Fix host KUBECONFIG leakage in VM bootstrap and tunnel scripts

Paul Harkink 2026-02-28 19:00:15 +01:00
parent 71c1f79f6f
commit 4d77c82012
5 changed files with 11 additions and 6 deletions


@ -11,7 +11,7 @@ if ($status -notmatch ',state,running') {
}
Write-Host '[ops-demo] Ensuring VM-side port-forward is running...'
vagrant ssh -c "pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443' >/dev/null || nohup kubectl -n argocd port-forward svc/argocd-server 8080:443 >/tmp/argocd-port-forward.log 2>&1 &" | Out-Null
vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443' >/dev/null || nohup kubectl -n argocd port-forward svc/argocd-server 8080:443 >/tmp/argocd-port-forward.log 2>&1 &" | Out-Null
Write-Host '[ops-demo] Opening SSH tunnel localhost:8080 -> VM:8080'
Write-Host '[ops-demo] Keep this terminal open while using https://localhost:8080'
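Review bot: The `pgrep -f ... ||` guard on the new `vagrant ssh -c` line still short-circuits when a port-forward from an earlier run is alive, so a `kubectl` process started with the inherited host KUBECONFIG keeps running and the added `export` never applies to it. The identical line in the shell tunnel script has the same gap. Either restart the forward unconditionally, or add a comment such as `# A port-forward started before this fix keeps its old KUBECONFIG; stop it once inside the VM before re-running.` so users know a one-time cleanup is needed.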


@ -17,7 +17,7 @@ if ! vagrant status --machine-readable | rg -q ',state,running'; then
fi
echo "[ops-demo] Ensuring VM-side port-forward is running..."
vagrant ssh -c "pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443' >/dev/null || nohup kubectl -n argocd port-forward svc/argocd-server 8080:443 >/tmp/argocd-port-forward.log 2>&1 &" >/dev/null
vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; pgrep -f 'kubectl -n argocd port-forward svc/argocd-server 8080:443' >/dev/null || nohup kubectl -n argocd port-forward svc/argocd-server 8080:443 >/tmp/argocd-port-forward.log 2>&1 &" >/dev/null
echo "[ops-demo] Opening SSH tunnel localhost:8080 -> VM:8080"
echo "[ops-demo] Keep this terminal open while using https://localhost:8080"


@ -16,7 +16,7 @@ Write-Host '[ops-demo] Checking VM status...'
Ensure-VagrantRunning
Write-Host '[ops-demo] Running bootstrap in VM...'
$output = vagrant ssh -c "cd /vagrant && ./scripts/bootstrap.sh" | Out-String
$output = vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; cd /vagrant && ./scripts/bootstrap.sh" | Out-String
Write-Host $output
$password = $null
@ -25,7 +25,7 @@ if ($output -match 'ArgoCD admin-wachtwoord:\s*(\S+)') {
}
if (-not $password) {
$fallback = vagrant ssh -c "kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d" | Out-String
$fallback = vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d" | Out-String
$password = $fallback.Trim()
}
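Review bot: The literal `export KUBECONFIG=/home/vagrant/.kube/config;` is now pasted into both `vagrant ssh -c` strings here, and into the shell wrapper and both tunnel scripts, with no comment saying why, so a later edit to any of these commands can silently drop the pin. Hoisting it once as `$vmEnv = 'export KUBECONFIG=/home/vagrant/.kube/config;'` under the comment `# vagrant ssh -c can inherit the host KUBECONFIG; pin the VM kubeconfig`, and calling `vagrant ssh -c "$vmEnv cd /vagrant && ./scripts/bootstrap.sh"`, keeps it in one place. If the leak comes from SSH environment forwarding (inferred; the Vagrantfile is not shown), turning that forwarding off would address the cause rather than each call site.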


@ -24,11 +24,11 @@ log_file="$(mktemp)"
trap 'rm -f "${log_file}"' EXIT
echo "[ops-demo] Running bootstrap in VM..."
vagrant ssh -c "cd /vagrant && ./scripts/bootstrap.sh" | tee "${log_file}"
vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; cd /vagrant && ./scripts/bootstrap.sh" | tee "${log_file}"
password="$(sed -n 's/.*ArgoCD admin-wachtwoord: //p' "${log_file}" | tail -n 1 | tr -d '\r')"
if [[ -z "${password}" ]]; then
password="$(vagrant ssh -c "kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d" 2>/dev/null | tr -d '\r')"
password="$(vagrant ssh -c "export KUBECONFIG=/home/vagrant/.kube/config; kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d" 2>/dev/null | tr -d '\r')"
fi
echo ""
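Review bot: On the fallback line the `2>/dev/null` now also discards the error kubectl prints when `/home/vagrant/.kube/config` is missing or unreadable, so a bad pin surfaces only as an empty `password` with no diagnostic. Because the override is unconditional in this wrapper, check the result right after the `fi`, for example `[[ -n "${password}" ]] || echo "[ops-demo] Could not read the ArgoCD admin password from the VM" >&2`. What the script does with `password` afterwards lies outside the hunk, so an existing check there may already cover this.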


@ -43,6 +43,11 @@ require_cmd git
require_cmd kubectl
require_cmd helm
# vagrant ssh -c can inherit host KUBECONFIG; force VM kubeconfig for safety.
if [[ -f /home/vagrant/.kube/config ]]; then
export KUBECONFIG=/home/vagrant/.kube/config
fi
if ! kubectl get nodes >/dev/null 2>&1; then
die "kubectl kan het cluster niet bereiken. Log in op de VM met 'vagrant ssh' en run het script vanaf /vagrant."
fi
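Review bot: The `[[ -f /home/vagrant/.kube/config ]]` guard fails open: when that file is absent, the inherited `KUBECONFIG` stays in effect, and whether `kubectl get nodes` then fails or reaches some other cluster depends on what the inherited path resolves to inside the VM. Adding an `else` branch with `unset KUBECONFIG` before the `fi` makes it fail closed, because kubectl then uses its default location and the existing `die` reports the unreachable cluster. The wrappers in this commit set the variable unconditionally, so this only matters when the script is started another way, but the comment above the guard promises to force the VM kubeconfig and the code should match it.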