From a66ae788f6cfaf3ab88c04ae84eb3946aa0b374c Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Tue, 3 Mar 2026 08:55:22 +0000
Subject: [PATCH] fix: run Cilium install with sudo and explicit kubeconfig

Use sudo for helm/kubectl on cp-1 and pass /etc/kubernetes/admin.conf so controller can install Cilium without permission errors.
---
 nixos/kubeadm/bootstrap/controller.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/nixos/kubeadm/bootstrap/controller.py b/nixos/kubeadm/bootstrap/controller.py
index f758d42..0c7b393 100755
--- a/nixos/kubeadm/bootstrap/controller.py
+++ b/nixos/kubeadm/bootstrap/controller.py
@@ -316,12 +316,12 @@ class Controller:
             self.log("CNI install already complete")
             return
         self.log("Installing or upgrading Cilium")
-        self.remote(self.primary_ip, "helm repo add cilium https://helm.cilium.io >/dev/null 2>&1 || true")
-        self.remote(self.primary_ip, "helm repo update >/dev/null")
-        self.remote(self.primary_ip, "kubectl create namespace kube-system >/dev/null 2>&1 || true")
+        self.remote(self.primary_ip, "sudo helm repo add cilium https://helm.cilium.io >/dev/null 2>&1 || true")
+        self.remote(self.primary_ip, "sudo helm repo update >/dev/null")
+        self.remote(self.primary_ip, "sudo kubectl --kubeconfig /etc/kubernetes/admin.conf create namespace kube-system >/dev/null 2>&1 || true")
         self.remote(
             self.primary_ip,
-            "helm upgrade --install cilium cilium/cilium --namespace kube-system --set kubeProxyReplacement=true",
+            "sudo KUBECONFIG=/etc/kubernetes/admin.conf helm upgrade --install cilium cilium/cilium --namespace kube-system --set kubeProxyReplacement=true",
         )
         self.mark_done("cni_installed")