Fix local password validation when bind-address is set

[brandond]

Proposed Changes

Following a review from the security team, #11471 added a check to only allow node-password validation for the local node to be bypassed during startup if the request came from the loopback address. However, if bind-address is set, then the local agent will use the specified address instead of the loopback address when bootstrapping. This causes cert requests from the local agent to fail until the apiserver is up.

This is mostly fine here in k3s, it just makes the server start up a bit slower - but it breaks use of bind-address on RKE2 because the apiserver cannot come up until the agent (kubelet) is up.

Types of Changes

bugfix

Verification

• go test
• will add e2e in rke2 as well

Testing

Yes

Linked Issues

• Improve test coverage of supervisor HTTP API #11477
• https://github.com/rancher/security-team/issues/1097

User-Facing Change

Further Comments

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 47.77%. Comparing base (646e313) to head (d3c634c).
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11607      +/-   ##
==========================================
- Coverage   50.04%   47.77%   -2.28%     
==========================================
  Files         185      185              
  Lines       19265    19265              
==========================================
- Hits         9641     9203     -438     
- Misses       8236     8732     +496     
+ Partials     1388     1330      -58     

Flag	Coverage Δ
e2etests	40.53% <100.00%> (-3.76%)	⬇️
inttests	35.12% <100.00%> (-0.02%)	⬇️
unittests	17.04% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.