Update the CA used by the cluster

A self-signed CA is created by MicroK8s at install time. Starting from the 1.19 release, it is possible to refresh that CA with an auto-generated one or to configure Kubernetes to use a user-provided one. This functionality is provided via the microk8s refresh-certs command.

Using the refresh-certs command

  • To provide a CA you have to:
      sudo microk8s refresh-certs ./ca-path/

    The ca-path above is the directory containing the two files ca.crt and ca.key.

  • To let MicroK8s replace the CA with an auto-generated one:
      sudo microk8s refresh-certs
  • To undo the last operation you can use the -u flag:
      sudo microk8s refresh-certs -u
  • To check the expiration time of the installed CA:
      sudo microk8s refresh-certs -c

Known limitations

  • An update of the CA should be made in a cluster without any workloads. Auxiliary certificates and credentials make use of the CA, so updating the CA in a live cluster will have unpredictable effects.
  • In a multi-node setup, nodes will need to leave and rejoin the cluster in order for new certificates to properly propagate.
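The two things a practitioner wants before and after running refresh-certs are a sanity check of the user-provided ca-path directory (both files present, the certificate really is a CA, the key belongs to it, it is not already expired) and a report of how long every certificate under the certs directory still has, so the limitation above about auxiliary certificates can be verified rather than assumed. The script below is an added example, not part of the MicroK8s documentation or the snap; it assumes openssl on PATH, GNU date (for date -d) and the /var/snap/microk8s/current/certs path from this page.

```shell
#!/bin/sh
# Added example (not MicroK8s code): pre-flight check of a ca-path directory
# for "microk8s refresh-certs ./ca-path/" and an expiry report for the
# certificates MicroK8s keeps under /var/snap/microk8s/current/certs.
# Assumptions: openssl on PATH, GNU date (for "date -d").
set -eu

# Seconds until the date in a line like "notAfter=Dec 31 23:59:59 2030 GMT",
# which is what "openssl x509 -enddate -noout" prints.
seconds_until() {
    end=${1#notAfter=}
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( end_epoch - now_epoch ))
}

# Whole days until expiry; negative once the certificate has expired.
days_until() {
    secs=$(seconds_until "$1")
    echo $(( secs / 86400 ))
}

# Validate a directory intended for "microk8s refresh-certs DIR":
# ca.crt and ca.key present, ca.crt is a CA, ca.key matches it, not expired.
check_ca_dir() {
    dir=$1
    for f in ca.crt ca.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # Without basicConstraints CA:TRUE the cert cannot sign the auxiliary
    # certificates MicroK8s derives from the CA.
    openssl x509 -in "$dir/ca.crt" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$dir/ca.crt is not a CA certificate" >&2; return 1; }
    # Compare the public key embedded in the cert with the one derived from
    # the private key; a mismatch would leave the cluster with an unusable CA.
    crt_pub=$(openssl x509 -in "$dir/ca.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/ca.key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "$dir/ca.key does not match $dir/ca.crt" >&2; return 1; }
    left=$(days_until "$(openssl x509 -in "$dir/ca.crt" -noout -enddate)")
    [ "$left" -gt 0 ] || { echo "$dir/ca.crt has already expired" >&2; return 1; }
    echo "ok: $dir/ca.crt is a CA, matches ca.key, expires in $left days"
}

# Report days to expiry for every certificate file in DIR and return 1 if
# any is within WARN_DAYS. Run it before and after refresh-certs to see which
# files were actually re-issued.
report_expiry() {
    dir=$1
    warn=${2:-30}
    rc=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # *.pem may also hold bare keys; only look at files with a certificate.
        grep -q 'BEGIN CERTIFICATE' "$f" || continue
        left=$(days_until "$(openssl x509 -in "$f" -noout -enddate)")
        if [ "$left" -le "$warn" ]; then
            echo "WARN $f expires in $left days"; rc=1
        else
            echo "ok   $f expires in $left days"
        fi
    done
    return $rc
}

main() {
    case "${1:-}" in
        check-ca) check_ca_dir "${2:?usage: $0 check-ca DIR}" ;;
        expiry)   report_expiry "${2:-/var/snap/microk8s/current/certs}" "${3:-30}" ;;
        *)        echo "usage: $0 check-ca DIR | expiry [DIR] [WARN_DAYS]" >&2 ;;
    esac
}
main "$@"
```

Typical use is `sudo ./ca-check.sh check-ca ./ca-path` immediately before `sudo microk8s refresh-certs ./ca-path/`, and `sudo ./ca-check.sh expiry` before and after the refresh to confirm which certificates were re-issued from the new CA. Days are computed from the current clock, so a negative number means the file in question has already expired.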

Thank you for your procedures.
I executed the refresh-certs command with your procedures.
There were various certificates at /var/snap/microk8s/current/certs.

I checked the expiry period of the certificates.
But only kubelet.crt was not changed.

As far as I know, kubelet.crt is rotated automatically by the apiserver on k8s.
But I can't find the configuration of kubelet.crt for rotation on microk8s.
If you know about it, please let me know where the configuration of kubelet.crt is.

I need to explain the configuration of kubelet.crt for my client.

Best Regards
Canerbis.

I have found out about renewing kubelet.crt.

Check if kubelet.crt is expired:

echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep -A 2 Validity

Auto-rotate setting for kubelet.crt:

vi /var/snap/microk8s/current/args/kubelet

Add the 3 lines below:

--rotate-certificates=true
--rotate-server-certificates=true
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

microk8s stop; microk8s start

microk8s kubectl get csr
microk8s kubectl certificate approve <csr-name>

Check if kubelet.crt is renewed:

echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep -A 2 Validity

cd /var/snap/microk8s/current/certs
ls
kubelet-client-current.pem
kubelet-server-current.pem

PS: If I am wrong, let me know.
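The procedure in the post above has two points worth verifying on a node after the restart: that both rotation flags really are in the kubelet args file (a bare `--rotate-certificates` or `=false` is easy to miss when editing by hand), and that the certificate the kubelet actually serves on port 10250 is the rotated one written to kubelet-server-current.pem rather than a stale file. The script below is an added example and is not from the thread or the MicroK8s project; it assumes openssl on PATH, the args and certs paths quoted in the post, and a kubelet listening on localhost:10250.

```shell
#!/bin/sh
# Added example (not from the thread): verify the kubelet rotation setup
# described above. Assumes openssl on PATH and the MicroK8s paths from the
# thread; override them with KUBELET_ARGS / CERT_DIR if needed.
set -eu

KUBELET_ARGS=${KUBELET_ARGS:-/var/snap/microk8s/current/args/kubelet}
CERT_DIR=${CERT_DIR:-/var/snap/microk8s/current/certs}

# Return 0 when FILE enables both client and serving certificate rotation.
# "--flag" and "--flag=true" both count; "--flag=false" or a missing flag
# does not. One flag per line, as MicroK8s args files are laid out.
rotation_enabled() {
    file=$1
    for flag in rotate-certificates rotate-server-certificates; do
        if ! grep -Eq "^--${flag}(=true)?[[:space:]]*$" "$file"; then
            echo "missing or disabled --${flag} in $file" >&2
            return 1
        fi
    done
    return 0
}

# SHA-256 fingerprint of the certificate the kubelet presents on :10250.
# openssl x509 picks the first PEM block out of the s_client transcript, so
# no sed filtering is needed.
served_fingerprint() {
    printf '' | openssl s_client -connect localhost:10250 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Fingerprint of the serving certificate rotation writes to disk.
ondisk_fingerprint() {
    openssl x509 -in "$CERT_DIR/kubelet-server-current.pem" -noout -fingerprint -sha256
}

main() {
    rotation_enabled "$KUBELET_ARGS"
    echo "rotation flags present in $KUBELET_ARGS"
    served=$(served_fingerprint)
    disk=$(ondisk_fingerprint)
    if [ "$served" = "$disk" ]; then
        echo "kubelet serves the rotated certificate: $served"
    else
        echo "MISMATCH: served $served but on disk $disk (kubelet not restarted?)" >&2
        return 1
    fi
    # Serving-certificate CSRs sit in Pending until approved; list any left.
    microk8s kubectl get csr 2>/dev/null | grep -i pending || echo "no pending CSRs"
}

case "${1:-}" in
    check) main ;;
    *)     echo "usage: $0 check" >&2 ;;
esac
```

Run `sudo ./kubelet-rotation-check.sh check` after the `microk8s stop; microk8s start` step; a mismatch between the served and on-disk fingerprints means the kubelet is still using the old certificate, and a remaining Pending CSR means the approval step has not been done yet.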

Excellent post! Huge time saver.


these lines for enabling auto renewal. Do these stanzas go on the first controller only, or all controllers, or all controllers and all worker nodes?