move client-ca to authentication args

cmd/kube-apiserver/app/server.go

@@ -219,7 +219,7 @@ func Run(s *options.ServerRunOptions) error {
 		}
 	}
 
-	authenticatorConfig := s.Authentication.ToAuthenticationConfig(s.SecureServing.ClientCA)
+	authenticatorConfig := s.Authentication.ToAuthenticationConfig()
 	if s.Authentication.ServiceAccounts.Lookup {
 		// If we need to look up service accounts and tokens,
 		// go directly to etcd to avoid recursive auth insanity

federation/cmd/federation-apiserver/app/server.go

@@ -126,7 +126,7 @@ func Run(s *options.ServerRunOptions) error {
 		storageFactory.SetEtcdLocation(groupResource, servers)
 	}
 
-	apiAuthenticator, securityDefinitions, err := authenticator.New(s.Authentication.ToAuthenticationConfig(s.SecureServing.ClientCA))
+	apiAuthenticator, securityDefinitions, err := authenticator.New(s.Authentication.ToAuthenticationConfig())
 	if err != nil {
 		glog.Fatalf("Invalid Authentication Config: %v", err)
 	}

pkg/genericapiserver/config.go

@@ -232,7 +232,6 @@ func (c *Config) ApplySecureServingOptions(secureServing *options.SecureServingO
 		ServingInfo: ServingInfo{
 			BindAddress: net.JoinHostPort(secureServing.ServingOptions.BindAddress.String(), strconv.Itoa(secureServing.ServingOptions.BindPort)),
 		},
-		ClientCA: secureServing.ClientCA,
 	}
 
 	serverCertFile, serverKeyFile := secureServing.ServerCert.CertKey.CertFile, secureServing.ServerCert.CertKey.KeyFile
@@ -305,6 +304,10 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
 		return c
 	}
 
+	if o.ClientCert != nil && c.SecureServingInfo != nil {
+		c.SecureServingInfo.ClientCA = o.ClientCert.ClientCA
+	}
+
 	c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
 	return c
 }

pkg/genericapiserver/options/authentication.go

@@ -29,6 +29,7 @@ import (
 type BuiltInAuthenticationOptions struct {
 	Anonymous       *AnonymousAuthenticationOptions
 	AnyToken        *AnyTokenAuthenticationOptions
+	ClientCert      *ClientCertAuthenticationOptions
 	Keystone        *KeystoneAuthenticationOptions
 	OIDC            *OIDCAuthenticationOptions
 	PasswordFile    *PasswordFileAuthenticationOptions
@@ -85,6 +86,7 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 	return s.
 		WithAnyonymous().
 		WithAnyToken().
+		WithClientCert().
 		WithKeystone().
 		WithOIDC().
 		WithPasswordFile().
@@ -104,6 +106,11 @@ func (s *BuiltInAuthenticationOptions) WithAnyToken() *BuiltInAuthenticationOpti
 	return s
 }
 
+func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
+	s.ClientCert = &ClientCertAuthenticationOptions{}
+	return s
+}
+
 func (s *BuiltInAuthenticationOptions) WithKeystone() *BuiltInAuthenticationOptions {
 	s.Keystone = &KeystoneAuthenticationOptions{}
 	return s
@@ -161,6 +168,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 
 	}
 
+	if s.ClientCert != nil {
+		s.ClientCert.AddFlags(fs)
+	}
+
 	if s.Keystone != nil {
 		fs.StringVar(&s.Keystone.URL, "experimental-keystone-url", s.Keystone.URL,
 			"If passed, activates the keystone authentication plugin.")
@@ -229,10 +240,9 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 	}
 }
 
-func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile string) authenticator.AuthenticatorConfig {
-	ret := authenticator.AuthenticatorConfig{
-		ClientCAFile: clientCAFile,
-	}
+func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.AuthenticatorConfig {
+	ret := authenticator.AuthenticatorConfig{}
+
 	if s.Anonymous != nil {
 		ret.Anonymous = s.Anonymous.Allow
 	}
@@ -241,6 +251,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
 		ret.AnyToken = s.AnyToken.Allow
 	}
 
+	if s.ClientCert != nil {
+		ret.ClientCAFile = s.ClientCert.ClientCA
+	}
+
 	if s.Keystone != nil {
 		ret.KeystoneURL = s.Keystone.URL
 		ret.KeystoneCAFile = s.Keystone.CAFile
@@ -323,6 +337,18 @@ func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig
 	}
 }
 
+type ClientCertAuthenticationOptions struct {
+	// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
+	ClientCA string
+}
+
+func (s *ClientCertAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&s.ClientCA, "client-ca-file", s.ClientCA, ""+
+		"If set, any request presenting a client certificate signed by one of "+
+		"the authorities in the client-ca-file is authenticated with an identity "+
+		"corresponding to the CommonName of the client certificate.")
+}
+
 // DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to
 // the root kube API server
 type DelegatingAuthenticationOptions struct {

pkg/genericapiserver/options/serving.go

@@ -41,8 +41,6 @@ type SecureServingOptions struct {
 	ServerCert GeneratableKeyCert
 	// SNICertKeys are named CertKeys for serving secure traffic with SNI support.
 	SNICertKeys []config.NamedCertKey
-	// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
-	ClientCA string
 }
 
 type CertKey struct {
@@ -124,11 +122,6 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 		"trump over extracted names. For multiple key/certificate pairs, use the "+
 		"--tls-sni-cert-key multiple times. "+
 		"Examples: \"example.key,example.crt\" or \"*.foo.com,foo.com:foo.key,foo.crt\".")
-
-	fs.StringVar(&s.ClientCA, "client-ca-file", s.ClientCA, ""+
-		"If set, any request presenting a client certificate signed by one of "+
-		"the authorities in the client-ca-file is authenticated with an identity "+
-		"corresponding to the CommonName of the client certificate.")
 }
 
 func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {