Check whether static cert is already configured in UpdateTransportConfig

- Also update test-cmd.sh to pass a signing ca to the kube controller
  manager, so CSRs work properly in integration tests.

Signed-off-by: Margo Crawford <margaretc@vmware.com>

test/cmd/authentication.sh

@@ -82,7 +82,7 @@ EOF
   fi
   # Post-condition: None
 
-  cat > "${TMPDIR:-/tmp}"/valid_exec_plugin.yaml << EOF
+  cat >"${TMPDIR:-/tmp}"/valid_exec_plugin.yaml <<EOF
 apiVersion: v1
 clusters:
 - cluster:
@@ -134,6 +134,54 @@ EOF
   fi
   # Post-condition: None
 
+  ### Provided --client-certificate/--client-key should take precedence on the cli, thus not triggering the (invalid) exec credential plugin
+  # contained in the kubeconfig.
+
+  # Use CSR to get a valid certificate
+  cat <<EOF | kubectl create -f -
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: testuser
+spec:
+  request: $(base64 < hack/testdata/auth/testuser.csr | tr -d '\n')
+  signerName: kubernetes.io/kube-apiserver-client
+  usages: [client auth]
+EOF
+
+  kube::test::wait_object_assert 'csr/testuser' '{{range.status.conditions}}{{.type}}{{end}}' ''
+  kubectl certificate approve testuser
+  kube::test::wait_object_assert 'csr/testuser' '{{range.status.conditions}}{{.type}}{{end}}' 'Approved'
+  # wait for certificate to not be empty
+  kube::test::wait_object_assert 'csr/testuser' '{{.status.certificate}}' '.+'
+  kubectl get csr testuser -o jsonpath='{.status.certificate}' | base64 -d > "${TMPDIR:-/tmp}"/testuser.crt
+
+  output5=$(kubectl  "${kube_flags_without_token[@]:?}" --client-certificate="${TMPDIR:-/tmp}"/testuser.crt --client-key="hack/testdata/auth/testuser.key" --kubeconfig="${TMPDIR:-/tmp}"/invalid_exec_plugin.yaml get namespace kube-system -o name)
+  if [[ "${output5}" =~ "Unauthorized" ]]; then
+    kube::log::status "Unexpected output when providing --client-certificate/--client-key for authentication - exec credential plugin likely triggered. Output: ${output5}"
+    exit 1
+  else
+    kube::log::status "exec credential plugin not triggered since kubectl was called with provided --client-certificate/--client-key"
+  fi
+
+    ### Provided --client-certificate/--client-key should take precedence in the kubeconfig, thus not triggering the (invalid) exec credential plugin.
+  cat >"${TMPDIR:-/tmp}"/invalid_execcredential.sh <<EOF
+#!/bin/bash
+echo '{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","status":{"clientKeyData":"bad","clientCertificateData":"bad"}}'
+EOF
+  chmod +x "${TMPDIR:-/tmp}"/invalid_execcredential.sh
+
+  kubectl config set-credentials testuser --client-certificate="${TMPDIR:-/tmp}"/testuser.crt --client-key="hack/testdata/auth/testuser.key" --exec-api-version=client.authentication.k8s.io/v1beta1 --exec-command=/tmp/invalid_execcredential.sh
+  output6=$(kubectl  "${kube_flags_without_token[@]:?}" --user testuser get namespace kube-system -o name)
+  if [[ "${output6}" =~ "Unauthorized" ]]; then
+    kube::log::status "Unexpected output when kubeconfig was configured with --client-certificate/--client-key for authentication - exec credential plugin likely triggered. Output: ${output6}"
+    exit 1
+  else
+    kube::log::status "exec credential plugin not triggered since kubeconfig was configured with --client-certificate/--client-key for authentication"
+  fi
+
+  kubectl delete csr testuser
+  rm "${TMPDIR:-/tmp}"/invalid_execcredential.sh
   rm "${TMPDIR:-/tmp}"/invalid_exec_plugin.yaml
   rm "${TMPDIR:-/tmp}"/valid_exec_plugin.yaml
 
@@ -154,7 +202,7 @@ run_exec_credentials_interactive_tests_version() {
 
   kube::log::status "Testing kubectl with configured ${apiVersion} interactive exec credentials plugin"
 
-  cat > "${TMPDIR:-/tmp}"/always_interactive_exec_plugin.yaml << EOF
+  cat >"${TMPDIR:-/tmp}"/always_interactive_exec_plugin.yaml <<EOF
 apiVersion: v1
 clusters:
 - cluster:
@@ -227,7 +275,7 @@ EOF
   fi
   # Post-condition: None
 
-  cat > "${TMPDIR:-/tmp}"/missing_interactive_exec_plugin.yaml << EOF
+  cat >"${TMPDIR:-/tmp}"/missing_interactive_exec_plugin.yaml <<EOF
 apiVersion: v1
 clusters:
 - cluster: