A self-signed CA is created by MicroK8s at install time. Starting from the 1.19 release, it is possible to refresh that CA with an auto-generated one or to configure Kubernetes to use a user-provided one. This functionality is provided via the microk8s refresh-certs command.
- To provide a CA you have to:
sudo microk8s refresh-certs ./ca-path/
ca-path above is the directory containing the two files
- To let MicroK8s replace the CA with an auto-generated one:
sudo microk8s refresh-certs
- To undo the last operation you can use the -u flag:
sudo microk8s refresh-certs -u
- To check the expiration time of the installed CA:
sudo microk8s refresh-certs -c
- An update of the CA should be made in a cluster without any workloads. Auxiliary certificates and credentials make use of the CA, so updating the CA in a live cluster will have unpredictable effects.
- In a multi-node setup, nodes will need to leave and rejoin the cluster in order for new certificates to properly propagate.
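
Before handing a user-provided CA directory to microk8s refresh-certs, it is worth confirming that the certificate really is a CA certificate, that the private key belongs to it, and that it is not close to expiry. The script below is an added example, not part of the MicroK8s documentation or tooling. The function names, exit codes, the 365-day threshold and the sample file names ca.crt and ca.key are assumptions made for illustration, and it requires the openssl command-line tool.

```bash
# Pre-flight check for a user-provided CA (added example, hypothetical helper names).

# check_ca CERT KEY [MIN_DAYS]
# Returns 0 if usable, 1 if a file is missing or the certificate cannot be parsed,
# 2 if the certificate is not marked as a CA, 3 if the key does not match the
# certificate, 4 if the certificate expires within MIN_DAYS.
check_ca() {
  local cert="$1" key="$2" min_days="${3:-365}"
  local cert_pub key_pub
  [ -r "$cert" ] && [ -r "$key" ] || return 1
  # Extracting the public key also proves the certificate parses.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  # basicConstraints must mark the certificate as a CA.
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 2
  # The private key must belong to the certificate: compare public keys.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  [ "$cert_pub" = "$key_pub" ] || return 3
  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" \
    >/dev/null 2>&1 || return 4
  return 0
}

# make_sample_ca DIR DAYS
# Builds a constructed, throwaway CA for the demo (file names are assumed).
make_sample_ca() {
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sample-ca" \
      -addext "basicConstraints=critical,CA:TRUE" \
      -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null )
}

# Demo on constructed data: run the script with --demo.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  make_sample_ca "$dir" 3650
  rc=0
  check_ca "$dir/ca.crt" "$dir/ca.key" 365 || rc=$?
  echo "check_ca exit status: $rc"
  rm -rf "$dir"
fi
```

Pass the directory to sudo microk8s refresh-certs only when check_ca returns 0 for the certificate and key it contains.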