From 740d8b0a265653caccd15ecf1dc5740366caa114 Mon Sep 17 00:00:00 2001 From: Sergey Date: Wed, 3 Apr 2019 11:35:44 +0300 Subject: [PATCH] enable kubelet client certificate rotation (#4081) * enable kubelet client certificate rotation * change to variable kubelet_rotate_certificates
---
 docs/vars.md | 2 ++
 roles/kubernetes/node/templates/kubelet.kubeadm.env.j2 | 3 +++
 roles/kubespray-defaults/defaults/main.yaml | 4 ++++
 3 files changed, 9 insertions(+)
diff --git a/docs/vars.md b/docs/vars.md
index 72e3cc275..f24b9d4b8 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -113,6 +113,8 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
 * *kubelet_cgroup_driver* - Allows manual override of the cgroup-driver option for Kubelet. By default autodetection is used to match Docker configuration.
+* *kubelet_rotate_certificates* - Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches.
 * *node_labels* - Labels applied to nodes via kubelet --node-labels parameter. For example, labels can be set in the inventory as variables or more widely in group_vars. *node_labels* must be defined as a dict:
diff --git a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2 b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
index 2d6bb5e80..6c46dba1e 100644
--- a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
@@ -28,6 +28,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 {% endif %}
 --enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} \
 --client-ca-file={{ kube_cert_dir }}/ca.crt \
+{% if kubelet_rotate_certificates %}
+--rotate-certificates \
+{% endif %}
 --pod-manifest-path={{ kube_manifest_dir }} \
 {% if kube_version is version('v1.12.0', '<') %}
 --cadvisor-port={{ kube_cadvisor_port }} \
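Review bot: The new `{% if kubelet_rotate_certificates %}` tests raw Jinja truthiness, so an operator who sets `kubelet_rotate_certificates=false` in an INI inventory (where values arrive as strings) would still get the flag rendered; `{% if kubelet_rotate_certificates | bool %}` evaluates the toggle the way a boolean should be. Separately, `--rotate-certificates` only makes the kubelet file a CertificateSigningRequest as its client certificate nears expiry — renewal still depends on a CSR signer in kube-controller-manager and on auto-approval RBAC for the `system:nodes` group (kubeadm normally creates both, but nothing in this role verifies it), and a node whose CSR is never approved loses API access once its bootstrap certificate lapses. A Jinja comment above the block, e.g. `{# client-cert rotation only; the control plane must run a CSR signer and auto-approve system:nodes renewals #}`, would record that dependency next to the flag. The kubelet also marks `--rotate-certificates` as deprecated in favour of the `rotateCertificates` field of KubeletConfiguration, so moving it into the config file is worth a follow-up once this role renders one. The line-continued shell variable assignment these flags belong to starts above the hunk and closes below it.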
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index eb689f1c8..22ec23557 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -308,6 +308,10 @@ kubelet_authentication_token_webhook: true
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
 kubelet_authorization_mode_webhook: false
+# kubelet uses certificates for authenticating to the Kubernetes API
+# Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
+kubelet_rotate_certificates: true
+
 ## v1.11 feature
 feature_gate_v1_11: - "PersistentLocalVolumes={{ local_volume_provisioner_enabled | string }}"
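Review bot: The comment on the new `kubelet_rotate_certificates` key should say which certificate it covers and what the control plane has to provide, because `true` becomes the default for every cluster this role deploys or upgrades, and the second comment line is also far longer than the neighbouring comments in this file. Suggested replacement for the two added comment lines: `# Rotate the kubelet's API client certificate (not its serving certificate) by` / `# requesting a new one from the API server as the current one nears expiry.` / `# Needs a CSR signer and auto-approval of system:nodes renewals on the control plane.` Defaulting to `true` is the right choice from a security standpoint, since it replaces long-lived node credentials with short-lived ones, but the release notes should mention that existing kubelets will begin filing CSRs after the next run. The `feature_gate_v1_11` list at the end of the hunk may continue past what is shown here.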