"application/pics-rules",
				"application/pidf+xml",
				"application/pidf-diff+xml",
				"application/pkcs10",
				"application/pkcs7-mime",
				"application/pkcs7-signature",
				"application/pkix-cert",
				"application/pkix-crl",
				"application/pkix-pkipath",
				"application/pkixcmp",
				"application/pls+xml",
				"application/poc-settings+xml",
				"application/postscript",

* genericapiserver: cut off certificates api dependency ([#39947](https://github.com/kubernetes/kubernetes/pull/39947), [@sttts](https://github.com/sttts))
* genericapiserver: extract CA cert from server cert and SNI cert chains ([#39022](https://github.com/kubernetes/kubernetes/pull/39022), [@sttts](https://github.com/sttts))

* kubeadm: add back `--cert-dir` option for `kubeadm init phase certs sa` ([#73239](https://github.com/kubernetes/kubernetes/pull/73239), [@mattkelly](https://github.com/mattkelly))

- The CSR signing cert/key pairs will be reloaded from disk like the kube-apiserver cert/key pairs ([#86816](https://github.com/kubernetes/kubernetes/pull/86816), [@deads2k](https://github.com/deads2k)) [SIG API Machinery, Apps and Auth]

equality-based selector in 1.1).
  * Running against a secured etcd requires these flags to be passed to
kube-apiserver (instead of --etcd-config):
     * --etcd-certfile, --etcd-keyfile (if using client cert auth)
     * --etcd-cafile (if not using system roots)
  * As part of preparation in 1.2 for adding support for protocol buffers (and the
direct YAML support in the API available today), the Content-Type and Accept

    * 証明書の更新を自動的に処理 ✨
* Caddy
    * 証明書の更新を自動的に処理 ✨
* Nginx
    * 証明書更新のためにCertbotのような外部コンポーネントを使用
* HAProxy
    * 証明書更新のためにCertbotのような外部コンポーネントを使用
* Nginx のような Ingress Controller を持つ Kubernetes
    * 証明書の更新に cert-manager のような外部コンポーネントを使用
* クラウド・プロバイダーがサービスの一部として内部的に処理（下記を参照👇）

もう1つの選択肢は、HTTPSのセットアップを含んだより多くの作業を行う**クラウド・サービス**を利用することです。 このサービスには制限があったり、料金が高くなったりする可能性があります。しかしその場合、TLS Termination Proxyを自分でセットアップする必要はないです。

    <glob pattern="*.webarchive"/>
  </mime-type>

  <mime-type type="application/x-x509-cert">
    <alias type="application/x-x509-ca-cert"/>
    <alias type="application/x-x509-user-cert"/>
    <glob pattern="*.crt"/>
  </mime-type>
  <mime-type type="application/x-x509-cert;format=pem">
    <sub-class-of type="application/x-x509-cert"/>
    <glob pattern="*.pem"/>
    <magic priority="50">

import java.net.SocketTimeoutException
import java.net.URI
import java.net.URLConnection
import java.net.UnknownHostException
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import java.time.Duration
import java.util.Arrays
import java.util.EnumSet
import java.util.Locale
import java.util.concurrent.TimeUnit

tes/pull/57902), [@kawych](https://github.com/kawych))

* On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS. This includes the etcd serving cert, the etcd peer cert, and the apiserver etcd client cert. Flags and hostMounts are added to the etcd and apiserver static-pods to load these certs. For connections to etcd, https is now used in favor of http. ([#57415](https://github.com/kubernetes/kubernetes/pull/57415),...

credentials in the certificates directory as `kubelet-client.key` and `kubelet-client.crt`.  Subsequent certificates created by cert rotation were created in a combined PEM file that was atomically rotated as `kubelet-client-DATE.pem` in that directory, which meant clients relying on the `node.kubeconfig` generated by bootstrapping would never use a rotated cert.  The initial bootstrap certificate is now generated into the cert directory as a PEM file and symlinked to `kubelet-client-current.pem` so that...