use the appropriate token file for in-cluster only.

kubernetes/client.go

@@ -130,12 +130,7 @@ func getConfigForLocalCluster() (*rest.Config, error) {
 	remoteSecretPath := kialiconfig.Get().Deployment.RemoteSecretPath
 	if remoteSecret, readErr := GetRemoteSecret(remoteSecretPath); readErr == nil {
 		log.Debugf("Using remote secret for local cluster config found at: [%s]. Kiali must be running outside the kube cluster.", remoteSecretPath)
-		cc, err := clientcmd.NewDefaultClientConfig(*remoteSecret, nil).ClientConfig()
-		if err != nil {
-			return cc, err
-		}
-		cc.BearerTokenFile = remoteSecretPath
-		return cc, nil
+		return clientcmd.NewDefaultClientConfig(*remoteSecret, nil).ClientConfig()
 	} else {
 		log.Debugf("Unable to read remote secret. It may or may not exist. Error: %v. Falling back to in cluster config", readErr)
 		// Fallback to in cluster config

kubernetes/client_factory.go

@@ -440,9 +440,6 @@ func (cf *clientFactory) getConfig(clusterInfo *RemoteClusterInfo) (*rest.Config
 			return nil, err
 		}
 
-		// Set the token file so the underlying client can refresh it when needed.
-		remoteConfig.BearerTokenFile = clusterInfo.SecretFile
-
 		// Use the remote config entirely for remote clusters.
 		clientConfig = *remoteConfig
 	} else {

kubernetes/client_factory_test.go

@@ -373,7 +373,7 @@ func setGlobalKialiSAToken(t *testing.T) {
 
 	// reuse the "create a test remote cluster secret file" function, but for this test it is really representing our home cluster SA token
 	saTokenDir := t.TempDir()
-	saTokenFile := createTestRemoteClusterSecretFile(t, saTokenDir, "saSecret", saTokenYAML)
+	createTestRemoteClusterSecretFile(t, saTokenDir, "saSecret", saTokenYAML)
 
 	originalToken := KialiTokenForHomeCluster
 	originalTokenFile := KialiTokenFileForHomeCluster
@@ -384,7 +384,7 @@ func setGlobalKialiSAToken(t *testing.T) {
 	})
 
 	KialiTokenForHomeCluster = "test-token" // as defined in testdata/sa-token.yaml
-	KialiTokenFileForHomeCluster = saTokenFile
+	KialiTokenFileForHomeCluster = ""
 	tokenRead = time.Now()
 }
 

kubernetes/cluster_secret_test.go

@@ -14,7 +14,7 @@ func TestReloadRemoteClusterSecret(t *testing.T) {
 
 	const testClusterName = "TestRemoteCluster"
 
-	remoteSecretFilename := createTestRemoteClusterSecret(t, testClusterName, remoteClusterYAML)
+	createTestRemoteClusterSecret(t, testClusterName, remoteClusterYAML)
 
 	clientFactory := NewTestingClientFactory(t)
 
@@ -38,6 +38,6 @@ func TestReloadRemoteClusterSecret(t *testing.T) {
 	testRCI := rcis[testClusterName]
 	restConfig, err = clientFactory.getConfig(&testRCI)
 	check.Nil(err)
-	check.Equal(remoteSecretFilename, restConfig.BearerTokenFile, "BearerTokenFile should always be set to the remote cluster secret file")
+	check.Equal("", restConfig.BearerTokenFile, "BearerTokenFile is never set")
 	check.Equal("token", restConfig.BearerToken, "BearerToken should be set to the value in the remote cluster yaml")
 }

kubernetes/token.go

@@ -27,7 +27,7 @@ func GetKialiTokenForHomeCluster() (string, string, error) {
 			currentContextAuthInfo := remoteSecret.Contexts[remoteSecret.CurrentContext].AuthInfo
 			if authInfo, ok := remoteSecret.AuthInfos[currentContextAuthInfo]; ok {
 				KialiTokenForHomeCluster = authInfo.Token
-				KialiTokenFileForHomeCluster = config.Get().Deployment.RemoteSecretPath
+				KialiTokenFileForHomeCluster = authInfo.TokenFile
 			} else {
 				return "", "", fmt.Errorf("auth info not found for current context: [%s]. Current context must be set for kiali remote secret", remoteSecret.CurrentContext)
 			}