fix: enable kubelet HTTP API with proper 501 responses for unsupported operations

The kubelet HTTPS listener on :10250 was never started because the VK
library's runHTTP() requires both TLSConfig and Handler to be set on
NodeConfig — neither was, so it silently exited on every startup.

This meant kubectl logs, kubectl exec, kubectl port-forward, and kubectl
attach all resulted in connection refused rather than a meaningful HTTP
error. Any metrics scraper hitting the kubelet endpoint also got nothing.

Changes:
- cmd/cisco-vk/run.go: generate a self-signed ECDSA TLS certificate at
  startup and set it on NodeConfig.TLSConfig so runHTTP() starts the
  listener. Build a custom PodHandlerConfig with nil for all unsupported
  operations (logs, exec, attach, port-forward, stats, metrics) so the
  VK library's built-in NotImplemented handler returns HTTP 501 instead
  of calling through to the provider stub and returning HTTP 500. Uses a
  closure pattern to wire the mux after the provider is created while
  satisfying the Handler requirement before NewNode() runs.
- internal/provider/provider.go: fix AttachToContainer to return a proper
  error instead of writing a hardcoded string and returning nil — the
  prior implementation kept streaming connections open indefinitely.

HTTP status codes after this change:
  GET  /pods                  → 200 (was: connection refused)
  GET  /containerLogs/...     → 501 Not Implemented (was: connection refused)
  POST /exec/...              → 501 Not Implemented (was: connection refused)
  POST /attach/...            → 501 Not Implemented (was: connection refused)
  POST /portForward/...       → 501 Not Implemented (was: connection refused)
  GET  /stats/summary         → 404 route not registered (was: connection refused)
  GET  /metrics/resource      → 404 route not registered (was: connection refused)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: cunningr-cisco

cmd/cisco-vk/run.go

@@ -16,12 +16,23 @@ package main
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
+	"math/big"
+	"net"
+	"net/http"
 	"os"
 	"os/signal"
 	"path"
 	"runtime"
 	"syscall"
+	"time"
 
 	"github.com/cisco/virtual-kubelet-cisco/internal/config"
 	"github.com/cisco/virtual-kubelet-cisco/internal/drivers"
@@ -31,10 +42,13 @@ import (
 	"github.com/virtual-kubelet/virtual-kubelet/log"
 	"github.com/virtual-kubelet/virtual-kubelet/log/logrus"
 	"github.com/virtual-kubelet/virtual-kubelet/node"
+	"github.com/virtual-kubelet/virtual-kubelet/node/api"
 	"github.com/virtual-kubelet/virtual-kubelet/node/nodeutil"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/apimachinery/pkg/labels"
 )
 
 // Interface Guards
@@ -192,12 +206,33 @@ func runVirtualKubelet(cmd *cobra.Command, args []string) error {
 	}
 	effectiveNodeName = provider.GetNodeName(effectiveNodeName, appCfg.Device.Address)
 
+	tlsCfg, err := generateSelfSignedTLS(appCfg.Device.Address)
+	if err != nil {
+		return fmt.Errorf("failed to generate TLS config for kubelet API: %w", err)
+	}
+
+	// innerHandler is set inside newProviderFunc (after the provider is created) and
+	// read by the handlerWrapper below. This closure pattern lets us satisfy the
+	// NodeConfig.Handler requirement before the provider exists, while still wiring
+	// the real mux once the provider is available.
+	var innerHandler http.Handler
+
+	handlerWrapper := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if innerHandler != nil {
+			innerHandler.ServeHTTP(w, r)
+			return
+		}
+		http.Error(w, "provider not yet initialised", http.StatusServiceUnavailable)
+	})
+
 	opts := []nodeutil.NodeOpt{
 		nodeutil.WithNodeConfig(nodeutil.NodeConfig{
 			Client:         clientset,
 			NodeSpec:       provider.GetInitialNodeSpec(effectiveNodeName, appCfg.Device.Address),
 			HTTPListenAddr: ":10250",
 			NumWorkers:     5,
+			TLSConfig:      tlsCfg,
+			Handler:        handlerWrapper,
 		}),
 	}
 
@@ -214,6 +249,29 @@ func runVirtualKubelet(cmd *cobra.Command, args []string) error {
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to initialise PodHandler: %w", err)
 		}
+
+		// Build a custom PodHandlerConfig that only wires supported operations.
+		// Unsupported methods are left nil so the VK library returns HTTP 501
+		// automatically via its built-in NotImplemented handler, rather than
+		// calling through to the provider stub and returning HTTP 500.
+		mux := http.NewServeMux()
+		mux.Handle("/", api.PodHandler(api.PodHandlerConfig{
+			GetPods: podHandler.GetPods,
+			GetPodsFromKubernetes: func(ctx context.Context) ([]*v1.Pod, error) {
+				return vkCfg.Pods.List(labels.Everything())
+			},
+			StreamIdleTimeout:     0,
+			StreamCreationTimeout: 0,
+			// Explicitly nil — library returns HTTP 501 for each of these:
+			RunInContainer:     nil,
+			AttachToContainer:  nil,
+			GetContainerLogs:   nil,
+			PortForward:        nil,
+			GetStatsSummary:    nil,
+			GetMetricsResource: nil,
+		}, true))
+		innerHandler = mux
+
 		return podHandler, nodeHandler, nil
 	}
 	n, err := nodeutil.NewNode(effectiveNodeName, newProviderFunc, opts...)
@@ -228,3 +286,63 @@ func runVirtualKubelet(cmd *cobra.Command, args []string) error {
 	log.G(ctx).Info("Cisco Virtual Kubelet stopped")
 	return nil
 }
+
+// generateSelfSignedTLS creates a self-signed ECDSA certificate for the kubelet
+// HTTPS listener on :10250. The certificate includes SANs for the device address,
+// 127.0.0.1, and localhost so that both local and remote health checks work.
+func generateSelfSignedTLS(deviceAddr string) (*tls.Config, error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("generate ECDSA key: %w", err)
+	}
+
+	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, fmt.Errorf("generate serial number: %w", err)
+	}
+
+	tmpl := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			Organization: []string{"Cisco Virtual Kubelet"},
+			CommonName:   "cisco-virtual-kubelet",
+		},
+		NotBefore:             time.Now().Add(-time.Minute),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // 10 years
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		DNSNames:              []string{"localhost"},
+	}
+
+	// Include the device address as a SAN if it's an IP.
+	if ip := net.ParseIP(deviceAddr); ip != nil {
+		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
+	} else if deviceAddr != "" {
+		tmpl.DNSNames = append(tmpl.DNSNames, deviceAddr)
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
+	if err != nil {
+		return nil, fmt.Errorf("create certificate: %w", err)
+	}
+
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	keyDER, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return nil, fmt.Errorf("marshal EC private key: %w", err)
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
+
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, fmt.Errorf("load key pair: %w", err)
+	}
+
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS12,
+	}, nil
+}

internal/provider/provider.go

@@ -150,15 +150,7 @@ func (p *AppHostingProvider) GetPods(ctx context.Context) ([]*v1.Pod, error) {
 }
 
 func (p *AppHostingProvider) AttachToContainer(ctx context.Context, namespace, podName, containerName string, attach api.AttachIO) error {
-	// log.G(ctx).Infof("Attaching to container %s in pod %s/%s", containerName, namespace, podName)
-
-	// For Cisco IOx containers, attachment is limited
-	// We can simulate it by providing a shell prompt
-	if attach.Stdout() != nil {
-		attach.Stdout().Write([]byte("Cisco IOx container attachment not fully supported\n"))
-	}
-
-	return nil
+	return fmt.Errorf("AttachToContainer is not supported by the Cisco Virtual Kubelet")
 }
 
 // NOT YET IMPLEMENTED