Move more into kubeconfig file

k8s-install/scripts/install-cni.sh

@@ -29,7 +29,7 @@ if [ "$(ls ${SECRETS_MOUNT_DIR} 3>/dev/null)" ];
 then
 	echo "Installing any TLS assets from ${SECRETS_MOUNT_DIR}"
 	mkdir -p /host/etc/cni/net.d/calico-tls
-	cp ${SECRETS_MOUNT_DIR}/* /host/etc/cni/net.d/calico-tls/
+	cp -p ${SECRETS_MOUNT_DIR}/* /host/etc/cni/net.d/calico-tls/
 fi
 
 # If the TLS assets actually exist, update the variables to populate into the
@@ -96,20 +96,28 @@ ${CNI_NETWORK_CONFIG:-}
 EOF
 fi
 
+# Pull out service account token.
+SERVICEACCOUNT_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+
 # Write a kubeconfig file for the CNI plugin.  Do this
 # to skip TLS verification for now.  We should eventually support
 # writing more complete kubeconfig files. This is only used
 # if the provided CNI network config references it.
+touch /host/etc/cni/net.d/calico-kubeconfig
+chmod ${KUBECONFIG_PERMISSIONS:-0600} /host/etc/cni/net.d/calico-kubeconfig
 cat > /host/etc/cni/net.d/calico-kubeconfig <<EOF
 # Kubeconfig file for Calico CNI plugin.
 apiVersion: v1
 kind: Config
 clusters:
 - name: local
   cluster:
+    server: https://${KUBERNETES_SERVICE_HOST:-}:${KUBERNETES_SERVICE_PORT:-} 
     insecure-skip-tls-verify: true
 users:
 - name: calico
+  user:
+    token: "${SERVICEACCOUNT_TOKEN}" 
 contexts:
 - name: calico-context
   context:
@@ -119,7 +127,6 @@ current-context: calico-context
 EOF
 
 # Insert any of the supported "auto" parameters.
-SERVICEACCOUNT_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
 grep "__KUBERNETES_SERVICE_HOST__" $TMP_CONF && sed -i s/__KUBERNETES_SERVICE_HOST__/${KUBERNETES_SERVICE_HOST}/g $TMP_CONF
 grep "__KUBERNETES_SERVICE_PORT__" $TMP_CONF && sed -i s/__KUBERNETES_SERVICE_PORT__/${KUBERNETES_SERVICE_PORT}/g $TMP_CONF
 sed -i s/__KUBERNETES_NODE_NAME__/${KUBERNETES_NODE_NAME:-$(hostname)}/g $TMP_CONF