Use API internal name as TLS server name in kubeconfig

pkg/kubeconfig/create_kubecfg.go

@@ -85,6 +85,7 @@ func BuildKubecfg(ctx context.Context, cluster *kops.Cluster, keyStore fi.Keysto
 
 	b.Context = clusterName
 	b.Server = server
+	b.TLSServerName = cluster.APIInternalName()
 
 	// add the CA Cert to the kubeconfig only if we didn't specify a certificate for the LB
 	//  or if we're using admin credentials and the secondary port

pkg/kubeconfig/create_kubecfg_test.go

@@ -193,6 +193,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://testcluster.test.com",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testcluster",
 			},
@@ -208,6 +209,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://elbHostName:8443",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testcluster",
 			},
@@ -223,6 +225,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://elbHostName",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       nil,
 				User:          "testcluster",
 			},
@@ -238,6 +241,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://testcluster.test.com",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testcluster",
 			},
@@ -254,6 +258,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://testcluster.test.com",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "myuser",
 			},
@@ -270,6 +275,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "emptyMasterPublicNameCluster",
 				Server:        "https://api.emptyMasterPublicNameCluster",
+				TLSServerName: "api.internal.emptyMasterPublicNameCluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "emptyMasterPublicNameCluster",
 			},
@@ -284,6 +290,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testgossipcluster.k8s.local",
 				Server:        "https://elbHostName",
+				TLSServerName: "api.internal.testgossipcluster.k8s.local",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testgossipcluster.k8s.local",
 			},
@@ -300,6 +307,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://testcluster.test.com",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testcluster",
 				AuthenticationExec: []string{
@@ -323,6 +331,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://api.internal.testcluster",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testcluster",
 			},
@@ -338,6 +347,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testgossipcluster.k8s.local",
 				Server:        "https://elbHostName:8443",
+				TLSServerName: "api.internal.testgossipcluster.k8s.local",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testgossipcluster.k8s.local",
 			},
@@ -354,6 +364,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://api.internal.testcluster",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testcluster",
 			},
@@ -370,6 +381,7 @@ func TestBuildKubecfg(t *testing.T) {
 			want: &KubeconfigBuilder{
 				Context:       "testcluster",
 				Server:        "https://api.internal.testcluster",
+				TLSServerName: "api.internal.testcluster",
 				CACerts:       []byte(nextCertificate + certData),
 				User:          "testcluster",
 			},

pkg/kubeconfig/kubecfg_builder.go

@@ -19,7 +19,6 @@ package kubeconfig
 import (
 	"fmt"
 
-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/klog/v2"
@@ -29,6 +28,7 @@ import (
 // This logic previously lives in the bash scripts (create-kubeconfig in cluster/common.sh)
 type KubeconfigBuilder struct {
 	Server        string
+	TLSServerName string
 
 	Context   string
 	Namespace string
@@ -77,20 +77,6 @@ func (b *KubeconfigBuilder) DeleteKubeConfig(configAccess clientcmd.ConfigAccess
 	return nil
 }
 
-// Create new Rest Client
-func (c *KubeconfigBuilder) BuildRestConfig() (*rest.Config, error) {
-	restConfig := &rest.Config{
-		Host: c.Server,
-	}
-	restConfig.CAData = c.CACerts
-	restConfig.CertData = c.ClientCert
-	restConfig.KeyData = c.ClientKey
-	restConfig.Username = c.KubeUser
-	restConfig.Password = c.KubePassword
-
-	return restConfig, nil
-}
-
 // Write out a new kubeconfig
 func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) error {
 	config, err := configAccess.GetStartingConfig()
@@ -108,6 +94,7 @@ func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) er
 			cluster = clientcmdapi.NewCluster()
 		}
 		cluster.Server = b.Server
+		cluster.TLSServerName = b.TLSServerName
 		cluster.CertificateAuthorityData = b.CACerts
 
 		if config.Clusters == nil {