Check for initial kubelet certificates more frequently

2025-07-23 03:41:45 +00:00 · 2022-12-08 08:57:45 -05:00 · 2022-12-08 08:57:45 -05:00 · 933494ab8d
commit 933494ab8d
parent 4db6bde859
1 changed files with 25 additions and 2 deletions
--- a/pkg/kubelet/certificate/transport.go
+++ b/pkg/kubelet/certificate/transport.go
@ -22,6 +22,8 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"sync"
+	"sync/atomic"
 	"time"

 	"k8s.io/klog/v2"
@ -97,7 +99,16 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig

 	lastCertAvailable := time.Now()
 	lastCert := clientCertificateManager.Current()
-	go wait.Until(func() {
+
+	var hasCert atomic.Bool
+	hasCert.Store(lastCert != nil)
+
+	checkLock := &sync.Mutex{}
+	checkNewCertificateAndRotate := func() {
+		// don't run concurrently
+		checkLock.Lock()
+		defer checkLock.Unlock()
+
 		curr := clientCertificateManager.Current()

 		if exitAfter > 0 {
@ -131,6 +142,7 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 			return
 		}
 		lastCert = curr
+		hasCert.Store(lastCert != nil)

 		klog.InfoS("Certificate rotation detected, shutting down client connections to start using new credentials")
 		// The cert has been rotated. Close all existing connections to force the client
@ -138,7 +150,18 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 		//
 		// See: https://github.com/kubernetes-incubator/bootkube/pull/663#issuecomment-318506493
 		d.CloseAll()
-	}, period, stopCh)
+	}
+
+	// start long-term check
+	go wait.Until(checkNewCertificateAndRotate, period, stopCh)
+
+	if !hasCert.Load() {
+		// start a faster check until we get the initial certificate
+		go wait.PollUntil(time.Second, func() (bool, error) {
+			checkNewCertificateAndRotate()
+			return hasCert.Load(), nil
+		}, stopCh)
+	}

 	clientConfig.Transport = utilnet.SetTransportDefaults(&http.Transport{
 		Proxy:               http.ProxyFromEnvironment,