Merge pull request #114367 from liggitt/kubelet-csr-init

Check for initial kubelet certificates more frequently

pkg/kubelet/certificate/transport.go

@@ -22,6 +22,8 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"sync"
+	"sync/atomic"
 	"time"
 
 	"k8s.io/klog/v2"
@@ -97,7 +99,16 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 
 	lastCertAvailable := time.Now()
 	lastCert := clientCertificateManager.Current()
-	go wait.Until(func() {
+
+	var hasCert atomic.Bool
+	hasCert.Store(lastCert != nil)
+
+	checkLock := &sync.Mutex{}
+	checkNewCertificateAndRotate := func() {
+		// don't run concurrently
+		checkLock.Lock()
+		defer checkLock.Unlock()
+
 		curr := clientCertificateManager.Current()
 
 		if exitAfter > 0 {
@@ -131,6 +142,7 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 			return
 		}
 		lastCert = curr
+		hasCert.Store(lastCert != nil)
 
 		klog.InfoS("Certificate rotation detected, shutting down client connections to start using new credentials")
 		// The cert has been rotated. Close all existing connections to force the client
@@ -138,7 +150,18 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 		//
 		// See: https://github.com/kubernetes-incubator/bootkube/pull/663#issuecomment-318506493
 		d.CloseAll()
-	}, period, stopCh)
+	}
+
+	// start long-term check
+	go wait.Until(checkNewCertificateAndRotate, period, stopCh)
+
+	if !hasCert.Load() {
+		// start a faster check until we get the initial certificate
+		go wait.PollUntil(time.Second, func() (bool, error) {
+			checkNewCertificateAndRotate()
+			return hasCert.Load(), nil
+		}, stopCh)
+	}
 
 	clientConfig.Transport = utilnet.SetTransportDefaults(&http.Transport{
 		Proxy:               http.ProxyFromEnvironment,