mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2026-01-11 17:45:38 +00:00
Automatic merge from submit-queue (batch tested with PRs 46726, 41912, 46695, 46034, 46551)

Rotate kubelet client certificate.

Changes the kubelet so it bootstraps off the cert/key specified in the config file and uses those to request new cert/key pairs from the Certificate Signing Request API, as well as rotating client certificates when they approach expiration.

Default behavior is for client certificate rotation to be disabled. If enabled using a command line flag, the kubelet exits each time the certificate is rotated. I tried to use `GetCertificate` in [tls.Config](https://golang.org/pkg/crypto/tls/#Config) but it is only called on the server side of connections. Then I tried `GetClientCertificate`, but it is new in 1.8.

**Release note**
```release-note
With --feature-gates=RotateKubeletClientCertificate=true set, the kubelet will request a client certificate from the API server during the boot cycle and pause waiting for the request to be satisfied. It will continually refresh the certificate as the certificate's expiration approaches.
```
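The rotate-near-expiry behaviour and the `GetClientCertificate` callback named in the commit message, as an added Go example that is not code from this commit or from Kubernetes; on Go 1.8+ the callback lets new handshakes pick up a rotated certificate without a process exit. `certStore`, `rotateIfDue`, the `issue` callback (standing in for the Certificate Signing Request API) and the 20% threshold are assumptions, and the sample certificates are constructed with validity dates only.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"sync/atomic"
	"time"
)

type certStore struct{ atomic.Value } // hypothetical holder of the *tls.Certificate in use

// Get matches tls.Config.GetClientCertificate (Go 1.8+), called on every new handshake.
func (s *certStore) Get(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	if c, ok := s.Load().(*tls.Certificate); ok {
		return c, nil
	}
	return nil, fmt.Errorf("no client certificate loaded")
}

// rotateIfDue stores a certificate from issue (stand-in for the CSR API round trip) when
// none is loaded yet or less than fraction of its lifetime is left (assumed threshold).
func (s *certStore) rotateIfDue(now time.Time, fraction float64, issue func() (*tls.Certificate, error)) (bool, error) {
	if c, err := s.Get(nil); err == nil {
		lifetime := c.Leaf.NotAfter.Sub(c.Leaf.NotBefore)
		if c.Leaf.NotAfter.Sub(now) >= time.Duration(fraction*float64(lifetime)) {
			return false, nil
		}
	}
	fresh, err := issue()
	if err != nil {
		return false, err // the previously stored certificate stays in place
	}
	s.Store(fresh)
	return true, nil
}

func main() {
	store, start := &certStore{}, time.Now()
	_ = &tls.Config{GetClientCertificate: store.Get} // wiring for the API server connection
	for i, h := range []int{0, 5, 9} { // constructed timeline, hours after start
		now := start.Add(time.Duration(h) * time.Hour)
		rotated, err := store.rotateIfDue(now, 0.2, func() (*tls.Certificate, error) {
			leaf := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), NotBefore: now, NotAfter: now.Add(10 * time.Hour)}
			return &tls.Certificate{Leaf: leaf}, nil // constructed: validity dates only, no key
		})
		fmt.Printf("t+%dh rotated=%v err=%v\n", h, rotated, err)
	}
}
```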