diff --git a/pkg/server/config_selfclient.go b/pkg/server/config_selfclient.go
index eb11dc701..53f179527 100644
--- a/pkg/server/config_selfclient.go
+++ b/pkg/server/config_selfclient.go
@@ -27,7 +27,7 @@ import (
 // select the loopback certificate via SNI if TLS is used.
 const LoopbackClientServerNameOverride = "apiserver-loopback-client"
 
-func (s *SecureServingInfo) NewLoopbackClientConfig(token string, loopbackCert []byte) (*restclient.Config, error) {
+func (s *SecureServingInfo) NewClientConfig(caCert []byte) (*restclient.Config, error) {
 	if s == nil || (s.Cert == nil && len(s.SNICerts) == 0) {
 		return nil, nil
 	}
@@ -41,19 +41,29 @@ func (s *SecureServingInfo) NewLoopbackClientConfig(token string, loopbackCert [
 		// Increase QPS limits. The client is currently passed to all admission plugins,
 		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
 		// for more details. Once #22422 is fixed, we may want to remove it.
-		QPS:         50,
-		Burst:       100,
-		Host:        "https://" + net.JoinHostPort(host, port),
-		BearerToken: token,
+		QPS:   50,
+		Burst: 100,
+		Host:  "https://" + net.JoinHostPort(host, port),
 		// override the ServerName to select our loopback certificate via SNI. This name is also
 		// used by the client to compare the returns server certificate against.
 		TLSClientConfig: restclient.TLSClientConfig{
-			ServerName: LoopbackClientServerNameOverride,
-			CAData:     loopbackCert,
+			CAData: caCert,
 		},
 	}, nil
 }
 
+func (s *SecureServingInfo) NewLoopbackClientConfig(token string, loopbackCert []byte) (*restclient.Config, error) {
+	c, err := s.NewClientConfig(loopbackCert)
+	if err != nil || c == nil {
+		return c, err
+	}
+
+	c.BearerToken = token
+	c.TLSClientConfig.ServerName = LoopbackClientServerNameOverride
+
+	return c, nil
+}
+
 // LoopbackHostPort returns the host and port loopback REST clients should use
 // to contact the server.
 func LoopbackHostPort(bindAddress string) (string, string, error) {