build_kubeconfig_yaml

Function build_kubeconfig_yaml 

pub fn build_kubeconfig_yaml(
    cluster_name: &str,
    server: &str,
    ca_data_b64: Option<&str>,
    sa_name: &str,
    token: &str,
    allow_insecure: bool,
) -> Result<String>

Build a kubeconfig YAML string for the given service account token.

When ca_data_b64 is Some(...) the CA data is embedded and TLS verification is enforced. When ca_data_b64 is None the function refuses to produce output unless allow_insecure is true; in that case it sets insecure-skip-tls-verify: true on the cluster entry.

Refusing insecure output by default prevents a bootstrap run against a KUBECONFIG that lacks CA data from silently distributing kubeconfigs that skip TLS verification (MITM risk against the child-cluster scout).

§Arguments

  • cluster_name - Name of the cluster entry in the kubeconfig
  • server - Kubernetes API server URL (e.g. https://192.0.2.1:6443)
  • ca_data_b64 - Base64-encoded PEM CA certificate, or None to omit CA data (accepted only when allow_insecure is true; the output then skips TLS verification)
  • sa_name - Name of the service account / kubeconfig user entry
  • token - Bearer token for the service account
  • allow_insecure - Must be true to allow emitting insecure-skip-tls-verify when ca_data_b64 is None. Intended to be wired to an explicit CLI opt-out flag (e.g. --insecure-skip-tls-verify).

§Errors

  • Returns an error if ca_data_b64 is None and allow_insecure is false.
  • Returns an error if YAML serialization fails.
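
The fail-closed rule described above, as an added sketch that is not this crate's implementation. Assumptions: it uses only std (format! in place of a YAML serializer), returns String errors, and the names kubeconfig_sketch, yaml_str and the "<sa_name>@<cluster_name>" context name are hypothetical.

```rust
// Added sketch of the fail-closed rule; not the crate's implementation.
// Assumptions: std-only (format! instead of a YAML serializer), String errors,
// and a context named "<sa_name>@<cluster_name>".
fn yaml_str(s: &str) -> Result<String, String> {
    // Refuse control characters so a value cannot inject extra YAML lines.
    if s.chars().any(|c| c.is_control()) {
        return Err("control character in kubeconfig field".into());
    }
    Ok(format!("\"{}\"", s.replace('\\', "\\\\").replace('"', "\\\"")))
}

pub fn kubeconfig_sketch(
    cluster_name: &str,
    server: &str,
    ca_data_b64: Option<&str>,
    sa_name: &str,
    token: &str,
    allow_insecure: bool,
) -> Result<String, String> {
    // Decide the TLS line first: no CA data and no explicit opt-out is an error.
    let tls_line = match (ca_data_b64, allow_insecure) {
        (Some(ca), _) => format!("certificate-authority-data: {}", yaml_str(ca)?),
        (None, true) => "insecure-skip-tls-verify: true".to_string(),
        (None, false) => {
            return Err("no CA data; refusing insecure output without explicit opt-out".into())
        }
    };
    let (cluster, user) = (yaml_str(cluster_name)?, yaml_str(sa_name)?);
    let context = yaml_str(&format!("{sa_name}@{cluster_name}"))?;
    Ok(format!(
        "apiVersion: v1\nkind: Config\nclusters:\n- name: {cluster}\n  cluster:\n    server: {server}\n    {tls_line}\n\
         contexts:\n- name: {context}\n  context:\n    cluster: {cluster}\n    user: {user}\n\
         current-context: {context}\nusers:\n- name: {user}\n  user:\n    token: {token}\n",
        server = yaml_str(server)?,
        token = yaml_str(token)?,
    ))
}

fn main() {
    // Constructed inputs: documentation-range address and placeholder token.
    let r = kubeconfig_sketch("child", "https://192.0.2.1:6443", None, "scout", "TOKEN", false);
    println!("{r:?}");
}
```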