It is cleared out at reboot.
It appears that only the file-name part of --tls-cert-file /
--tls-private-key-file is used and that the path is taken from
--cert-dir (which defaults to /var/run/kubernetes), so to make the path
stick we also add a --cert-dir