x509 client certificate auth directly against the API (as referenced in
is intended for a small set of "bootstrap" users (like the cluster
administrator, and for various system components to talk to the API). As you
mentioned, using this with lots of end users without an actual PKI to manage
certificate generation/revocation/user mapping would likely be difficult to
administer.

The ideal scenario for end-user client cert auth would be a PKI to manage the
certificates, and to log in through an auth proxy that would translate client
certificates into usernames for OpenShift. I think that could be done for
browser clients with the RequestHeader integration mentioned earlier, but the
CLI tools don't yet support obtaining an API token using a client certificate.
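The translation step the reply describes (auth proxy verifies the client certificate, maps it to a username, forwards the name in a header the API server's RequestHeader identity provider trusts), as an added example in Go. This is illustration code written for this page, not OpenShift's own proxy or identity-provider implementation. Assumptions: the PKI puts the username in the certificate's subject CN, the header name is `X-Remote-User`, and the TLS listener is configured with `serverTLSConfig` so that `r.TLS.VerifiedChains` is only populated for certificates that chain to the user CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header the proxy sets and the API server's RequestHeader identity provider is
// configured to trust. The name is an assumption for this example; use whatever
// the identity provider configuration names.
const remoteUserHeader = "X-Remote-User"

// userFromCert maps a verified client certificate to an OpenShift username.
// Assumption: the PKI issues end-user certificates with the username in the
// subject CN. The chain itself has already been checked by the TLS layer.
func userFromCert(cert *x509.Certificate) (string, error) {
	if cert == nil {
		return "", errors.New("no client certificate presented")
	}
	user := cert.Subject.CommonName
	if user == "" {
		return "", errors.New("client certificate has no CommonName")
	}
	return user, nil
}

// serverTLSConfig makes the proxy listener demand a client certificate that
// chains to the user CA. With RequireAndVerifyClientCert, r.TLS.VerifiedChains
// is only populated for certificates that passed this check.
func serverTLSConfig(userCA *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  userCA,
		MinVersion: tls.VersionTLS12,
	}
}

// identityHandler is the translation step: it rejects requests without a
// verified client certificate, strips any identity header the client sent
// itself (otherwise anyone who can reach the proxy could impersonate a user),
// and sets the header from the certificate before handing off to next, which
// in a real deployment would be a reverse proxy to the API server.
func identityHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(remoteUserHeader)
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		// VerifiedChains[0][0] is the leaf certificate the client presented.
		user, err := userFromCert(r.TLS.VerifiedChains[0][0])
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		r.Header.Set(remoteUserHeader, user)
		next.ServeHTTP(w, r)
	})
}

// main exercises the handler in-process with a constructed certificate and a
// spoofed header, standing in for the TLS listener and the upstream API.
func main() {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "API saw user %q\n", r.Header.Get(remoteUserHeader))
	})
	h := identityHandler(upstream)

	req := httptest.NewRequest(http.MethodGet, "/api", nil)
	req.Header.Set(remoteUserHeader, "system:admin") // attacker-supplied header
	// Constructed leaf certificate; in production it comes from the TLS handshake.
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: "alice"}}
	req.TLS = &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	fmt.Print(rec.Body.String()) // API saw user "alice"

	_ = serverTLSConfig(x509.NewCertPool()) // listener config for a real deployment
}
```

Two caveats a deployment needs on top of this: the API server must accept the header only from this proxy (the RequestHeader provider is pointed at a CA that issues the proxy's own client certificate, so a direct request carrying `X-Remote-User` is not trusted), and revocation remains the PKI's job, since Go's TLS verification does not consult CRLs or OCSP unless you add that check yourself in `VerifyPeerCertificate`.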