Notes for TLS authentication
Since v3.2.0, TLS certificates get reloaded on every client connection. This is useful when replacing expiry certs without stopping etcd servers; it can be done by overwriting old certs with new ones. Refreshing certs for every connection should not have too much overhead, but can be improved in the future, with caching layer. Example tests can be found here.
Hi, team
We use ETCD 3.3.17-0 with k8s v1.16.2.
For a k8s cluster with local or external ETCD by kubeadm, `kubeadm certs renew` can renew the following certs for etcd. Is there a need to restart the etcd pod? It seems it is not needed any more with the code change by Certificate Rotation #7576.
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/etcd/peer.crt
/etc/kubernetes/pki/etcd/server.crt
Certificate Rotation #7576
Documentation: explain TLS changes #8798
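
The per-connection reload described in the quoted TLS note can be reproduced with Go's `tls.Config.GetCertificate` callback. This is an added example, not code from the issue or from etcd; the temp directory, the `server.crt`/`server.key` file names, the serial numbers 1 and 2 and the loopback listener are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"time"
)

// writePair overwrites dir/server.{crt,key} with a constructed self-signed pair.
func writePair(dir string, serial int64) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	kb, _ := x509.MarshalPKCS8PrivateKey(priv)
	os.WriteFile(dir+"/server.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
	os.WriteFile(dir+"/server.key", pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kb}), 0o600)
}

// RotationDemo returns the serial a listener serves before and after its files are overwritten.
func RotationDemo() (before, after int64) {
	dir, _ := os.MkdirTemp("", "pki")
	defer os.RemoveAll(dir)
	writePair(dir, 1)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		c, err := tls.LoadX509KeyPair(dir+"/server.crt", dir+"/server.key") // re-read on every handshake
		return &c, err
	}})
	defer ln.Close()
	go http.Serve(ln, nil) // completes the TLS handshake on each accepted connection
	served := func() int64 { // serial of the cert presented to a new client connection
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true}) // self-signed demo cert
		if err != nil {
			return -1
		}
		defer c.Close()
		return c.ConnectionState().PeerCertificates[0].SerialNumber.Int64()
	}
	before = served()
	writePair(dir, 2) // "renewal": same paths, listener keeps running
	return before, served()
}

func main() { fmt.Println(RotationDemo()) }
```

The demo covers only the serving side. It also rewrites the certificate and key one after the other, so a handshake that lands between the two writes would fail to load a matching pair.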