From 4d77c820123c26d9a2a6d219c6753d169bbde1b9 Mon Sep 17 00:00:00 2001
From: Paul Harkink
Date: Sat, 28 Feb 2026 19:00:15 +0100
Subject: [PATCH] Fix host KUBECONFIG leakage in VM bootstrap and tunnel scripts

---
 scripts/argocd-ui-tunnel.ps1 | 2 +-
 scripts/argocd-ui-tunnel.sh | 2 +-
 scripts/bootstrap-from-host.ps1 | 4 ++--
 scripts/bootstrap-from-host.sh | 4 ++--
 scripts/bootstrap.sh | 5 +++++
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/scripts/argocd-ui-tunnel.ps1 b/scripts/argocd-ui-tunnel.ps1
index 8e7bc7b..6827de7 100644
--- a/scripts/argocd-ui-tunnel.ps1
+++ b/scripts/argocd-ui-tunnel.ps1
@@ -11,7 +11,7 @@ if ($status -notmatch ',state,running') {
 }
 Write-Host '[ops-demo] Ensuring VM-side port-forward is running...'
-vagrant ssh -c "pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443' >/dev/null || nohup kubectl -n argocd port-forward svc/argocd-server 8080:443 >/tmp/argocd-port-forward.log 2>&1 &" | Out-Null
+vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443' >/dev/null || nohup kubectl -n argocd port-forward svc/argocd-server 8080:443 >/tmp/argocd-port-forward.log 2>&1 &" | Out-Null
 Write-Host '[ops-demo] Opening SSH tunnel localhost:8080 -> VM:8080'
 Write-Host '[ops-demo] Keep this terminal open while using https://localhost:8080'
diff --git a/scripts/argocd-ui-tunnel.sh b/scripts/argocd-ui-tunnel.sh
index 37ffd48..e8ed3e1 100755
--- a/scripts/argocd-ui-tunnel.sh
+++ b/scripts/argocd-ui-tunnel.sh
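Review bot: The guard `pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443'` on the new `+` line most likely matches the shell that `vagrant ssh -c` spawns to run this very command, because that shell's command line contains the same literal string and `pgrep` excludes only its own process; if so the check always reports the port-forward as running and the `nohup kubectl … &` branch never starts it. The usual remedy is a pattern that cannot match itself, `pgrep -f '[k]ubectl -n argocd port-forward svc/argocd-server 8080:443'`, or testing the listening socket instead of the process list. The same guard appears in the argocd-ui-tunnel.sh hunk that follows. A short comment on the new line stating that the forced `KUBECONFIG` is the VM's own file, not the host's, would also stop a reader from taking the path for a host path.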
@@ -17,7 +17,7 @@ if ! vagrant status --machine-readable | rg -q ',state,running'; then
 fi
 echo "[ops-demo] Ensuring VM-side port-forward is running..."
-vagrant ssh -c "pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443' >/dev/null || nohup kubectl -n argocd port-forward svc/argocd-server 8080:443 >/tmp/argocd-port-forward.log 2>&1 &" >/dev/null
+vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443' >/dev/null || nohup kubectl -n argocd port-forward svc/argocd-server 8080:443 >/tmp/argocd-port-forward.log 2>&1 &" >/dev/null
 echo "[ops-demo] Opening SSH tunnel localhost:8080 -> VM:8080"
 echo "[ops-demo] Keep this terminal open while using https://localhost:8080"
diff --git a/scripts/bootstrap-from-host.ps1 b/scripts/bootstrap-from-host.ps1
index 0cd4341..d9ff089 100644
--- a/scripts/bootstrap-from-host.ps1
+++ b/scripts/bootstrap-from-host.ps1
@@ -16,7 +16,7 @@ Write-Host '[ops-demo] Checking VM status...'
 Ensure-VagrantRunning
 Write-Host '[ops-demo] Running bootstrap in VM...'
-$output = vagrant ssh -c "cd /vagrant && ./scripts/bootstrap.sh" | Out-String
+$output = vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; cd /vagrant && ./scripts/bootstrap.sh" | Out-String
 Write-Host $output
 $password = $null
@@ -25,7 +25,7 @@ if ($output -match 'ArgoCD admin-wachtwoord:\s*(\S+)') {
 }
 if (-not $password) {
- $fallback = vagrant ssh -c "kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d" | Out-String
+ $fallback = vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d" | Out-String
 $password = $fallback.Trim()
 }
diff --git a/scripts/bootstrap-from-host.sh b/scripts/bootstrap-from-host.sh
index afbb69b..e73c721 100755
--- a/scripts/bootstrap-from-host.sh
+++ b/scripts/bootstrap-from-host.sh
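Review bot: `export KUBECONFIG=/home/vagrant/.kube/config;` is prepended unconditionally in both bootstrap-from-host.ps1 hunks (and again in the bootstrap-from-host.sh hunk), whereas bootstrap.sh in this same patch exports it only when the file exists, so when the file is missing the wrapper pins kubectl to a nonexistent path while the VM script would have fallen back to kubectl's default lookup; the two layers should agree on that failure mode. With bootstrap.sh now setting the variable itself, the prefix in the first hunk is redundant, and the copy that still matters is the fallback secret read in the second hunk. Hoisting the path once, `$vmKubeconfig = '/home/vagrant/.kube/config'`, and building both remote commands from it keeps the copies from drifting. The `if (-not $password)` block continues outside the hunk.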
@@ -24,11 +24,11 @@ log_file="$(mktemp)"
 trap 'rm -f "${log_file}"' EXIT
 echo "[ops-demo] Running bootstrap in VM..."
-vagrant ssh -c "cd /vagrant && ./scripts/bootstrap.sh" | tee "${log_file}"
+vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; cd /vagrant && ./scripts/bootstrap.sh" | tee "${log_file}"
 password="$(sed -n 's/.*ArgoCD admin-wachtwoord: //p' "${log_file}" | tail -n 1 | tr -d '\r')"
 if [[ -z "${password}" ]]; then
- password="$(vagrant ssh -c "kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d" 2>/dev/null | tr -d '\r')"
+ password="$(vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d" 2>/dev/null | tr -d '\r')"
 fi
 echo ""
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index fee2156..81f4d47 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -43,6 +43,11 @@ require_cmd git
 require_cmd kubectl
 require_cmd helm
+# vagrant ssh -c can inherit host KUBECONFIG; force VM kubeconfig for safety.
+if [[ -f /home/vagrant/.kube/config ]]; then
+ export KUBECONFIG=/home/vagrant/.kube/config
+fi
+
 if ! kubectl get nodes >/dev/null 2>&1; then
 die "kubectl kan het cluster niet bereiken. Log in op de VM met 'vagrant ssh' en run het script vanaf /vagrant."
 fi
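Review bot: The fallback on the new `+ password=…` line still discards kubectl's stderr with `2>/dev/null`, so after this change a missing or unreadable /home/vagrant/.kube/config yields an empty `${password}` with no diagnostic, indistinguishable from the secret not existing yet. Either drop the redirect so the error reaches the terminal, or fail explicitly afterwards: `[[ -n "${password}" ]] || { printf '%s\n' '[ops-demo] could not read argocd-initial-admin-secret' >&2; exit 1; }`. It is also worth a one-line comment above `tee "${log_file}"` that the temp file holds the admin password line the `sed` below extracts, which is why it must stay a `mktemp` file (private mode) and be removed by the EXIT trap at the top of the hunk. The exported path duplicates the one bootstrap.sh now sets for itself; see the note on the bootstrap-from-host.ps1 hunks.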
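Review bot: The new guard `if [[ -f /home/vagrant/.kube/config ]]` silently does nothing when the file is absent, so in exactly that case the inherited `KUBECONFIG` the comment warns about stays in effect and the following `kubectl get nodes` may reach whatever that variable points at instead of the VM cluster. An `else` branch that makes the situation explicit closes the gap, either `unset KUBECONFIG` so kubectl falls back to its default lookup, or `die "…"` (the helper used two lines below) since the file is expected to exist after provisioning. The path is also hardcoded rather than derived from `${HOME}`, which matters if the script is ever run under sudo; a comment stating the expected user (vagrant) would make that assumption visible. The comment asserts that `vagrant ssh -c` inherits the host `KUBECONFIG` but not how; naming the mechanism (a VM shell profile, SSH AcceptEnv, or similar) would help, since plain SSH does not forward client environment variables unless configured to.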