kubeadm do not rotate kubelet certificate on master nodes

[LuckySB]

FEATURE REQUEST

Versions

kubeadm version
v1.15.0 and above

What happened?

Kubeadm upgrade do not rotate kubelet certificate on master nodes.
On these nodes, the certificate is in /etc/kubernetes/kubelet.conf

and when updating the cluster it is also necessary to rotate it as control plane certificates in
controller-manager.conf and scheduler.conf

[neolit123]

the contents of the /etc/kubernetes/kubelet.conf on the primary CP node (the one where you called init) and the secondary ones, those that joined later are different.

for the primary we do not support rotation currently and that's a bug tracked here:
#1753

what are the contents of the kubelet.conf on secondary nodes in your case?

[neolit123]

also as can be seen here kubeadm should be able to rotate the .conf certs on upgrade:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#check-certificate-expiration

bug there is another bug where you have to pass --certificate-renewal:
#1818

[LuckySB]

the contents of the /etc/kubernetes/kubelet.conf on the primary CP node (the one where you called init) and the secondary ones, those that joined later are different.

You are right, this is my mistake, the bootstrap TLS procedure is used on the added control plane nodes.

for the primary we do not support rotation currently and that's a bug tracked here:
#1753

my fix. Rotate kublet certificate on primary CP node by command
kubeadm alpha kubeconfig user --client-name system:node:master-1.domain.tld --org system:nodes >kubelet.conf

Looking forward to accepting kubernetes/kubernetes#83339