Update the CA used by the cluster

kjackal · August 18, 2020, 11:24am

A self-signed CA is created by MicroK8s at install time. Starting from the 1.19 release, it is possible to refresh that CA with an auto-generated one or to configure Kubernetes to use a user-provided one. This functionality is provided via the microk8s refresh-certs command.

Using the `refresh-certs` command

To prove a CA you have to:

sudo microk8s refresh-certs ./ca-path/

The ca-path above is the directory containing the two files ca.crt and ca.key.

To let MicroK8s replace the CA with an auto-generated one:

sudo microk8s refresh-certs

To undo the last operation you can use the -u flag:

sudo microk8s refresh-certs -u

To check the expiration time of the installed CA:

sudo microk8s refresh-certs -c

Known limitations

An update of the CA should be made in a cluster without any workloads. Auxiliary certificates and credentials make use of the CA, so updating the CA in a live cluster will have unpredictable effects.
In a multi-node setup, nodes will need to leave and rejoin the cluster in order for new certificates to properly propagate.

canerbis · March 30, 2022, 5:41am

Thank you for your proceduers.
I executed the refresh-certs command with your proceduers.
There were various certifcates at /var/snap/microk8s/current/certs.

I checked the certifcates for expried period.
But It was not changed the only kubelet.crt.

As far as I know, kubelet.crt is rotated aotomactically by apiserver on k8s.
But I can’t find the configuration of kubelet.crt for rotation on microk8s.
If you know about it , Please Let me Know Where the configuration of kubelet.crt is.

I need to explain the configuration of kubelet.crt for my client

Best Regard
Canerbis.

canerbis · November 18, 2022, 2:07am

I have found about renewing kubelet.crt

check if kubelet.crt is expired

echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ | openssl x509 -text -noout | grep -A 2 Validity

Auto-rotate Setting about kubele.crt

vi /var/snap/microk8s/current/args/kubelet

Adding below 3 lines

–rotate-certificates=true
–rotate-server-certificates=true
–tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

micok8s stop;microk8s start

microk8s kubectl get csr
microk8s kubectl certificate approve

check if kubelet.crt is renewed

echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ | openssl x509 -text -noout | grep -A 2 Validity

cd /var/snap/microk8s/current/certs
ls
kubelet-client-current.pem
kubelet-server-current.pem

PS: If i am wrong, Let me know

darwin1357 · March 30, 2024, 11:11pm

Excellent post! Hugh time saver.

Adam_Esslinger · July 31, 2024, 4:29pm

these lines for enabling auto renewal. Do these stanzas go on the first controller only, or all controllers, or all controllers and all worker nodes?

Topic		Replies	Views
Renew Certificate in MicroK8S Cluster microk8s microk8s	3	14958	August 2, 2022
Renewing Kubernetes cluster certificates General Discussions	0	1990	August 8, 2019
How to renew ca.crt (signing authority) in Kubernetes masters? General Discussions	0	111	May 2, 2024
Good practices in handling CA (certificate authority) microk8s security	0	792	December 26, 2021
2 node cluster with both proxy client and server certificate expired, what to do next? microk8s network	0	427	November 17, 2023