delegated authn: allow client CA override based on non-empty opts

Signed-off-by: Monis Khan <mok@vmware.com> Kubernetes-commit: 6686d8b846546f682d1a449cc9cd0e3c0de977b4
2021-03-09 22:53:04 -05:00 · 2021-03-09 22:53:04 -05:00 · 63ca1f6039
parent 82d5aa9575
commit 63ca1f6039
1 changed files with 4 additions and 4 deletions
--- a/pkg/server/options/authentication.go
+++ b/pkg/server/options/authentication.go
@ -290,16 +290,16 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(authenticationInfo *server.Aut
 	}

 	// get the clientCA information
-	clientCAFileSpecified := len(s.ClientCert.ClientCA) > 0
+	clientCASpecified := s.ClientCert != ClientCertAuthenticationOptions{}
 	var clientCAProvider dynamiccertificates.CAContentProvider
-	if clientCAFileSpecified {
+	if clientCASpecified {
 		clientCAProvider, err = s.ClientCert.GetClientCAContentProvider()
 		if err != nil {
-			return fmt.Errorf("unable to load client CA file %q: %v", s.ClientCert.ClientCA, err)
+			return fmt.Errorf("unable to load client CA provider: %v", err)
 		}
 		cfg.ClientCertificateCAContentProvider = clientCAProvider
 		if err = authenticationInfo.ApplyClientCert(cfg.ClientCertificateCAContentProvider, servingInfo); err != nil {
-			return fmt.Errorf("unable to assign  client CA file: %v", err)
+			return fmt.Errorf("unable to assign client CA provider: %v", err)
 		}

 	} else if !s.SkipInClusterLookup {