From e86bdf58014c0df56045ad4bf6ab86ce132560b4 Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Mon, 30 Apr 2018 15:16:22 -0700
Subject: [PATCH] gce: plumb --kubelet-certificate-authority flag to apiserver

We want to start signing kubelets' serving certs with cluster CA. This flag is required to enforce that on apiserver side.
---
 cluster/gce/gci/configure-helper.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index c007c0434a8..37f3f6044f4 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1583,6 +1583,9 @@ function start-kube-apiserver {
 if [[ "${ENABLE_APISERVER_LOGS_HANDLER:-}" == "false" ]]; then
 params+=" --enable-logs-handler=false"
 fi
+ if [[ -n "${APISERVER_KUBELET_CA:-}" ]]; then
+ params+=" --kubelet-certificate-authority=${APISERVER_KUBELET_CA}"
+ fi
 local admission_controller_config_mount=""
 local admission_controller_config_volume=""
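Review bot: The new `if` block in start-kube-apiserver makes `APISERVER_KUBELET_CA` opt-in and says nothing about the unset case, where the apiserver keeps connecting to kubelets without verifying their serving certificates; a comment above the block should state that, e.g. `# CA bundle path used to verify kubelet serving certs; if unset, apiserver->kubelet TLS is not verified.` The value is a file path that has to be readable from inside the apiserver container, and the hunk shows neither an existence check nor a mount for it, so a path outside the directories already mounted into the pod would presumably only surface when the apiserver starts or first dials a kubelet. If the script runs where that path is visible, a guard such as `[[ -r "${APISERVER_KUBELET_CA}" ]] || echo "kubelet CA ${APISERVER_KUBELET_CA} not readable" >&2` would catch it earlier. The function body continues outside the hunk, so the mount handling may already exist there.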