From 364dd1a752855c6f647086299bebb0ec6d4fad08 Mon Sep 17 00:00:00 2001
From: Davanum Srinivas
Date: Tue, 20 Sep 2016 18:13:25 -0400
Subject: [PATCH] New command line flag - Set CA file for apiserver in-process client

---
 hack/verify-flags/known-flags.txt | 1 +
 pkg/genericapiserver/options/server_run_options.go | 14 +++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index cdd3c5bf226..31e38989005 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -504,6 +504,7 @@ tcp-services
 terminated-pod-gc-threshold
 test-flags
 test-timeout
+tls-ca-file
 tls-cert-file
 tls-private-key-file
 to-version
diff --git a/pkg/genericapiserver/options/server_run_options.go b/pkg/genericapiserver/options/server_run_options.go
index 02692584124..2f2c59559be 100644
--- a/pkg/genericapiserver/options/server_run_options.go
+++ b/pkg/genericapiserver/options/server_run_options.go
@@ -17,6 +17,7 @@ limitations under the License.
 package options
 
 import (
+	"errors"
 	"net"
 	"strconv"
 	"strings"
@@ -114,6 +115,7 @@ type ServerRunOptions struct {
 	// for testing). This is not actually exposed as a flag.
 	DefaultStorageVersions string
 	TargetRAMMB int
+	TLSCAFile string
 	TLSCertFile string
 	TLSPrivateKeyFile string
 	TokenAuthFile string
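Review bot: The new `TLSCAFile` field in the `ServerRunOptions` hunk carries no doc comment, although the field just above it (`DefaultStorageVersions`) is documented and the field's role is only discoverable from the `NewSelfClient` hunk further down. Suggest `// TLSCAFile is a PEM-encoded CA bundle (--tls-ca-file); when set together with SecurePort, NewSelfClient passes it as the in-process client's CAFile for the HTTPS endpoint.` so a reader of the struct sees that this is the trust anchor for the self-client rather than the serving certificate's CA. The struct definition begins and ends outside the hunk.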
@@ -213,12 +215,14 @@ func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, err
 		QPS: 50,
 		Burst: 100,
 	}
-	if s.SecurePort > 0 {
+	if s.SecurePort > 0 && len(s.TLSCAFile) > 0 {
 		clientConfig.Host = "https://" + net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.SecurePort))
-		clientConfig.Insecure = true
+		clientConfig.CAFile = s.TLSCAFile
 		clientConfig.BearerToken = token
-	} else {
+	} else if s.InsecurePort > 0 {
 		clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
+	} else {
+		return nil, errors.New("Unable to set url for apiserver local client")
 	}
 
 	return clientset.NewForConfig(clientConfig)
@@ -445,6 +449,10 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 		"It defaults to a list of preferred versions of all registered groups, "+
 		"which is derived from the KUBE_API_VERSIONS environment variable.")
 
+	fs.StringVar(&s.TLSCAFile, "tls-ca-file", s.TLSCAFile, "If set, this "+
+		"certificate authority will used for secure access from Admission "+
+		"Controllers. This must be a valid PEM-encoded CA bundle.")
+
 	fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+
 		"File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
 		"after server cert). If HTTPS serving is enabled, and --tls-cert-file and "+
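Review bot: The changed condition `if s.SecurePort > 0 && len(s.TLSCAFile) > 0` makes a configuration with a secure port but no `--tls-ca-file` silently fall through to the `else if s.InsecurePort > 0` branch, so the in-process client is downgraded to plaintext HTTP without the bearer token and nothing reports that the secure endpoint was skipped. Since the purpose of the commit is to stop using `Insecure = true`, that downgrade should be an explicit decision rather than a side effect of an unset flag: add a guard ahead of the existing `if`, `if s.SecurePort > 0 && len(s.TLSCAFile) == 0 { return nil, errors.New("tls-ca-file must be set when the secure port is enabled") }`, or at minimum log the fallback. The new error string should also follow Go convention and start lowercase, `errors.New("unable to set url for apiserver local client")`. `NewSelfClient` begins outside the hunk.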
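Review bot: The help text added for `--tls-ca-file` in the `AddUniversalFlags` hunk has a grammatical slip ("will used") and describes the flag as being for "secure access from Admission Controllers", while the `NewSelfClient` hunk shows it is the CA bundle the in-process client uses to verify the apiserver's own HTTPS endpoint, which the commit subject also states. Suggest `"If set, this certificate authority will be used by the apiserver's in-process client (e.g. for admission controllers) to verify the secure port's serving certificate. This must be a valid PEM-encoded CA bundle."` so operators know which certificate the bundle must chain to. `AddUniversalFlags` begins and ends outside the hunk.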