Merge pull request #47443 from p0lyn0mial/use_incluster_cfg_when_creating_ext_informers

Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)

incluster config will be used when creating external shared informers.

**What this PR does / why we need it**:
Previously the loopback configuration was used to talk to the server.
As a consequence a custom API server was unable to talk to the root API server.
This PR changes the above by using incluster configuration to create shared informers.

**Release note**:

```release-note
NONE
```

cmd/kube-apiserver/app/server.go

@@ -593,6 +593,8 @@ func defaultOptions(s *options.ServerRunOptions) error {
 	if err != nil {
 		return fmt.Errorf("error determining service IP ranges: %v", err)
 	}
+	s.SecureServing.ForceLoopbackConfigUsage()
+
 	if err := s.SecureServing.MaybeDefaultWithSelfSignedCerts(s.GenericServerRunOptions.AdvertiseAddress.String(), []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}, []net.IP{apiServerServiceIP}); err != nil {
 		return fmt.Errorf("error creating self-signed certificates: %v", err)
 	}

federation/cmd/federation-apiserver/app/server.go

@@ -102,6 +102,7 @@ func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
 	if err := s.CloudProvider.DefaultExternalHost(s.GenericServerRunOptions); err != nil {
 		return fmt.Errorf("error setting the external host value: %v", err)
 	}
+	s.SecureServing.ForceLoopbackConfigUsage()
 
 	s.Authentication.ApplyAuthorization(s.Authorization)
 

staging/src/k8s.io/apiserver/pkg/server/options/serving.go

@@ -24,6 +24,7 @@ import (
 	"net"
 	"path"
 	"strconv"
+	"time"
 
 	"github.com/golang/glog"
 	"github.com/pborman/uuid"
@@ -34,6 +35,7 @@ import (
 	utilflag "k8s.io/apiserver/pkg/util/flag"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	certutil "k8s.io/client-go/util/cert"
 )
 
@@ -45,6 +47,9 @@ type SecureServingOptions struct {
 	ServerCert GeneratableKeyCert
 	// SNICertKeys are named CertKeys for serving secure traffic with SNI support.
 	SNICertKeys []utilflag.NamedCertKey
+
+	// when set determines whether to use loopback configuration to create shared informers.
+	useLoopbackCfg bool
 }
 
 type CertKey struct {
@@ -136,6 +141,7 @@ func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
 	fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
 }
 
+// ApplyTo fills up serving information in the server configuration.
 func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
 	if s.BindPort <= 0 {
 		return nil
@@ -169,16 +175,39 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
 		c.SecureServingInfo.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
 	}
 
-	// create shared informers
-	clientset, err := kubernetes.NewForConfig(c.LoopbackClientConfig)
-	if err != nil {
-		return err
+	// create shared informers, if not explicitly set use in cluster config.
+	// do not fail on an error, this allows an external API server to startup
+	// outside of a kube cluster.
+	var clientCfg *rest.Config
+	err = nil
+	if s.useLoopbackCfg {
+		clientCfg = c.LoopbackClientConfig
+	} else {
+		clientCfg, err = rest.InClusterConfig()
 	}
-	c.SharedInformerFactory = informers.NewSharedInformerFactory(clientset, c.LoopbackClientConfig.Timeout)
-
+	if err != nil {
+		glog.Errorf("Couldn't create in cluster config due to %v. SharedInformerFactory will not be set.", err)
+		return nil
+	}
+	clientset, err := kubernetes.NewForConfig(clientCfg)
+	if err != nil {
+		glog.Errorf("Couldn't create clientset due to %v. SharedInformerFactory will not be set.", err)
+		return nil
+	}
+	c.SharedInformerFactory = informers.NewSharedInformerFactory(clientset, 10*time.Minute)
 	return nil
 }
 
+// ForceLoopbackConfigUsage forces the usage of the loopback configuration
+// to create SharedInformerFactory. The primary client of this method
+// is kube API server, no other API server is the source of truth for kube APIs.
+//
+// Note:
+// this method MUST be called prior to ApplyTo to take an effect.
+func (s *SecureServingOptions) ForceLoopbackConfigUsage() {
+	s.useLoopbackCfg = true
+}
+
 func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 	if s.BindPort <= 0 {
 		return nil