Add `get-client-certificate` and `get-client-token` functions to `incus remote`
Is there an existing issue for this?
- [x] There is no existing issue for this feature
What are you currently unable to do
It's occasionally useful to be able to get the client certificate in order to send it to a remote server for trusting. So far we've had users directly look at ~/.config/incus/client.crt, but having a dedicated command would be quite convenient, especially as it can internally kick in a certificate generation if one doesn't already exist.
Additionally, adding another command to get a client token (derived from the client certificate) would also be quite useful and would allow us to discontinue the current tls2jwt test tool in favor of a supported command.
What do you think would need to be added
No response
Hello, I am a UT student working with a partner doing open source contributions for class credit, can my group be assigned this issue please? Thank you!
done!
Hi! I’ve reviewed how tls2jwt.go works. I think it generates a JWT on demand using github.com/golang-jwt/jwt/v5, signed with the client certificate’s private key, if my interpretation is right. This seems to align with the goal of the get-client-token command.
In tls2jwt.go, the jwt/v5 import is used freely, but that file is in the test/tools directory. What’s the correct way to use the same library in cmd/incus/remote.go? Should I import jwt/v5 directly like in the tool, or is there a preferred internal mechanism I should use instead?
Yep, you can import that one directly, that's fine.
It's already a dependency of Incus in general, both through the testing tool and through the server side logic.