From e048079fa6cd767c580f1446034efcb1d12e631e Mon Sep 17 00:00:00 2001
From: Philipp
Date: Sat, 28 Mar 2026 23:14:57 +0100
Subject: [PATCH] fix: persist a durable kubeconfig after bootstrap
---
 scripts/hetzner/bootstrap.sh | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/scripts/hetzner/bootstrap.sh b/scripts/hetzner/bootstrap.sh
index 7996c5f..534a30b 100755
--- a/scripts/hetzner/bootstrap.sh
+++ b/scripts/hetzner/bootstrap.sh
@@ -385,6 +385,32 @@ else
 done
 fi
+DURABLE_K3S_API_URL="$K3S_API_URL"
+DURABLE_INSECURE_SKIP_TLS_VERIFY=0
+if [[ "$USE_SSH_TUNNEL_FOR_K3S" == "1" ]]; then
+ if [[ -n "${TAILSCALE_CONTROL_PLANE_HOSTNAME:-}" ]]; then
+ DURABLE_K3S_API_URL="https://${TAILSCALE_CONTROL_PLANE_HOSTNAME}:6443"
+ elif [[ "$TF_ADMIN_CIDR_BLOCKS" != '[]' ]]; then
+ DURABLE_K3S_API_URL="https://${SERVER_IP}:6443"
+ DURABLE_INSECURE_SKIP_TLS_VERIFY=1
+ fi
+fi
+python3 - "$KUBECONFIG_PATH" "$DURABLE_K3S_API_URL" "$DURABLE_INSECURE_SKIP_TLS_VERIFY" <<'PY'
+import sys
+import yaml
+path, server, insecure = sys.argv[1], sys.argv[2], sys.argv[3] == '1'
+config = yaml.safe_load(open(path))
+cluster = config['clusters'][0]['cluster']
+cluster['server'] = server
+if insecure:
+ cluster.pop('certificate-authority-data', None)
+ cluster['insecure-skip-tls-verify'] = True
+else:
+ cluster.pop('insecure-skip-tls-verify', None)
+yaml.safe_dump(config, open(path, 'w'), sort_keys=False)
+PY
+K3S_API_URL="$DURABLE_K3S_API_URL"
+
 echo "bootstrap complete"
 echo "project_name=$PROJECT_NAME"
 echo "project_namespace=$PROJECT_NAMESPACE"
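Review bot: The `elif` fallback for `TF_ADMIN_CIDR_BLOCKS` persists a kubeconfig that drops `certificate-authority-data` and sets `insecure-skip-tls-verify: true`, so every later client call to `https://${SERVER_IP}:6443` accepts any server certificate for as long as that file is in use. Presumably this is there because the k3s serving certificate does not list the public IP (the install step is outside the hunk). If so, keep the CA and either add the IP as a SAN at install time or replace the two lines under `if insecure:` with `cluster['tls-server-name'] = '<SAN_ALREADY_IN_SERVER_CERT>'` (placeholder). If the skip has to stay, make it visible from the shell branch, e.g. `echo "warning: durable kubeconfig disables TLS verification" >&2`. Separately, `yaml.safe_dump(config, open(path, 'w'), ...)` truncates the only copy before writing and never closes the handle, so a failed dump leaves a broken kubeconfig; writing to a temporary file and renaming it over `path` would avoid that.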