- Kubeadm: during execution of the "check expiration" command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by the etcd CA. Additionally, make sure that the CA for all...

- Updated the control plane's trust anchor publisher to create and manage a new ClusterTrustBundle object, associated with the `kubernetes.io/kube-apiserver-serving` X.509 certificate signer. This ClusterTrustBundle contains a PEM bundle in its payload that you can use to verify kube-apiserver serving certificates. ([#127326](https://github.com/kubernetes/kubernetes/pull/127326), [@stlaz](https://github.com/stlaz)) [SIG API Machinery, Apps, Auth, Cluster Lifecycle and Testing]

- Fix an error when using external etcd but storing etcd certificates in the same folder with the same name used by kubeadm for local etcd certificates; for an older version of kubeadm, the workaround is to avoid file name used by kubeadm for local etcd. ([#80867](https://github.com/kubernetes/kubernetes/pull/80867), [@fabriziopandini](https://github.c...

- Kubeadm: removed the restriction that the `ca.crt` can only contain one certificate. If there is more than one certificate in the `ca.crt` file, kubeadm will pick the first one by default. ([#107327](https://github.com/kubernetes/kubernetes/pull/107327), [@SataQiu](https://github.com/SataQiu))

- Fixes an issue where the vsphere cloud provider will not trust a certificate if:
  - The issuer of the certificate is unknown (x509.UnknownAuthorityError)
  - The requested name does not match the set of authorized names (x509.HostnameError)

# Search Engine

# The type of search engine backend (e.g., default, opensearch).
search_engine.type=default
# The URL of the search engine HTTP endpoint.
search_engine.http.url=http://localhost:9201
# Path to SSL certificate authorities for secure HTTP connections.
search_engine.http.ssl.certificate_authorities=
# Username for authenticating to the search engine.
search_engine.username=
# Password for authenticating to the search engine.

- Kubeadm: make etcd pod request 100m CPU,...

Maintenant, du point de vue d'un développeur, voici plusieurs choses à avoir en tête en pensant au HTTPS :

* Pour le HTTPS, le serveur a besoin de "certificats" générés par une tierce partie.
    * Ces certificats sont en fait acquis auprès de la tierce partie, et non "générés".
* Les certificats ont une durée de vie.
    * Ils expirent.
    * Puis ils doivent être renouvelés et acquis à nouveau auprès de la tierce partie.

- Fixes an issue where the vsphere cloud provider will not trust a certificate if:
  - The issuer of the certificate is unknown (x509.UnknownAuthorityError)
  - The requested name does not match the set of authorized names (x509.HostnameError)

    <glob pattern="*.acc"/>
  </mime-type>
  <mime-type type="application/vnd.amiga.ami">
    <glob pattern="*.ami"/>
  </mime-type>
  <mime-type type="application/vnd.anser-web-certificate-issue-initiation">
    <glob pattern="*.cii"/>
  </mime-type>
  <mime-type type="application/vnd.anser-web-funds-transfer-initiation">
    <glob pattern="*.fti"/>
  </mime-type>