"certChain": []
    },
    {
      "identity": "spiffe://cluster.local/ns/istio-system/sa/istiod",
      "state": "Unavailable: signing gRPC error (The service is currently unavailable): error trying to connect: TLS handshake failed: cert verification failed - unable to get local issuer certificate [CERTIFICATE_VERIFY_FAILED]",
      "certChain": []
    }
  ]

	"github.com/minio/minio/internal/config/identity/openid"
	idplugin "github.com/minio/minio/internal/config/identity/plugin"
	xtls "github.com/minio/minio/internal/config/identity/tls"
	"github.com/minio/minio/internal/config/policy/opa"
	polplugin "github.com/minio/minio/internal/config/policy/plugin"
	xhttp "github.com/minio/minio/internal/http"
	"github.com/minio/minio/internal/jwt"

	}

	s.adm, err = madmin.New(s.endpoint, s.accessKey, s.secretKey, s.secure)
	if err != nil {
		c.Fatalf("error creating admin client: %v", err)
	}
	// Set transport, so that TLS is handled correctly.
	s.adm.SetCustomTransport(s.TestSuiteCommon.client.Transport)

	s.client, err = minio.New(s.endpoint, &minio.Options{
		Creds:     credentials.NewStaticV4(s.accessKey, s.secretKey, ""),

Также мы заметили, что обычно для работы с HTTPS вашему приложению нужен **дополнительный** компонент - **прокси-сервер завершения работы TLS**.

И если прокси-сервер не умеет сам **обновлять сертификаты HTTPS**, то нужен ещё один компонент для этого действия.

### Примеры инструментов для работы с HTTPS

Extensions API group): Kubernetes can schedule a service (such as a logging
agent) that runs one, and only one, pod per node.
     * TLS and L7 support (Ingress API (Beta) in the Extensions API group): Kubernetes
is now easier to integrate into custom networking environments by supporting
TLS for secure communication and L7 http-based traffic routing.
     * Graceful Node Shutdown (aka drain) - The new “kubectl drain” command gracefully

   * http://code.google.com/p/android/issues/detail?id=38817
   */
  private fun testClientConfiguredGzipContentEncodingAndConnectionReuse(
    transferKind: TransferKind,
    tls: Boolean,
  ) {
    if (tls) {
      val socketFactory = handshakeCertificates.sslSocketFactory()
      val hostnameVerifier = RecordingHostnameVerifier()
      server.useHttps(socketFactory)
      client =

   * long, streams created while we await the pong will reuse broken connections and inevitably
   * fail. If it is too short, slow connections will be marked as failed and extra TCP and TLS
   * handshakes will be required.
   *
   * The deadline is currently hardcoded. We may make this configurable in the future!
   */
  internal fun sendDegradedPingLater() {
    this.withLock {

pkg crypto/tls, const TLS_RSA_WITH_AES_128_CBC_SHA uint16
pkg crypto/tls, const TLS_RSA_WITH_RC4_128_SHA uint16
pkg crypto/tls, const VerifyClientCertIfGiven ClientAuthType
pkg crypto/tls, func Client(net.Conn, *Config) *Conn
pkg crypto/tls, func Dial(string, string, *Config) (*Conn, error)
pkg crypto/tls, func Listen(string, string, *Config) (net.Listener, error)

    * --boot_id_file
    * --container_hints
    * --containerd
    * --docker
    * --docker_env_metadata_whitelist
    * --docker_only
    * --docker-tls
    * --docker-tls-ca
    * --docker-tls-cert
    * --docker-tls-key
    * --enable_load_reader
    * --event_storage_age_limit
    * --event_storage_event_limit
    * --global_housekeeping_interval
    * --google-json-key

* `kubeadm join` is now blocking on the kubelet performing the TLS Bootstrap properly. Earlier, `kubeadm join` only did the discovery part and exited successfully without checking that the kubelet actually started properly and performed the TLS bootstrap correctly. Now, as kubeadm runs some post-join steps (for example, annotating the Node API object with the CRISocket), `kubeadm join` is now waiting for the kubelet to perform the TLS Bootstrap, and then uses that credential to perform further actions....