edge: push-based node join via shell-operator #41
Replace the (never-implemented) cloud-init templating pathway with a push-based join: cloud-init only installs tailscale + k8s packages, and a shell-operator deployment in hub's edge ns watches edge Nodes and creates a per-Node Job that SSHes in, waits for cloud-init, runs tailscale up, and kubeadm joins. Secrets stay in Kubernetes instead of baked into the user-data BinaryLane holds. shell-operator watches edge via the admin-kubeconfig; hook scripts act against hub in-cluster. Jobs fetch the per-node SSH password from edge kube-system at runtime using the same kubeconfig.
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 57ff1f12f0
```yaml
- name: KUBECONFIG
  value: /etc/edge-kubeconfig/kubeconfig
```
Keep hook kubectl pointed at hub cluster
Setting KUBECONFIG on the shell-operator container makes the kubectl calls in hook.sh (get/create/delete job in namespace edge) target the edge cluster instead of the in-cluster hub API. This breaks reconciliation because the join Jobs (and their referenced hub-side secrets/config) are expected in hub edge, so the hook cannot reliably create/manage them and node joins stall. Configure shell-operator to watch edge without exporting KUBECONFIG into hook subprocesses, or explicitly force hook kubectl back to in-cluster context.
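The review comment above is about which cluster each kubectl call in the hook lands on. The hook below is an added example written for this discussion, not the PR's own hook: it keeps the edge watch on the mounted admin kubeconfig while forcing every hub-side call back to in-cluster credentials by clearing `KUBECONFIG` for that one process. Assumed and not taken from the PR: the Secret name `edge-admin-kubeconfig`, the image `registry.example/edge-join:latest`, the `/join.sh` entrypoint inside it, and the `ssh-<node>` Secret naming; the mount path `/etc/edge-kubeconfig/kubeconfig` and the `edge` namespace are the ones in the diff.

```shell
#!/usr/bin/env bash
# hooks/edge-node-join.sh (hypothetical hook written for this review; not the PR's code)
#
# shell-operator itself is pointed at the EDGE cluster through its own --kube-config
# option rather than by exporting KUBECONFIG, so hooks do not inherit it; this hook
# additionally strips KUBECONFIG for every HUB call as a belt-and-braces measure.
# Assumed names (not from the PR): Secret edge-admin-kubeconfig, JOIN_IMAGE, /join.sh.
set -eu

EDGE_KUBECONFIG="${EDGE_KUBECONFIG:-/etc/edge-kubeconfig/kubeconfig}"
HUB_NS="${HUB_NS:-edge}"
JOIN_IMAGE="${JOIN_IMAGE:-registry.example/edge-join:latest}"   # assumed

# Hub: clear any inherited KUBECONFIG for this one call so kubectl falls back to
# the pod's in-cluster service-account credentials.
hub_kubectl() { env -u KUBECONFIG kubectl "$@"; }

# Edge: name the kubeconfig explicitly; never depend on the ambient environment.
edge_kubectl() { kubectl --kubeconfig="$EDGE_KUBECONFIG" "$@"; }

# Printed when shell-operator invokes the hook with --config.
hook_config() {
  cat <<'EOF'
configVersion: v1
kubernetes:
- name: edge-nodes
  apiVersion: v1
  kind: Node
  executeHookOnEvent: ["Added"]
  jqFilter: '{name: .metadata.name}'
EOF
}

job_name() { printf 'join-%s' "$1"; }

# True when the edge Node already reports Ready, i.e. has already joined.
node_ready() {
  [ "$(edge_kubectl get node "$1" \
        -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')" = "True" ]
}

# The Job lives in hub's edge namespace and mounts the same edge kubeconfig, so
# it can read the per-node SSH password from edge kube-system at run time.
render_job() {
  node="$1"
  cat <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: $(job_name "$node")
  namespace: $HUB_NS
  labels:
    app: edge-join
    node: "$node"
spec:
  backoffLimit: 3
  ttlSecondsAfterFinished: 86400
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: join
        image: $JOIN_IMAGE
        command: ["/join.sh"]   # assumed: waits for cloud-init, tailscale up, kubeadm join
        env:
        - name: NODE
          value: "$node"
        - name: EDGE_KUBECONFIG
          value: $EDGE_KUBECONFIG
        volumeMounts:
        - name: edge-kubeconfig
          mountPath: $(dirname "$EDGE_KUBECONFIG")
          readOnly: true
      volumes:
      - name: edge-kubeconfig
        secret:
          secretName: edge-admin-kubeconfig
EOF
}

# Create the Job on hub once; a repeat event for the same node is a no-op.
ensure_job() {
  node="$1"
  if node_ready "$node"; then
    echo "$node already Ready on edge; skipping" >&2
    return 0
  fi
  if hub_kubectl -n "$HUB_NS" get job "$(job_name "$node")" >/dev/null 2>&1; then
    echo "join job for $node already exists" >&2
    return 0
  fi
  render_job "$node" | hub_kubectl apply -f -
}

main() {
  if [ "${1:-}" = "--config" ]; then hook_config; return 0; fi
  if [ -z "${BINDING_CONTEXT_PATH:-}" ]; then
    echo "no binding context; nothing to do" >&2
    return 0
  fi
  # Synchronization contexts carry .objects[].filterResult, Event contexts .filterResult.
  jq -r '.[] | ((.filterResult // empty), (.objects[]? | .filterResult)) | .name' \
    "$BINDING_CONTEXT_PATH" |
  while read -r node; do
    [ -n "$node" ] && ensure_job "$node"
  done
}
main "$@"
```

Two things to check when wiring this in: the shell-operator container should receive the edge kubeconfig through its own `--kube-config` option (or the matching environment variable for that option) rather than through `KUBECONFIG`, and the ServiceAccount it runs under needs get/create on Jobs in hub's `edge` namespace only; it never needs hub-wide rights, and the edge admin kubeconfig should stay read-only mounted and referenced only by `edge_kubectl` and the Job.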