enable kubelet client certificate rotation (#4081)

* enable kubelet client certificate rotation

* change to variable kubelet_rotate_certificates

docs/vars.md

@@ -113,6 +113,8 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
 * *kubelet_cgroup_driver* - Allows manual override of the
   cgroup-driver option for Kubelet. By default autodetection is used
   to match Docker configuration.
+* *kubelet_rotate_certificates* - Auto rotate the kubelet client certificates by requesting new certificates 
+  from the kube-apiserver when the certificate expiration approaches.
 * *node_labels* - Labels applied to nodes via kubelet --node-labels parameter.
   For example, labels can be set in the inventory as variables or more widely in group_vars.
   *node_labels* must be defined as a dict:

roles/kubernetes/node/templates/kubelet.kubeadm.env.j2

@@ -28,6 +28,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 {% endif %}
 --enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} \
 --client-ca-file={{ kube_cert_dir }}/ca.crt \
+{% if kubelet_rotate_certificates %}
+--rotate-certificates \
+{% endif %}
 --pod-manifest-path={{ kube_manifest_dir }} \
 {% if kube_version is version('v1.12.0', '<') %}
 --cadvisor-port={{ kube_cadvisor_port }} \

roles/kubespray-defaults/defaults/main.yaml

@@ -308,6 +308,10 @@ kubelet_authentication_token_webhook: true
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
 kubelet_authorization_mode_webhook: false
 
+# kubelet uses certificates for authenticating to the Kubernetes API
+# Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
+kubelet_rotate_certificates: true
+
 ## v1.11 feature
 feature_gate_v1_11:
   - "PersistentLocalVolumes={{ local_volume_provisioner_enabled | string }}"