From 3ace3eb74b4a837b5eb3828a7de7eb7aac1d87fc Mon Sep 17 00:00:00 2001
From: Paco Xu <paco.xu@daocloud.io>
Date: Wed, 3 Aug 2022 16:39:55 +0800
Subject: [PATCH] certificates default to tolerate no key encipherment

---
 pkg/apis/certificates/v1beta1/defaults.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/certificates/v1beta1/defaults.go b/pkg/apis/certificates/v1beta1/defaults.go
index 4781c8f341b..ea86453f12e 100644
--- a/pkg/apis/certificates/v1beta1/defaults.go
+++ b/pkg/apis/certificates/v1beta1/defaults.go
@@ -56,9 +56,9 @@ func DefaultSignerNameFromSpec(obj *certificatesv1beta1.CertificateSigningReques
 		// Set the signerName to 'legacy-unknown' as the CSR could not be
 		// recognised.
 		return certificatesv1beta1.LegacyUnknownSignerName
-	case IsKubeletClientCSR(csr, obj.Usages, false):
+	case IsKubeletClientCSR(csr, obj.Usages, true):
 		return certificatesv1beta1.KubeAPIServerClientKubeletSignerName
-	case IsKubeletServingCSR(csr, obj.Usages, false):
+	case IsKubeletServingCSR(csr, obj.Usages, true):
 		return certificatesv1beta1.KubeletServingSignerName
 	default:
 		return certificatesv1beta1.LegacyUnknownSignerName