only lookup token if we don't have client certs for both

see #3221 for idea

utils/kubernetes/kubeutil.py

@@ -153,10 +153,6 @@ def _init_tls_settings(self, instance):
         if apiserver_cacert and os.path.exists(apiserver_cacert):
             tls_settings['apiserver_cacert'] = apiserver_cacert
 
-        token = self.get_auth_token(instance)
-        if token:
-            tls_settings['bearer_token'] = token
-
         # kubelet
         kubelet_client_crt = instance.get('kubelet_client_crt')
         kubelet_client_key = instance.get('kubelet_client_key')
@@ -169,6 +165,12 @@ def _init_tls_settings(self, instance):
         else:
             tls_settings['kubelet_verify'] = instance.get('kubelet_tls_verify', DEFAULT_TLS_VERIFY)
 
+        if ('apiserver_client_cert' not in tls_settings) or ('kubelet_client_cert' not in tls_settings):
+            # Only lookup token if we don't have client certs for both
+            token = self.get_auth_token(instance)
+            if token:
+                tls_settings['bearer_token'] = token
+
         return tls_settings
 
     def _locate_kubelet(self, instance):