use the extraClientCA as it was intended

deads2k · deads2k · commit f40bb8af273c · 2017-03-02T16:13:14.000-05:00
diff --git a/pkg/cmd/server/api/helpers.go b/pkg/cmd/server/api/helpers.go
@@ -241,6 +241,10 @@ func GetMasterFileReferences(config *MasterConfig) []*string {
 		refs = append(refs, &config.KubernetesMasterConfig.ProxyClientInfo.KeyFile)
 	}
 
+	if config.AuthConfig.RequestHeader != nil {
+		refs = append(refs, &config.AuthConfig.RequestHeader.ClientCA)
+	}
+
 	refs = append(refs, &config.ServiceAccountConfig.MasterCA)
 	refs = append(refs, &config.ServiceAccountConfig.PrivateKeyFile)
 	for i := range config.ServiceAccountConfig.PublicKeyFiles {
@@ -457,6 +461,21 @@ func GetOAuthClientCertCAs(options MasterConfig) ([]*x509.Certificate, error) {
 	return allCerts, nil
 }
 
+func GetRequestHeaderClientCertCAs(options MasterConfig) ([]*x509.Certificate, error) {
+	if !UseTLS(options.ServingInfo.ServingInfo) {
+		return nil, nil
+	}
+	if options.AuthConfig.RequestHeader == nil {
+		return nil, nil
+	}
+
+	certs, err := cmdutil.CertificatesFromFile(options.AuthConfig.RequestHeader.ClientCA)
+	if err != nil {
+		return nil, fmt.Errorf("Error reading %s: %s", options.AuthConfig.RequestHeader.ClientCA, err)
+	}
+	return certs, nil
+}
+
 func getAPIClientCertCAs(options MasterConfig) ([]*x509.Certificate, error) {
 	if !UseTLS(options.ServingInfo.ServingInfo) {
 		return nil, nil
diff --git a/pkg/cmd/server/kubernetes/master_config.go b/pkg/cmd/server/kubernetes/master_config.go
@@ -114,16 +114,6 @@ func BuildDefaultAPIServer(options configapi.MasterConfig) (*apiserveroptions.Se
 	server.GenericServerRunOptions.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
 	server.GenericServerRunOptions.ClientCAFile = options.ServingInfo.ClientCA
 
-	// TODO this is a terrible hack that should be removed in 1.6
-	if options.AuthConfig.RequestHeader != nil {
-		clientCAFile, err := concatenateFiles("cafrontproxybundle", "\n", options.ServingInfo.ClientCA, options.AuthConfig.RequestHeader.ClientCA)
-		if err != nil {
-			return nil, nil, fmt.Errorf("unable to create ca bundle temp file: %v", err)
-		}
-		glog.V(2).Infof("temp clientCA bundle file is %s", clientCAFile)
-		server.GenericServerRunOptions.ClientCAFile = clientCAFile
-	}
-
 	server.GenericServerRunOptions.MaxRequestsInFlight = options.ServingInfo.MaxRequestsInFlight
 	server.GenericServerRunOptions.MinRequestTimeout = options.ServingInfo.RequestTimeoutSeconds
 	for _, nc := range options.ServingInfo.NamedCertificates {
@@ -317,6 +307,14 @@ func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextM
 	for _, cert := range oAuthClientCertCAs {
 		genericConfig.SecureServingInfo.ClientCA.AddCert(cert)
 	}
+	requestHeaderCACerts, err := configapi.GetRequestHeaderClientCertCAs(options)
+	if err != nil {
+		glog.Fatalf("Error setting up request header client certificates: %v", err)
+	}
+	for _, cert := range requestHeaderCACerts {
+		genericConfig.SecureServingInfo.ClientCA.AddCert(cert)
+	}
+
 	url, err := url.Parse(options.MasterPublicURL)
 	if err != nil {
 		glog.Fatalf("Error parsing master public url %q: %v", options.MasterPublicURL, err)
