/cli/metroctl/cmd_node_logs.go b/metropolis/cli/metroctl/cmd_node_logs.go
index a04558c..36ec3de 100644
--- a/metropolis/cli/metroctl/cmd_node_logs.go
+++ b/metropolis/cli/metroctl/cmd_node_logs.go
@@ -1,7 +1,6 @@
 package main
 
 import (
-	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
@@ -79,14 +78,9 @@
 			return fmt.Errorf("node has no external address")
 		}
 
-		// TODO(q3k): save CA certificate on takeover
-		info, err := mgmt.GetClusterInfo(ctx, &api.GetClusterInfoRequest{})
+		cacert, err := core.GetClusterCAWithTOFU(ctx, connectOptions())
 		if err != nil {
-			return fmt.Errorf("couldn't get cluster info: %w", err)
-		}
-		cacert, err := x509.ParseCertificate(info.CaCertificate)
-		if err != nil {
-			return fmt.Errorf("remote CA certificate invalid: %w", err)
+			return fmt.Errorf("could not get CA certificate: %w", err)
 		}
 
 		fmt.Printf("=== Logs from %s (%s):\n", n.Id, n.Status.ExternalAddress)
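Review bot: The new `core.GetClusterCAWithTOFU(ctx, connectOptions())` call has no comment saying where `cacert` comes from, and the removed TODO was the only hint about the trust model at this point. I would add above it `// Cluster CA used to verify node connections: the locally persisted one, or one accepted via TOFU on first use.` so a reader knows that first-run trust rests on the TOFU step rather than on a pre-provisioned certificate. The call also sits after the per-node external-address check, so if this block runs once per node (the enclosing function starts and ends outside the hunk), the lookup is presumably repeated for each node. Resolving the CA once before that point would keep any TOFU step to a single occurrence and make a CA failure surface before any node's logs are printed.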