You are securing etcd. Which of the following is required to enable TLS client authentication for etcd?
These flags enable and configure client certificate authentication.
Why this answer
Option D is correct because etcd requires `--client-cert-auth=true` to enforce TLS client certificate authentication for incoming client requests, and `--trusted-ca-file` must be provided to specify the CA certificate used to validate client certificates. Without both, client certificate authentication is not enabled.
Exam trap
The trap here is that candidates confuse `--peer-client-cert-auth` (for inter-node communication) with `--client-cert-auth` (for client-to-server communication), leading them to select option B instead of D.
How to eliminate wrong answers
Option A is wrong because `--auto-tls` enables self-signed TLS for peer and client connections but does not enforce client certificate authentication; it is intended for development or testing, not secure production use. Option B is wrong because `--peer-client-cert-auth` enables client certificate authentication for peer-to-peer communication between etcd members, not for client connections to the etcd API. Option C is wrong because `--cert-file` and `--key-file` only configure the server certificate for TLS, but without `--client-cert-auth=true` and `--trusted-ca-file`, the server will not request or validate client certificates.
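The flag combinations discussed above, as an added example (not part of the original question and not etcd project code): a POSIX shell function that classifies an etcd command line by which of the four cases it matches. The function name, status strings and sample paths are assumptions made for this example; only the `--flag=value` form is parsed, and only the flags named in the explanation are checked.

```shell
#!/bin/sh
# Added example: classify etcd arguments by how client connections are secured.
# Hypothetical helper; checks flags only, not the running server or its listen URLs.
etcd_client_auth_status() {
    client_auth=false; trusted_ca=""; server_cert=""; server_key=""
    auto_tls=false; peer_auth=false
    for arg in "$@"; do
        case "$arg" in
            --client-cert-auth|--client-cert-auth=true) client_auth=true ;;
            --client-cert-auth=false)                   client_auth=false ;;
            --trusted-ca-file=?*)                       trusted_ca=${arg#*=} ;;
            --cert-file=?*)                             server_cert=${arg#*=} ;;
            --key-file=?*)                              server_key=${arg#*=} ;;
            --auto-tls|--auto-tls=true)                 auto_tls=true ;;
            --peer-client-cert-auth|--peer-client-cert-auth=true) peer_auth=true ;;
        esac
    done
    if [ "$client_auth" = true ] && [ -n "$trusted_ca" ]; then
        echo "CLIENT_AUTH_CONFIGURED"   # both required flags present (option D)
    elif [ "$client_auth" = true ]; then
        echo "MISSING_CA"               # no CA to validate client certificates
    elif [ "$auto_tls" = true ]; then
        echo "AUTO_TLS_ONLY"            # self-signed TLS, no client cert check (option A)
    elif [ "$peer_auth" = true ]; then
        echo "PEER_ONLY"                # member-to-member auth only (option B)
    elif [ -n "$server_cert" ] && [ -n "$server_key" ]; then
        echo "SERVER_TLS_ONLY"          # server certificate only (option C)
    else
        echo "NO_TLS"
    fi
}

# Constructed sample command lines (paths are placeholders).
etcd_client_auth_status --cert-file=/pki/server.crt --key-file=/pki/server.key \
    --client-cert-auth=true --trusted-ca-file=/pki/ca.crt
etcd_client_auth_status --peer-client-cert-auth=true --peer-trusted-ca-file=/pki/ca.crt
```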