initserver: add client verification

cli/internal/terraform/terraform/qemu/main.tf

@@ -24,6 +24,11 @@ provider "docker" {
   }
 }
 
+resource "random_password" "initSecret" {
+  length           = 32
+  special          = true
+  override_special = "_%@"
+}
 resource "docker_image" "qemu_metadata" {
   name         = var.metadata_api_image
   keep_locally = true
@@ -39,6 +44,8 @@ resource "docker_container" "qemu_metadata" {
     "${var.name}-network",
     "--libvirt-uri",
     "${var.metadata_libvirt_uri}",
+    "--initsecrethash",
+    "${random_password.initSecret.bcrypt_hash}",
   ]
   mounts {
     source = abspath(var.libvirt_socket_path)
@@ -47,6 +54,8 @@ resource "docker_container" "qemu_metadata" {
   }
 }
 
+
+
 module "control_plane" {
   source          = "./modules/instance_group"
   role            = "control-plane"

cli/internal/terraform/terraform/qemu/outputs.tf

@@ -1,3 +1,8 @@
 output "ip" {
   value = module.control_plane.instance_ips[0]
 }
+
+output "initSecret" {
+  value     = random_password.initSecret.result
+  sensitive = true
+}