Update the CA used by the cluster

kjackal · August 18, 2020, 11:24am

A self-signed CA is created by MicroK8s at install time. Starting from the 1.19 release, it is possible to refresh that CA with an auto-generated one or to configure Kubernetes to use a user-provided one. This functionality is provided via the microk8s refresh-certs command.

Using the `refresh-certs` command

To prove a CA you have to:

sudo microk8s refresh-certs ./ca-path/

The ca-path above is the directory containing the two files ca.crt and ca.key.

To let MicroK8s replace the CA with an auto-generated one:

sudo microk8s refresh-certs

To undo the last operation you can use the -u flag:

sudo microk8s refresh-certs -u

To check the expiration time of the installed CA:

sudo microk8s refresh-certs -c

Known limitations

An update of the CA should be made in a cluster without any workloads. Auxiliary certificates and credentials make use of the CA, so updating the CA in a live cluster will have unpredictable effects.
In a multi-node setup, nodes will need to leave and rejoin the cluster in order for new certificates to properly propagate.

canerbis · March 30, 2022, 5:41am

Thank you for your proceduers.
I executed the refresh-certs command with your proceduers.
There were various certifcates at /var/snap/microk8s/current/certs.

I checked the certifcates for expried period.
But It was not changed the only kubelet.crt.

As far as I know, kubelet.crt is rotated aotomactically by apiserver on k8s.
But I can’t find the configuration of kubelet.crt for rotation on microk8s.
If you know about it , Please Let me Know Where the configuration of kubelet.crt is.

I need to explain the configuration of kubelet.crt for my client

Best Regard
Canerbis.

canerbis · November 18, 2022, 2:07am

I have found about renewing kubelet.crt

check if kubelet.crt is expired

echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ | openssl x509 -text -noout | grep -A 2 Validity

Auto-rotate Setting about kubele.crt

vi /var/snap/microk8s/current/args/kubelet

Adding below 3 lines

–rotate-certificates=true
–rotate-server-certificates=true
–tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

micok8s stop;microk8s start

microk8s kubectl get csr
microk8s kubectl certificate approve

check if kubelet.crt is renewed

echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ | openssl x509 -text -noout | grep -A 2 Validity

cd /var/snap/microk8s/current/certs
ls
kubelet-client-current.pem
kubelet-server-current.pem

PS: If i am wrong, Let me know

darwin1357 · March 30, 2024, 11:11pm

Excellent post! Hugh time saver.

Topic		Replies	Views
Renew Certificate in MicroK8S Cluster microk8s microk8s	3	10507	August 2, 2022
Renewing Kubernetes cluster certificates General Discussions	0	1779	August 8, 2019
2 node cluster with both proxy client and server certificate expired, what to do next? microk8s network	0	302	November 17, 2023
Question about certificate rotation and renewal General Discussions	1	527	December 15, 2019
Auto renew kubelet certificate and check it exparation General Discussions	1	954	May 27, 2021