
self-signed kubelet server certificate is never renewed #99418

Closed
champtar opened this issue Feb 24, 2021 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.

Comments

@champtar
Contributor

champtar commented Feb 24, 2021

What happened:

Looking at how to easily renew the kubelet server certificate (serverTLSBootstrap + custom approver/script to regenerate a new cert myself/...), I had a look at the code and I can only find kubelet.crt (https://github.com/kubernetes/kubernetes/search?q=kubelet.crt&type=code) here:

    func InitializeTLS(kf *options.KubeletFlags, kc *kubeletconfiginternal.KubeletConfiguration) (*server.TLSOptions, error) {
        // No serving-cert bootstrap and no explicit cert/key configured: fall back to a
        // self-signed pair in the cert directory.
        if !kc.ServerTLSBootstrap && kc.TLSCertFile == "" && kc.TLSPrivateKeyFile == "" {
            kc.TLSCertFile = path.Join(kf.CertDirectory, "kubelet.crt")
            kc.TLSPrivateKeyFile = path.Join(kf.CertDirectory, "kubelet.key")
            // Only checks that both files exist and can be read, not their validity period.
            canReadCertAndKey, err := certutil.CanReadCertAndKey(kc.TLSCertFile, kc.TLSPrivateKeyFile)

This checks if the cert/key are readable but not if the cert is still valid.

What you expected to happen:

self-signed cert is rotated before expiration

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

I have only looked at the code and not manually reproduced it, but I can't find anything in k8s/kubeadm rotating this cert

Environment:

  • Kubernetes version: master
  • Install tools: kubeadm / kubespray
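The validity check the excerpt above lacks, as an added example (not kubelet or kubeadm code): NeedsRenewal parses a PEM serving certificate and reports whether it is expired or within a lead window of NotAfter, which is the condition an operator's renewal script or monitor would key on. SelfSignedPEM is an assumed helper that constructs a throwaway certificate as sample input; it does not reproduce how the kubelet generates kubelet.crt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// NeedsRenewal is the check InitializeTLS does not perform: it parses a PEM serving
// cert and reports whether it is expired, or expires within 'lead' of 'now', plus NotAfter.
func NeedsRenewal(pemData []byte, now time.Time, lead time.Duration) (bool, time.Time, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, time.Time{}, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, time.Time{}, err
	}
	// Renew once the lead window reaches or passes NotAfter (also covers expired certs).
	return !now.Add(lead).Before(cert.NotAfter), cert.NotAfter, nil
}

// SelfSignedPEM constructs a throwaway self-signed cert valid from one hour ago until
// now+validFor. Sample input only (assumed helper); not how the kubelet creates kubelet.crt.
func SelfSignedPEM(validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

On a real node the input would be the bytes of kubelet.crt from the kubelet's cert directory; a lead of 30 days mirrors the common practice of renewing well before expiry.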
@champtar champtar added the kind/bug Categorizes issue or PR as related to a bug. label Feb 24, 2021
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Feb 24, 2021
@k8s-ci-robot
Contributor

@champtar: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Feb 24, 2021
@champtar
Contributor Author

/sig node

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 24, 2021
@neolit123
Member

kubeadm doesn't use the kubelet serving certificate for anything, thus it's not enabling its automatic rotation via --rotate-server-certificates RotateKubeletServerCertificate or manual rotation.

also see the note there that the rotation requires an external controller to sign CSRs:
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation

related thread:
kubernetes/kubeadm#1223
kubernetes/kubeadm#1602

I have only looked at the code and not manually reproduced it, but I can't find anything in k8s/kubeadm rotating this cert

kubeadm will not enable this feature anytime soon, due to the "minimal viable principle" - i.e. the majority of kubeadm users don't need this.

you can ask kube-spray to see what their stance is on doing it at a higher level.

/remove-sig node
/sig cluster-lifecycle
/close

@k8s-ci-robot k8s-ci-robot added sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed sig/node Categorizes an issue or PR as relevant to SIG Node. labels Feb 25, 2021
@k8s-ci-robot
Contributor

@neolit123: Closing this issue.