apiserver: make SecureServingOptions and authz/n options re-usable

Kubernetes-commit: 4e0114b0dd3701b68c02d038edcf4fbe84515a68

pkg/server/config.go

@@ -79,14 +79,19 @@ const (
 // Config is a structure used to configure a GenericAPIServer.
 // Its members are sorted roughly in order of importance for composers.
 type Config struct {
-	// SecureServingInfo is required to serve https
+	// SecureServing is required to serve https
-	SecureServingInfo *SecureServingInfo
+	SecureServing *SecureServingInfo
+
+	// Authentication is the configuration for authentication
+	Authentication AuthenticationInfo
+
+	// Authentication is the configuration for authentication
+	Authorization AuthorizationInfo
 
 	// LoopbackClientConfig is a config for a privileged loopback connection to the API server
 	// This is required for proper functioning of the PostStartHooks on a GenericAPIServer
+	// TODO: move into SecureServing(WithLoopback) as soon as insecure serving is gone
 	LoopbackClientConfig *restclient.Config
-	// Authenticator determines which subject is making the request
-	Authenticator authenticator.Request
 	// Authorizer determines whether the subject is allowed to make the request based only
 	// on the RequestURI
 	Authorizer authorizer.Authorizer
@@ -116,10 +121,6 @@ type Config struct {
 	AuditBackend audit.Backend
 	// AuditPolicyChecker makes the decision of whether and how to audit log a request.
 	AuditPolicyChecker auditpolicy.Checker
-	// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
-	// If this is true, a basic auth challenge is returned on authentication failure
-	// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
-	SupportsBasicAuth bool
 	// ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger)
 	// Will default to a value based on secure serving info and available ipv4 IPs.
 	ExternalAddress string
@@ -231,6 +232,21 @@ type SecureServingInfo struct {
 	CipherSuites []uint16
 }
 
+type AuthenticationInfo struct {
+	// Authenticator determines which subject is making the request
+	Authenticator authenticator.Request
+	// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
+	// If this is true, a basic auth challenge is returned on authentication failure
+	// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
+	SupportsBasicAuth bool
+}
+
+type AuthorizationInfo struct {
+	// Authorizer determines whether the subject is allowed to make the request based only
+	// on the RequestURI
+	Authorizer authorizer.Authorizer
+}
+
 // NewConfig returns a Config struct with the default values
 func NewConfig(codecs serializer.CodecFactory) *Config {
 	return &Config{
@@ -302,23 +318,23 @@ func DefaultSwaggerConfig() *swagger.Config {
 	}
 }
 
-func (c *Config) ApplyClientCert(clientCAFile string) (*Config, error) {
+func (c *AuthenticationInfo) ApplyClientCert(clientCAFile string, servingInfo *SecureServingInfo) error {
-	if c.SecureServingInfo != nil {
+	if servingInfo != nil {
 		if len(clientCAFile) > 0 {
 			clientCAs, err := certutil.CertsFromFile(clientCAFile)
 			if err != nil {
-				return nil, fmt.Errorf("unable to load client CA file: %v", err)
+				return fmt.Errorf("unable to load client CA file: %v", err)
 			}
-			if c.SecureServingInfo.ClientCA == nil {
+			if servingInfo.ClientCA == nil {
-				c.SecureServingInfo.ClientCA = x509.NewCertPool()
+				servingInfo.ClientCA = x509.NewCertPool()
 			}
 			for _, cert := range clientCAs {
-				c.SecureServingInfo.ClientCA.AddCert(cert)
+				servingInfo.ClientCA.AddCert(cert)
 			}
 		}
 	}
 
-	return c, nil
+	return nil
 }
 
 type completedConfig struct {
@@ -385,7 +401,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
 		}
 	}
 	if c.SwaggerConfig != nil && len(c.SwaggerConfig.WebServicesUrl) == 0 {
-		if c.SecureServingInfo != nil {
+		if c.SecureServing != nil {
 			c.SwaggerConfig.WebServicesUrl = "https://" + c.ExternalAddress
 		} else {
 			c.SwaggerConfig.WebServicesUrl = "http://" + c.ExternalAddress
@@ -397,7 +413,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
 
 	// If the loopbackclientconfig is specified AND it has a token for use against the API server
 	// wrap the authenticator and authorizer in loopback authentication logic
-	if c.Authenticator != nil && c.Authorizer != nil && c.LoopbackClientConfig != nil && len(c.LoopbackClientConfig.BearerToken) > 0 {
+	if c.Authentication.Authenticator != nil && c.Authorization.Authorizer != nil && c.LoopbackClientConfig != nil && len(c.LoopbackClientConfig.BearerToken) > 0 {
 		privilegedLoopbackToken := c.LoopbackClientConfig.BearerToken
 		var uid = uuid.NewRandom().String()
 		tokens := make(map[string]*user.DefaultInfo)
@@ -408,10 +424,10 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
 		}
 
 		tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
-		c.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authenticator)
+		c.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authentication.Authenticator)
 
 		tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
-		c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer)
+		c.Authorization.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorization.Authorizer)
 	}
 
 	if c.RequestInfoResolver == nil {
@@ -458,7 +474,7 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
 		minRequestTimeout: time.Duration(c.MinRequestTimeout) * time.Second,
 		ShutdownTimeout:   c.RequestTimeout,
 
-		SecureServingInfo: c.SecureServingInfo,
+		SecureServingInfo: c.SecureServing,
 		ExternalAddress:   c.ExternalAddress,
 
 		Handler: apiServerHandler,
@@ -530,19 +546,19 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
 }
 
 func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
-	handler := genericapifilters.WithAuthorization(apiHandler, c.RequestContextMapper, c.Authorizer, c.Serializer)
+	handler := genericapifilters.WithAuthorization(apiHandler, c.RequestContextMapper, c.Authorization.Authorizer, c.Serializer)
 	handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.RequestContextMapper, c.LongRunningFunc)
-	handler = genericapifilters.WithImpersonation(handler, c.RequestContextMapper, c.Authorizer, c.Serializer)
+	handler = genericapifilters.WithImpersonation(handler, c.RequestContextMapper, c.Authorization.Authorizer, c.Serializer)
 	if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) {
 		handler = genericapifilters.WithAudit(handler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
 	} else {
 		handler = genericapifilters.WithLegacyAudit(handler, c.RequestContextMapper, c.LegacyAuditWriter)
 	}
-	failedHandler := genericapifilters.Unauthorized(c.RequestContextMapper, c.Serializer, c.SupportsBasicAuth)
+	failedHandler := genericapifilters.Unauthorized(c.RequestContextMapper, c.Serializer, c.Authentication.SupportsBasicAuth)
 	if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) {
 		failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker)
 	}
-	handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authenticator, failedHandler)
+	handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authentication.Authenticator, failedHandler)
 	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
 	handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.RequestContextMapper, c.LongRunningFunc, c.RequestTimeout)
 	handler = genericfilters.WithWaitGroup(handler, c.RequestContextMapper, c.LongRunningFunc, c.HandlerChainWaitGroup)

pkg/server/genericapiserver.go

@@ -310,7 +310,7 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {
 	internalStopCh := make(chan struct{})
 
 	if s.SecureServingInfo != nil && s.Handler != nil {
-		if err := s.serveSecurely(internalStopCh); err != nil {
+		if err := s.SecureServingInfo.Serve(s.Handler, s.ShutdownTimeout, internalStopCh); err != nil {
 			close(internalStopCh)
 			return err
 		}

pkg/server/genericapiserver_test.go

@@ -387,7 +387,7 @@ func TestNotRestRoutesHaveAuth(t *testing.T) {
 	authz := mockAuthorizer{}
 
 	config.LegacyAPIGroupPrefixes = sets.NewString("/apiPrefix")
-	config.Authorizer = &authz
+	config.Authorization.Authorizer = &authz
 
 	config.EnableSwaggerUI = true
 	config.EnableIndex = true

pkg/server/options/BUILD

@@ -15,6 +15,7 @@ go_library(
         "recommended.go",
         "server_run_options.go",
         "serving.go",
+        "serving_with_loopback.go",
     ],
     importpath = "k8s.io/apiserver/pkg/server/options",
     visibility = ["//visibility:public"],

pkg/server/options/admission.go

@@ -136,7 +136,7 @@ func (a *AdmissionOptions) ApplyTo(
 	if err != nil {
 		return err
 	}
-	genericInitializer := initializer.New(clientset, informers, c.Authorizer, scheme)
+	genericInitializer := initializer.New(clientset, informers, c.Authorization.Authorizer, scheme)
 	initializersChain := admission.PluginInitializers{}
 	pluginInitializers = append(pluginInitializers, genericInitializer)
 	initializersChain = append(initializersChain, pluginInitializers...)

pkg/server/options/authentication.go

@@ -32,6 +32,7 @@ import (
 	coreclient "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+	openapicommon "k8s.io/kube-openapi/pkg/common"
 )
 
 type RequestHeaderAuthenticationOptions struct {
@@ -146,7 +147,7 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 
 }
 
-func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
+func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo, servingInfo *server.SecureServingInfo, openAPIConfig *openapicommon.Config) error {
 	if s == nil {
 		c.Authenticator = nil
 		return nil
@@ -156,8 +157,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
 	if err != nil {
 		return err
 	}
-	c, err = c.ApplyClientCert(clientCA.ClientCA)
+	if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil {
-	if err != nil {
 		return fmt.Errorf("unable to load client CA file: %v", err)
 	}
 
@@ -165,8 +165,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
 	if err != nil {
 		return err
 	}
-	c, err = c.ApplyClientCert(requestHeader.ClientCAFile)
+	if err = c.ApplyClientCert(requestHeader.ClientCAFile, servingInfo); err != nil {
-	if err != nil {
 		return fmt.Errorf("unable to load client CA file: %v", err)
 	}
 
@@ -180,8 +179,8 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
 	}
 
 	c.Authenticator = authenticator
-	if c.OpenAPIConfig != nil {
+	if openAPIConfig != nil {
-		c.OpenAPIConfig.SecurityDefinitions = securityDefinitions
+		openAPIConfig.SecurityDefinitions = securityDefinitions
 	}
 	c.SupportsBasicAuth = false
 

pkg/server/options/authorization.go

@@ -74,7 +74,7 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
 }
 
-func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.Config) error {
+func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.AuthorizationInfo) error {
 	if s == nil {
 		c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
 		return nil

pkg/server/options/recommended.go

@@ -30,7 +30,7 @@ import (
 // Each of them can be nil to leave the feature unconfigured on ApplyTo.
 type RecommendedOptions struct {
 	Etcd           *EtcdOptions
-	SecureServing  *SecureServingOptions
+	SecureServing  *SecureServingOptionsWithLoopback
 	Authentication *DelegatingAuthenticationOptions
 	Authorization  *DelegatingAuthorizationOptions
 	Audit          *AuditOptions
@@ -46,7 +46,7 @@ type RecommendedOptions struct {
 func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions {
 	return &RecommendedOptions{
 		Etcd:                       NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
-		SecureServing:              NewSecureServingOptions(),
+		SecureServing:              WithLoopback(NewSecureServingOptions()),
 		Authentication:             NewDelegatingAuthenticationOptions(),
 		Authorization:              NewDelegatingAuthorizationOptions(),
 		Audit:                      NewAuditOptions(),
@@ -78,10 +78,10 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r
 	if err := o.SecureServing.ApplyTo(&config.Config); err != nil {
 		return err
 	}
-	if err := o.Authentication.ApplyTo(&config.Config); err != nil {
+	if err := o.Authentication.ApplyTo(&config.Config.Authentication, config.SecureServing, config.OpenAPIConfig); err != nil {
 		return err
 	}
-	if err := o.Authorization.ApplyTo(&config.Config); err != nil {
+	if err := o.Authorization.ApplyTo(&config.Config.Authorization); err != nil {
 		return err
 	}
 	if err := o.Audit.ApplyTo(&config.Config); err != nil {

pkg/server/options/serving.go

@@ -24,7 +24,6 @@ import (
 	"strconv"
 
 	"github.com/golang/glog"
-	"github.com/pborman/uuid"
 	"github.com/spf13/pflag"
 
 	utilnet "k8s.io/apimachinery/pkg/util/net"
@@ -111,9 +110,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 	}
 
 	fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+
-		"The IP address on which to listen for the --secure-port port. The "+
+		"The IP address on which to listen for the --secure-port port. If blank, all interfaces will be used (0.0.0.0).")
-		"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
-		"clients. If blank, all interfaces will be used (0.0.0.0).")
 
 	fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+
 		"The port on which to serve HTTPS with authentication and authorization. If 0, "+
@@ -157,7 +154,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 }
 
 // ApplyTo fills up serving information in the server configuration.
-func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
+func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error {
 	if s == nil {
 		return nil
 	}
@@ -180,42 +177,10 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
 		s.BindAddress = s.Listener.Addr().(*net.TCPAddr).IP
 	}
 
-	if err := s.applyServingInfoTo(c); err != nil {
+	*config = &server.SecureServingInfo{
-		return err
+		Listener: s.Listener,
 	}
-
+	c := *config
-	c.SecureServingInfo.Listener = s.Listener
-
-	// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
-	// let the server return it when the loopback client connects.
-	certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
-	if err != nil {
-		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
-	}
-	tlsCert, err := tls.X509KeyPair(certPem, keyPem)
-	if err != nil {
-		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
-	}
-
-	secureLoopbackClientConfig, err := c.SecureServingInfo.NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
-	switch {
-	// if we failed and there's no fallback loopback client config, we need to fail
-	case err != nil && c.LoopbackClientConfig == nil:
-		return err
-
-	// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
-	case err != nil && c.LoopbackClientConfig != nil:
-
-	default:
-		c.LoopbackClientConfig = secureLoopbackClientConfig
-		c.SecureServingInfo.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
-	}
-
-	return nil
-}
-
-func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
-	secureServingInfo := &server.SecureServingInfo{}
 
 	serverCertFile, serverKeyFile := s.ServerCert.CertKey.CertFile, s.ServerCert.CertKey.KeyFile
 	// load main cert
@@ -224,7 +189,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 		if err != nil {
 			return fmt.Errorf("unable to load server certificate: %v", err)
 		}
-		secureServingInfo.Cert = &tlsCert
+		c.Cert = &tlsCert
 	}
 
 	if len(s.CipherSuites) != 0 {
@@ -232,11 +197,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 		if err != nil {
 			return err
 		}
-		secureServingInfo.CipherSuites = cipherSuites
+		c.CipherSuites = cipherSuites
 	}
 
 	var err error
-	secureServingInfo.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion)
+	c.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion)
 	if err != nil {
 		return err
 	}
@@ -253,14 +218,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 			return fmt.Errorf("failed to load SNI cert and key: %v", err)
 		}
 	}
-	secureServingInfo.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts)
+	c.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts)
 	if err != nil {
 		return err
 	}
 
-	c.SecureServingInfo = secureServingInfo
-	c.ReadWritePort = s.BindPort
-
 	return nil
 }
 

pkg/server/options/serving_test.go

@@ -32,6 +32,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -47,7 +48,6 @@ import (
 	utilflag "k8s.io/apiserver/pkg/util/flag"
 	"k8s.io/client-go/discovery"
 	restclient "k8s.io/client-go/rest"
-	"strconv"
 )
 
 func setUp(t *testing.T) Config {
@@ -471,7 +471,7 @@ NextTest:
 			config.Version = &v
 
 			config.EnableIndex = true
-			secureOptions := &SecureServingOptions{
+			secureOptions := WithLoopback(&SecureServingOptions{
 				BindAddress: net.ParseIP("127.0.0.1"),
 				BindPort:    6443,
 				ServerCert: GeneratableKeyCert{
@@ -481,7 +481,7 @@ NextTest:
 					},
 				},
 				SNICertKeys: namedCertKeys,
-			}
+			})
 			// use a random free port
 			ln, err := net.Listen("tcp", "127.0.0.1:0")
 			if err != nil {

pkg/server/options/serving_with_loopback.go

@@ -0,0 +1,79 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"crypto/tls"
+	"fmt"
+
+	"github.com/pborman/uuid"
+
+	"k8s.io/apiserver/pkg/server"
+	certutil "k8s.io/client-go/util/cert"
+)
+
+type SecureServingOptionsWithLoopback struct {
+	*SecureServingOptions
+}
+
+func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback {
+	return &SecureServingOptionsWithLoopback{o}
+}
+
+// ApplyTo fills up serving information in the server configuration.
+func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error {
+	if s == nil || s.SecureServingOptions == nil {
+		return nil
+	}
+
+	if err := s.SecureServingOptions.ApplyTo(&c.SecureServing); err != nil {
+		return err
+	}
+
+	if c.SecureServing == nil {
+		return nil
+	}
+
+	c.ReadWritePort = s.BindPort
+
+	// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
+	// let the server return it when the loopback client connects.
+	certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
+	if err != nil {
+		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
+	}
+	tlsCert, err := tls.X509KeyPair(certPem, keyPem)
+	if err != nil {
+		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
+	}
+
+	secureLoopbackClientConfig, err := c.SecureServing.NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
+	switch {
+	// if we failed and there's no fallback loopback client config, we need to fail
+	case err != nil && c.LoopbackClientConfig == nil:
+		return err
+
+	// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
+	case err != nil && c.LoopbackClientConfig != nil:
+
+	default:
+		c.LoopbackClientConfig = secureLoopbackClientConfig
+		c.SecureServing.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
+	}
+
+	return nil
+}

pkg/server/serve.go

@@ -39,17 +39,17 @@ const (
 // serveSecurely runs the secure http server. It fails only if certificates cannot
 // be loaded or the initial listen call fails. The actual server loop (stoppable by closing
 // stopCh) runs in a go routine, i.e. serveSecurely does not block.
-func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
+func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
-	if s.SecureServingInfo.Listener == nil {
+	if s.Listener == nil {
 		return fmt.Errorf("listener must not be nil")
 	}
 
 	secureServer := &http.Server{
-		Addr:           s.SecureServingInfo.Listener.Addr().String(),
+		Addr:           s.Listener.Addr().String(),
-		Handler:        s.Handler,
+		Handler:        handler,
 		MaxHeaderBytes: 1 << 20,
 		TLSConfig: &tls.Config{
-			NameToCertificate: s.SecureServingInfo.SNICerts,
+			NameToCertificate: s.SNICerts,
 			// Can't use SSLv3 because of POODLE and BEAST
 			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
 			// Can't use TLSv1.1 because of RC4 cipher usage
@@ -59,41 +59,41 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
 		},
 	}
 
-	if s.SecureServingInfo.MinTLSVersion > 0 {
+	if s.MinTLSVersion > 0 {
-		secureServer.TLSConfig.MinVersion = s.SecureServingInfo.MinTLSVersion
+		secureServer.TLSConfig.MinVersion = s.MinTLSVersion
 	}
-	if len(s.SecureServingInfo.CipherSuites) > 0 {
+	if len(s.CipherSuites) > 0 {
-		secureServer.TLSConfig.CipherSuites = s.SecureServingInfo.CipherSuites
+		secureServer.TLSConfig.CipherSuites = s.CipherSuites
 	}
 
-	if s.SecureServingInfo.Cert != nil {
+	if s.Cert != nil {
-		secureServer.TLSConfig.Certificates = []tls.Certificate{*s.SecureServingInfo.Cert}
+		secureServer.TLSConfig.Certificates = []tls.Certificate{*s.Cert}
 	}
 
 	// append all named certs. Otherwise, the go tls stack will think no SNI processing
 	// is necessary because there is only one cert anyway.
 	// Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI
 	// cert will become the default cert. That's what we expect anyway.
-	for _, c := range s.SecureServingInfo.SNICerts {
+	for _, c := range s.SNICerts {
 		secureServer.TLSConfig.Certificates = append(secureServer.TLSConfig.Certificates, *c)
 	}
 
-	if s.SecureServingInfo.ClientCA != nil {
+	if s.ClientCA != nil {
 		// Populate PeerCertificates in requests, but don't reject connections without certificates
 		// This allows certificates to be validated by authenticators, while still allowing other auth types
 		secureServer.TLSConfig.ClientAuth = tls.RequestClientCert
 		// Specify allowed CAs for client certificates
-		secureServer.TLSConfig.ClientCAs = s.SecureServingInfo.ClientCA
+		secureServer.TLSConfig.ClientCAs = s.ClientCA
 	}
 
 	glog.Infof("Serving securely on %s", secureServer.Addr)
-	err := RunServer(secureServer, s.SecureServingInfo.Listener, s.ShutdownTimeout, stopCh)
+	return RunServer(secureServer, s.Listener, shutdownTimeout, stopCh)
-	return err
 }
 
 // RunServer listens on the given port if listener is not given,
 // then spawns a go-routine continuously serving
 // until the stopCh is closed. This function does not block.
+// TODO: make private when insecure serving is gone from the kube-apiserver
 func RunServer(
 	server *http.Server,
 	ln net.Listener,