How important is it to give the admin this knob? It seems like something that should be tuned on our end, not by the user. If that's the case, I suggest using a feature_gate instead.

+1 for feature gate intially (default to off this release)

Not familiar with feature_gate. This flag sets the amount of remaining duration of the certificate before it gets rotated. Does a feature_gate allow some value to be set? Or hard code this to something?

I think so far they're just binary flags, and let you tag features as alpha/beta. My suggestion above was that we hardcode a value for this, unless you think it's an important knob to provide.

Having this knob is pretty useful for testing, and when restarts are no longer part of rotation we can turn this up and rotate frequently during end to end tests.

This is too disruptive. My biggest concern about restarting the Kubelet is it would disrupt any open connections (watching logs, exec/attach/portforward connections). It would also stress the runtime, and may have other performance impacts.

Fortunately, the ListenAndServeTLS function is not too complicated, and should be pretty easy to unroll and swap in our own Accept implementation:

1. ListenAndServeTLS just sets up a tls listener, and calls server.Serve(...) on it.
2. tls.NewListener just wraps a tls.listener, which simlpy wraps the Conn returned by the inner listener.

I think all we'd need to do is create our own listener wrapper which calls tls.Server with the tls.Config with the latest certs.

+1
I think @sttts already did an implementation to pass SNI certs to apiserver

It's more about being able to stop the server with a channel. Now with Go 1.8 we will have an official API for that.

Can we avoid stopping the server in this case? I believe stopping the server will have the same problems mentioned above (or are existing connections kept alive when the server stops?).

I agreed with @timstclair on this. Restarting Kubelet is very disruptive. In addition to the issues pointed out by @timstclair, there are other concerns:

1. In GKE, we might agree upon O(months) certification rotation, but how we ensure this behavior for OSS users?
2. Any misbehaviour operation on certification rotation might lead to a node readiness flapping. But from the users' viewpoint, they only see node status is changed between ready and notReady unless they view the log. This adds more debuggability and introspection difficulties.
3. We encountered a lot of issues with mystery kubelet / docker restarts due to various reasons in prod. This feature only makes things worse.
4. What about other standalone daemons running on the node, which are talking to API server too, for example, NPD in GKE. Based on this design, are we going to force NPD restart too?

Continue with above comments:
5. The worst concern I had based on this design is that all kubelets in the cluster might start at the same time and pulling the information from API server. Can API server handle that load? Shouldn't this is another potential API server scalability issue?

@gmarek @wojtek-t

Answering 5 from above comment - I think that restating all kubelets at once can overload apiserver for quite some time (in fact I did such experiment in 2k-node cluster few months ago and it recovered from backlog after 5minutes or so IIRC).
I didn't read the PR, but if this is going to restart all kubelets at the same time, it's not only bad from scalability perspective, it just sounds bad to me.
We should try spreading the restarts over some time. If the time is long enough, I wouldn't worry about scalability (I'm not sure what long enough means, but from the top of my head, 1hour/1000nodes should be enough).

[And sorry if it's already spread - as I said, I didn't read the PR, just read the comments above.]

We're not restarting all the kubelets at the same time on purpose, but they will restart at the same time period after they were added to the cluster, so if a lot of kubelets are added at approximately the same time, they could clobber the certificate request signing api at the same time 10 months later. I'll add some jitter to the rotation timing.

It looks like this PR won't make 1.6 code freeze. It also looks like transitioning to Go 1.8 is in progress for Kubernetes 1.7. Once that's done we should be able to rotate client certificates without a restart.

Proposed an adjustment to the certificate manager to spread out the certificate rotation requests over here #42498

Why were all these other flags added? Is it just a rebase issue?

Not my flags. Must be a rebase issue. Will remove.

nit: just return an error

Done.

nit: name the return values (what is the bool?).

Done.

is len(certs) guaranteed to be > 0?

Length of the output will equal the length of the input, so in this case, always 1, as long as there is no err.

Where does the notAfter value come from? Shouldn't we be able to calculate exactly when the next rotation needs to occur, and wait until that moment, removing the need for the sync period polling & shouldRotate()?

notAfter is certificate data. It's the expiration of the certificate. We can use it as you suggest. A follow up PR ok?

follow up is fine.

Issue tracking follow up: #42089

Can this be a BootstrapClient and a certificatesclient.CertificateSigningRequestInterface? Why shouldn't I be able to use any form of authn to bootstrap my client TLS?

Well, you can use any authn to initialize your TLS client, but initializing your TLS client doesn't happen in the certificate manager. The certificate manager is the consumer of an already initialized client, only responsible for rotating as expiration approaches and returning the current cert/key pair. If you aren't going to use certs and keys, you wouldn't be using the CertificateManager, which is only designed for managing cert/key pairs.

There is already a CertificateSigningRequestInterface in this struct, it's the first member.

I see the comments for these two members are incorrect and may have mislead you. I'll update it. The bootstrap cert/key pair are the data returned from the certificate manager if the Store doesn't currently have any cert/key pairs to return.

Public setters leave a bad taste in my mouth.

It's an awkward situation alright. Since the manager uses the REST client to do rotations, I need the REST client to initialize the manager, and I need the manager to supply the keys to initialize the REST client.

Client GetCertificate is not supported until go1.8. Any suggestions pretaining to how to do this with the kube client? I'd like to point out that this is an experimantal flag and rotations event frequency is very low (O(months)).

tlsConfig can be nil if no customizations were required. in that case you should initialize to an empty one.

Done.

these are different than what you would have gotten otherwise: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/transport/cache.go#L67

it's hard to tell how important the differences are

add a TODO to reconcile the defaults here with the defaults you'd get from calling restclient.TransportFor(config)

Updated to match.

empty CAFile as well

Done.

if clientConfig already has a Transport set, return an error

Done.

should return &tls.Certificate{Certificate:nil}, nil in this case, right? we don't want to abort the handshake, we just don't have a client certificate to return

From the godoc:

If GetClientCertificate returns an error, the handshake will be aborted and that error will be returned. Otherwise GetClientCertificate must return a non-nil Certificate. If Certificate.Certificate is empty then no certificate will be sent to the server.

Sounds good to me. Done.