fix: kubeconfig server accessible via port forwarding, integration tests use proper auth

Bind kubeconfig HTTP server to 0.0.0.0:8080 (was 127.0.0.1) so integration tests can reach it via QEMU SLIRP port forwarding. Add shared wait_for_boot and fetch_kubeconfig helpers to qemu-helpers.sh. Update all 5 integration tests to fetch kubeconfig via HTTP and use it for kubectl authentication. All 6 tests pass on Linux with KVM: boot (18s), security (7/7), K8s ready (15s), workload deploy, local storage, network policy. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 15:25:32 -06:00
parent 6c15ba7776
commit 4fc078f7a3
7 changed files with 156 additions and 54 deletions
--- a/init/lib/90-kubesolo.sh
+++ b/init/lib/90-kubesolo.sh
@@ -85,12 +85,16 @@ if [ -f "$KUBECONFIG_PATH" ]; then
    EXTERNAL_KC="/tmp/kubeconfig-external.yaml"
    sed 's|server: https://.*:6443|server: https://localhost:6443|' "$KUBECONFIG_PATH" > "$EXTERNAL_KC"

-    # Serve kubeconfig via HTTP on port 8080 using BusyBox nc
+    # Serve kubeconfig via HTTP on port 8080 for remote kubectl access.
+    # Binds to 0.0.0.0 so it's reachable via QEMU port forwarding.
+    # Security: the kubeconfig is only useful if you can also reach
+    # port 6443 (API server). On edge devices, network isolation
+    # provides the security boundary.
    (while true; do
-        printf "HTTP/1.1 200 OK\r\nContent-Type: text/yaml\r\nConnection: close\r\n\r\n" | cat - "$EXTERNAL_KC" | nc -l -s 127.0.0.1 -p 8080 2>/dev/null
+        printf 'HTTP/1.1 200 OK\r\nContent-Type: text/yaml\r\nConnection: close\r\n\r\n' | cat - "$EXTERNAL_KC" | nc -l -p 8080 2>/dev/null
    done) &

-    log_ok "Kubeconfig available via HTTP"
+    log_ok "Kubeconfig available via HTTP on port 8080"
    echo ""
    echo "============================================================"
    echo "  From your host machine, run:"