Production microk8s certificate best practices?

At a high level, I am trying to figure out best practices for certificates when using microk8s in a “production style” setup.

One area of concern is the use of a CA key on a live machine. I was only able to find a few small sections on how microk8s handles certificates and it didn’t sound like there was much room for flexibility here.

There is one sentence that explains you can provide your own CA cert and key in the refresh-certs documentation. But that still implies running from a live machine (which I do not want to do).

For example when configuring my OpenVPN TLS auth I generated the CA and all identities in an offline airgapped PC and only copied the final identities and public certs to their end destinations. At no point was the CA key ever exposed or needed outside of this airgapped machine.

Based on what I can find it seems like this approach is not really supported by microk8s?

Can I still use microk8s but just do all my cert setup manually? If so, which microk8s commands and functionality might be impacted? Obviously refresh-certs would not work but is there anything else? And where should I put all my individual certs if I’m not relying on the refresh-certs command to do everything automagically for me?

Or am I being paranoid and causing more work for myself by wanting to have my CA airgapped? My understanding is that is the most secure practice for managing a CA. Maybe I am being crazy and there is a good reason I can’t find any microk8s docs around this issue?

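As an added illustration of the airgapped-CA workflow described in the post above (example code, not from this thread or from the microk8s project): the CA key stays in an offline directory, each component generates its own private key and a CSR on the node, only the CSR travels to the offline CA, and only the signed certificate plus the public CA certificate travel back. It assumes `openssl` is installed; the CA name, component name, SAN list and the `WORK` directory layout are constructed for the example, and the CSR signing pattern is a general X.509 practice rather than anything microk8s-specific.

```shell
#!/bin/sh
# Two-stage CSR workflow that never moves the CA private key off the
# offline host. Stage "offline-ca" = airgapped machine; stage "node" =
# the cluster machine. Constructed example: names, SANs and paths are
# placeholders, not microk8s defaults.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Offline host: create the CA once. ca.key stays in this directory.
make_ca() {
  mkdir -p "$WORK/offline-ca"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=example-cluster-ca" \
    -keyout "$WORK/offline-ca/ca.key" \
    -out "$WORK/offline-ca/ca.crt" 2>/dev/null
}

# Node: generate its own private key and a CSR for a component
# (e.g. kube-apiserver). The node key never leaves the node either.
make_node_csr() {
  name="$1"
  mkdir -p "$WORK/node"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" \
    -keyout "$WORK/node/$name.key" \
    -out "$WORK/node/$name.csr" 2>/dev/null
}

# Offline host: sign the CSR, adding the SANs and usages the component
# needs. SANs are passed as one string, e.g. "DNS:kubernetes,IP:10.0.0.1".
# The CSR is the only thing that had to be carried in from the node.
sign_csr() {
  name="$1"; sans="$2"
  ext="$WORK/offline-ca/$name.ext"
  printf 'subjectAltName=%s\n' "$sans" > "$ext"
  printf 'basicConstraints=CA:FALSE\n' >> "$ext"
  printf 'keyUsage=digitalSignature,keyEncipherment\n' >> "$ext"
  printf 'extendedKeyUsage=serverAuth,clientAuth\n' >> "$ext"
  openssl x509 -req -sha256 -days 365 \
    -in "$WORK/node/$name.csr" \
    -CA "$WORK/offline-ca/ca.crt" -CAkey "$WORK/offline-ca/ca.key" \
    -CAcreateserial -extfile "$ext" \
    -out "$WORK/node/$name.crt" 2>/dev/null
  # Only the public CA cert is copied back alongside the signed cert.
  cp "$WORK/offline-ca/ca.crt" "$WORK/node/ca.crt"
}

# Anyone holding only the public ca.crt can check the chain.
verify_cert() {
  openssl verify -CAfile "$WORK/node/ca.crt" "$WORK/node/$1.crt" >/dev/null 2>&1
}

# Check that a given DNS SAN made it into the issued certificate.
san_present() {
  openssl x509 -in "$WORK/node/$1.crt" -noout -text | grep -q "DNS:$2"
}

# Check that nothing copied the CA private key onto the node side.
node_has_no_ca_key() {
  [ ! -e "$WORK/node/ca.key" ]
}

# Full round trip for one component.
demo() {
  make_ca
  make_node_csr kube-apiserver
  sign_csr kube-apiserver "DNS:kubernetes,DNS:kubernetes.default.svc,IP:10.0.0.1"
  verify_cert kube-apiserver
  san_present kube-apiserver kubernetes
  node_has_no_ca_key
}
```

Run `demo` and inspect `$WORK/node`: it holds the component key, its CSR, the signed cert and `ca.crt`, while `ca.key` exists only under `$WORK/offline-ca`. Where a Kubernetes distribution expects to find each resulting file is distribution-specific and is exactly the documentation gap the thread is asking about.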

Guess I’ll just use full kubernetes and no microk8s. I’ll probably learn more that way anyway.

As an example, this kubeadm page documents exactly what I was asking about. It seems like microk8s is missing an equivalent piece of documentation.

I will probably try to move forward with kubeadm.

Hi. I can understand your frustration.
Unless I did not get what you are trying to achieve, can you also try this: https://microk8s.io/docs/addon-cert-manager

I appreciate the suggestion. Unfortunately I don’t think cert-manager is quite what I’m looking for.

I’m trying to manage the internal certificates used by the different kubernetes components (kubelet, etcd, kube-apiserver) to authenticate with each other. These are the certificates managed by the microk8s refresh-certs command that I linked to in my original post.

AFAIK cert-manager is more about the certificates used by endpoints to establish trust via a third party CA (like Let’s Encrypt). I will eventually need cert-manager, but I haven’t got that far yet.