diff --git a/staging/src/k8s.io/client-go/transport/cache.go b/staging/src/k8s.io/client-go/transport/cache.go
index 5fe768ed5ec..214f0a79cf0 100644
--- a/staging/src/k8s.io/client-go/transport/cache.go
+++ b/staging/src/k8s.io/client-go/transport/cache.go
@@ -36,6 +36,11 @@ type tlsTransportCache struct {
 	transports map[tlsCacheKey]*http.Transport
 }
 
+// DialerStopCh is stop channel that is passed down to dynamic cert dialer.
+// It's exposed as variable for testing purposes to avoid testing for goroutine
+// leakages.
+var DialerStopCh = wait.NeverStop
+
 const idleConnsPerHost = 25
 
 var tlsCache = &tlsTransportCache{transports: make(map[tlsCacheKey]*http.Transport)}
@@ -101,7 +106,7 @@ func (c *tlsTransportCache) get(config *Config) (http.RoundTripper, error) {
 		dynamicCertDialer := certRotatingDialer(tlsConfig.GetClientCertificate, dial)
 		tlsConfig.GetClientCertificate = dynamicCertDialer.GetClientCertificate
 		dial = dynamicCertDialer.connDialer.DialContext
-		go dynamicCertDialer.Run(wait.NeverStop)
+		go dynamicCertDialer.Run(DialerStopCh)
 	}
 
 	proxy := http.ProxyFromEnvironment
diff --git a/test/integration/client/cert_rotation_test.go b/test/integration/client/cert_rotation_test.go
index 282ddf17c73..44089b91128 100644
--- a/test/integration/client/cert_rotation_test.go
+++ b/test/integration/client/cert_rotation_test.go
@@ -46,6 +46,7 @@ func TestCertRotation(t *testing.T) {
 	defer close(stopCh)
 
 	transport.CertCallbackRefreshDuration = 1 * time.Second
+	transport.DialerStopCh = stopCh
 
 	certDir := os.TempDir()
 	clientCAFilename, clientSigningCert, clientSigningKey := writeCACertFiles(t, certDir)
@@ -103,6 +104,7 @@ func TestCertRotationContinuousRequests(t *testing.T) {
 	defer close(stopCh)
 
 	transport.CertCallbackRefreshDuration = 1 * time.Second
+	transport.DialerStopCh = stopCh
 
 	certDir := os.TempDir()
 	clientCAFilename, clientSigningCert, clientSigningKey := writeCACertFiles(t, certDir)