Validate kubelet serving cert CN via host rewrite and DialTLSContext

[enj]

/kind feature
/triage accepted
/sig auth
/milestone v1.34

TODO

TODO

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: enj
Once this PR has been reviewed and has the lgtm label, please assign dchen1107 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• cmd/kube-apiserver/OWNERS
• cmd/kubeadm/OWNERS
• hack/OWNERS [enj]
• pkg/kubelet/OWNERS
• pkg/registry/core/node/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@enj: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubernetes-linter-hints	fd49b05	link	false	/test pull-kubernetes-linter-hints
pull-kubernetes-unit	fd49b05	link	true	/test pull-kubernetes-unit
pull-kubernetes-e2e-kind-ipv6	fd49b05	link	true	/test pull-kubernetes-e2e-kind-ipv6
pull-kubernetes-conformance-kind-ga-only-parallel	fd49b05	link	true	/test pull-kubernetes-conformance-kind-ga-only-parallel
pull-kubernetes-e2e-kind	fd49b05	link	true	/test pull-kubernetes-e2e-kind
pull-kubernetes-integration	fd49b05	link	true	/test pull-kubernetes-integration
pull-kubernetes-verify	fd49b05	link	true	/test pull-kubernetes-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[liggitt]

I don't love relying on this to get a unique transport without a test ... at least unit test this results in two distinct underlying http.Transport objects when set

edit: ha, just noticed you literally have a TODO to add a unit test for this

also, if you want to avoid trying to support HTTP_PROXY / HTTPS_PROXY in combination with this (since egress selector is available), you could set this to a no-op no-proxy function (just return nil always)

also, I think we only need to do this when config.TLSClientConfig.ValidateNodeName is set

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sarthaksarthak9]

Hello @enj,

This PR has not seen updates for about 1.5 months since the last activity in early May, and it currently needs a rebase along with multiple failing tests. I’d like to check what’s the current status or if there’s anything we can do to help move this forward.

The code freeze for the 1.34 release starts at 02:00 UTC on Friday, 25th July 2025 (about 3 weeks from now). Please make sure this PR has both /lgtm and /approve labels, and that merge conflicts and test failures are resolved before the code freeze.

Thanks!

[sarthaksarthak9]

👋 Hello!
Appreciate all of your efforts with this PR to validate kubelet serving cert CN via host rewrite and DialTLSContext! Is the plan still to resolve it for the v1.34 release?

If so, a gentle reminder that the code freeze will start at 02:00 UTC Friday 25th July 2025 . Please make sure any PRs have both lgtm and approved labels ASAP, and file an Exception if you think this PR needs additional time.
Thanks!

Thanks!

[jenshu]

As code freeze has passed, I'm removing this from the 1.34 milestone.

/milestone clear