* Allows extension API server to dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for it's clients ([#66394](https://github.com/kubernetes/kubernetes/pull/66394), [@rtripat](https://github.com/rtripat))



# v1.11.2

				"application/x-uc2-compressed",
				"application/x-ustar",
				"application/x-vmdk",
				"application/x-wais-source",
				"application/x-webarchive",
				"application/x-x509-ca-cert",
				"application/x-xfig",
				"application/x-xpinstall",
				"application/x-xmind",
				"application/x-xz",
				"application/x-zoo",
				"application/x400-bp",
				"application/xcap-att+xml",

- Kubeadm: during execution of the "check expiration" command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by...

- Kubeadm: warn but do not error out on missing "ca.key" files for root CA, front-proxy CA and etcd CA, during "kubeadm join --control-plane" if the user has provided all certificates, keys and kubeconfig files which require signing with the given CA keys. ([#94988](https://github.com/kubernetes/kubernetes/pull/94988),...

	return testServer
}

// testServerCertPEM and testServerKeyPEM are generated by
//  https://golang.org/src/crypto/tls/generate_cert.go
//    $ go run generate_cert.go -ca --host 127.0.0.1
// The generated certificate contains IP SAN, that way we don't need
// to enable InsecureSkipVerify in TLS config

// Starts the test server and returns the TestServer with TLS configured instance.

053D          ; mapped                 ; 056D          # 1.1  ARMENIAN CAPITAL LETTER XEH
053E          ; mapped                 ; 056E          # 1.1  ARMENIAN CAPITAL LETTER CA
053F          ; mapped                 ; 056F          # 1.1  ARMENIAN CAPITAL LETTER KEN
0540          ; mapped                 ; 0570          # 1.1  ARMENIAN CAPITAL LETTER HO

- The extension API server can now dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for it's clients. ([#66394](https://github.com/kubernetes/kubernetes/pull/66394), [@rtripat](https://github.com/rtripat))

### SIG Autoscaling

* genericapiserver: cut off certificates api dependency ([#39947](https://github.com/kubernetes/kubernetes/pull/39947), [@sttts](https://github.com/sttts))
* genericapiserver: extract CA cert from server cert and SNI cert chains ([#39022](https://github.com/kubernetes/kubernetes/pull/39022), [@sttts](https://github.com/sttts))

- The DynamicKubeletConfig and SelfHosting functionality was moved outside of `kubeadm init` and feature gates and is now exposed under `kubeadm alpha`.
- Kubeadm init phase certs now support the `--csr-only` option, simplifying custom CA creation.
- `kubeadm join --experimental-control-plane` now automatically adds a new etcd member for `local etcd` mode, further simplifying required tasks for HA clusters setup.

</tr>
<tr>
<td height="26" style="height:26;padding:0;margin:0;line-height:1px;font-size:1px;"></td>
</tr>
</tbody>
</table>
<!--//////////////////////////////////////////////--> </td>