Merge pull request #51045 from jcbsmpsn/rotate-kubelet-client-certificate-beta

Automatic merge from submit-queue (batch tested with PRs 49961, 50005, 50738, 51045, 49927)

Move rotating kubelet client certificate to beta.

```release-note
Release the kubelet client certificate rotation as beta.
```
Kubernetes Submit Queue 2017-08-29 21:43:38 -07:00 committed by GitHub
commit bb8fed88f6
3 changed files with 6 additions and 3 deletions


@ -52,6 +52,7 @@ const (
type KubeletFlags struct {
KubeConfig flag.StringFlag
BootstrapKubeconfig string
RotateCertificates bool
// RequireKubeConfig is deprecated! A valid KubeConfig is now required if --kubeconfig is provided.
RequireKubeConfig bool
@ -126,7 +127,8 @@ func NewKubeletFlags() *KubeletFlags {
// for out-of-tree cloud providers as we'll now depend on cAdvisor integrations
// with cloud providers instead of in the core repo.
// More details here: https://github.com/kubernetes/kubernetes/issues/50986
CloudProvider: v1alpha1.AutoDetectCloudProvider,
CloudProvider: v1alpha1.AutoDetectCloudProvider,
RotateCertificates: false,
}
}
@ -209,6 +211,7 @@ func (f *KubeletFlags) AddFlags(fs *pflag.FlagSet) {
"If the file specified by --kubeconfig does not exist, the bootstrap kubeconfig is used to request a client certificate from the API server. "+
"On success, a kubeconfig file referencing the generated client certificate and key is written to the path specified by --kubeconfig. "+
"The client certificate and key file will be stored in the directory pointed by --cert-dir.")
fs.BoolVar(&f.RotateCertificates, "rotate-certificates", f.RotateCertificates, "<Warning: Beta feature> Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches.")
fs.BoolVar(&f.ReallyCrashForTesting, "really-crash-for-testing", f.ReallyCrashForTesting, "If true, when panics occur crash. Intended for testing.")
fs.Float64Var(&f.ChaosChance, "chaos-chance", f.ChaosChance, "If > 0.0, introduce random client errors and latency. Intended for testing.")
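Review bot: The new `RotateCertificates` field in `KubeletFlags` has no doc comment, and the `--rotate-certificates` help text does not say that the flag only takes effect while the `RotateKubeletClientCertificate` feature gate is enabled, which is what the condition in `run` requires. I would add `// RotateCertificates enables client certificate rotation; it has no effect unless the RotateKubeletClientCertificate feature gate is enabled.` above the field and append a sentence to the same effect to the help string. The explicit `RotateCertificates: false,` in `NewKubeletFlags` is the zero value, so a short comment that rotation is deliberately opt-in would record the intent. The struct and both functions continue outside the hunks shown.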


@ -329,7 +329,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.Dependencies) (err error) {
var clientCertificateManager certificate.Manager
if err == nil {
if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletClientCertificate) {
if s.RotateCertificates && utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletClientCertificate) {
clientCertificateManager, err = certificate.NewKubeletClientCertificateManager(s.CertDirectory, nodeName, clientConfig.CertData, clientConfig.KeyData, clientConfig.CertFile, clientConfig.KeyFile)
if err != nil {
return err
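Review bot: If `--rotate-certificates` is set while the feature gate is disabled, the new condition skips `NewKubeletClientCertificateManager` without any message, so the kubelet keeps its original client certificate until it expires and the operator gets no sign that rotation is inactive. I would add a check before this `if` that emits a warning log line when `s.RotateCertificates && !utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletClientCertificate)`. The upgrade path looks affected as well: a node that enabled only the gate under alpha appears to stop rotating after this change because the flag defaults to false, which is worth stating in the upgrade notes. `run` starts and ends outside the hunk, so any earlier handling is not visible here.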


@ -146,7 +146,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
Accelerators: {Default: false, PreRelease: utilfeature.Alpha},
TaintBasedEvictions: {Default: false, PreRelease: utilfeature.Alpha},
RotateKubeletServerCertificate: {Default: false, PreRelease: utilfeature.Alpha},
RotateKubeletClientCertificate: {Default: false, PreRelease: utilfeature.Alpha},
RotateKubeletClientCertificate: {Default: true, PreRelease: utilfeature.Beta},
PersistentLocalVolumes: {Default: false, PreRelease: utilfeature.Alpha},
LocalStorageCapacityIsolation: {Default: false, PreRelease: utilfeature.Alpha},
DebugContainers: {Default: false, PreRelease: utilfeature.Alpha},