A self-signed CA is created by MicroK8s at install time. Starting from the 1.19 release, it is possible to refresh that CA with an auto-generated one or to configure Kubernetes to use a user-provided one. This functionality is provided via the microk8s refresh-certs command.
Using the refresh-certs command
- To provide your own CA:
sudo microk8s refresh-certs ./ca-path/
The ca-path above is the directory containing the two files ca.crt and ca.key.
- To let MicroK8s replace the CA with an auto-generated one:
sudo microk8s refresh-certs
- To undo the last operation you can use the -u flag:
sudo microk8s refresh-certs -u
- To check the expiration time of the installed CA:
sudo microk8s refresh-certs -c
Known limitations
- An update of the CA should be made in a cluster without any workloads. Auxiliary certificates and credentials make use of the CA, so updating the CA in a live cluster will have unpredictable effects.
- In a multi-node setup, nodes will need to leave and rejoin the cluster in order for new certificates to properly propagate.
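As an added example (this is not MicroK8s code and not part of the original post), the pre-flight checks worth running on ca-path before handing it to refresh-certs: both files exist, ca.crt really is a CA certificate, ca.key is the private key for ca.crt, and the CA is not itself close to expiry. It assumes the openssl CLI is installed; the function names ca_precheck and make_sample_ca are my own, and the certificate make_sample_ca writes is constructed test data, not a cluster CA.

```shell
# Added example, not part of the MicroK8s docs or code base: pre-flight checks on a
# user-supplied CA directory before running `sudo microk8s refresh-certs <dir>`.
# Assumes the openssl CLI is installed; the directory layout (ca.crt + ca.key) is
# the one the refresh-certs command expects.

# ca_precheck DIR [MIN_DAYS]
# Returns 0 if DIR holds a usable CA: both files present, the certificate is a
# CA, the key matches the certificate, and it does not expire within MIN_DAYS.
ca_precheck() {
    dir=$1
    min_days=${2:-30}
    crt="$dir/ca.crt"
    key="$dir/ca.key"

    # 1. refresh-certs needs exactly these two files.
    if [ ! -f "$crt" ] || [ ! -f "$key" ]; then
        echo "ca_precheck: $dir must contain ca.crt and ca.key" >&2
        return 1
    fi

    # 2. A leaf certificate would be installed but could not sign anything.
    if ! openssl x509 -in "$crt" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "ca_precheck: ca.crt does not carry basicConstraints CA:TRUE" >&2
        return 1
    fi

    # 3. ca.key must be the private key for ca.crt: compare the public keys
    #    derived from each (works for RSA and EC keys alike).
    pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey)
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$pub_from_crt" ] || [ "$pub_from_crt" != "$pub_from_key" ]; then
        echo "ca_precheck: ca.key does not match ca.crt" >&2
        return 1
    fi

    # 4. Do not roll the cluster onto a CA that is itself about to expire.
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "ca_precheck: ca.crt expires within $min_days days" >&2
        return 1
    fi

    openssl x509 -in "$crt" -noout -subject -enddate
    return 0
}

# make_sample_ca DIR [CA_FLAG] [DAYS]
# Constructed test data: writes a throwaway self-signed certificate and key
# into DIR. CA_FLAG is CA:TRUE (default) or CA:FALSE, DAYS the validity period.
# An explicit config file is used so the result does not depend on the
# system openssl.cnf.
make_sample_ca() {
    dir=$1
    ca_flag=${2:-CA:TRUE}
    days=${3:-3650}
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = example-ca
[v3_ca]
basicConstraints = critical,$ca_flag
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Usage against a real directory (uncomment):
# ca_precheck ./ca-path/ 30 && sudo microk8s refresh-certs ./ca-path/
```

Chaining the check with && means refresh-certs only runs when the directory passes; the key-match test is the one that catches the common mistake of copying a regenerated ca.crt next to a stale ca.key.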
Thank you for your procedures.
I executed the refresh-certs command following your procedures.
There were various certificates at /var/snap/microk8s/current/certs.
I checked the certificates' expiry dates.
But only kubelet.crt was not changed.
As far as I know, kubelet.crt is rotated automatically by the apiserver on k8s.
But I can't find the configuration for kubelet.crt rotation on MicroK8s.
If you know about it, please let me know where the configuration of kubelet.crt is.
I need to explain the configuration of kubelet.crt to my client.
Best regards,
Canerbis.
I have found out how to renew kubelet.crt.
Check if kubelet.crt is expired:
echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep -A 2 Validity
Auto-rotate setting for kubelet.crt:
vi /var/snap/microk8s/current/args/kubelet
Add the 3 lines below:
--rotate-certificates=true
--rotate-server-certificates=true
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
microk8s stop; microk8s start
microk8s kubectl get csr
microk8s kubectl certificate approve <csr-name>
Check if kubelet.crt is renewed:
echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep -A 2 Validity
cd /var/snap/microk8s/current/certs
ls
kubelet-client-current.pem
kubelet-server-current.pem
PS: If I am wrong, let me know.
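An added example, not from the reply above and not MicroK8s code: instead of opening each file by hand, report the validity window of every certificate under the certs directory. Run it before refresh-certs (or before approving the kubelet CSR) and again afterwards, and the notBefore column shows which files were actually re-issued and which, like the kubelet.crt observed above, were left alone. It goes slightly beyond the reply by also skipping .pem files that hold only a key. It assumes the openssl CLI is installed; cert_report, expiring_certs and make_sample_cert are names I chose, and the certificates make_sample_cert writes are constructed test data.

```shell
# Added example (not from the reply above, not MicroK8s code): report the
# validity window of every certificate in a directory. Run it before and after
# refresh-certs, or after approving a kubelet CSR, and compare the notBefore
# column to see which files were actually re-issued. Assumes the openssl CLI.

# cert_report DIR [WARN_DAYS]
# One tab-separated line per certificate: file, subject, notBefore, notAfter,
# status (ok or EXPIRING). Returns 1 if any certificate expires within WARN_DAYS.
cert_report() {
    dir=$1
    warn_days=${2:-30}
    rc=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # .pem files may hold only a key (or a CSR); skip anything without a certificate.
        grep -q 'BEGIN CERTIFICATE' "$f" || continue
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=[ ]*//')
        not_before=$(openssl x509 -in "$f" -noout -startdate | sed 's/^notBefore=//')
        not_after=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend succeeds only if the certificate is still valid WARN_DAYS from now.
        if openssl x509 -in "$f" -noout -checkend $((warn_days * 86400)) >/dev/null; then
            status=ok
        else
            status=EXPIRING
            rc=1
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$(basename "$f")" "$subject" "$not_before" "$not_after" "$status"
    done
    return $rc
}

# expiring_certs DIR [WARN_DAYS]: just the file names that cert_report flags.
expiring_certs() {
    cert_report "$1" "${2:-30}" | awk -F'\t' '$5 == "EXPIRING" { print $1 }'
}

# make_sample_cert BASE DAYS
# Constructed test data: a self-signed certificate BASE.crt with key BASE.key,
# valid for DAYS days. A minimal config file is written so the result does not
# depend on the system openssl.cnf.
make_sample_cert() {
    base=$1
    days=$2
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$(basename "$base")" > "$base.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -config "$base.cnf" \
        -keyout "$base.key" -out "$base.crt" 2>/dev/null
}

# Usage on a node (uncomment):
# cert_report /var/snap/microk8s/current/certs 30
```

The non-zero return code makes the function usable from a cron job or a monitoring check; the tab-separated output is meant to be saved to a file before the change and diffed afterwards.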
Excellent post! Huge time saver.
These lines for enabling auto renewal: do these stanzas go on the first controller only, or on all controllers, or on all controllers and all worker nodes?