Fix upload-certs TLS error by passing kubeadm config

Without --config, kubeadm upload-certs auto-discovers the API server
and connects to the container's podman bridge IP instead of the VM
cluster IP, causing a certificate validation error (x509: certificate
is valid for 10.0.0.x, not 10.89.x.x).

Pass --config /etc/kubernetes/kubeadm-config.yaml so kubeadm uses the
correct controlPlaneEndpoint from the init config.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: alicefr

internal/cluster/join.go

@@ -152,7 +152,7 @@ func (c *Cluster) generateJoinCommand(ctx context.Context, cpSSHClient *ssh.Clie
 		// The command prints log lines to stderr and the 64-char hex key on stdout.
 		// We avoid piping (which masks the exit code) and extract the key ourselves.
 		c.logger.Info("Uploading certificates for control-plane join...")
-		certKeyOutput, err := cpSSHClient.Exec(ctx, "sudo kubeadm init phase upload-certs --upload-certs")
+		certKeyOutput, err := cpSSHClient.Exec(ctx, "sudo kubeadm init phase upload-certs --upload-certs --config /etc/kubernetes/kubeadm-config.yaml")
 		if err != nil {
 			return "", fmt.Errorf("failed to upload certificates: %w", err)
 		}