Update the CA used by the cluster

A self-signed CA is created by MicroK8s at install time. Starting from the 1.19 release, it is possible to refresh that CA with an auto-generated one or to configure Kubernetes to use a user-provided one. This functionality is provided via the microk8s refresh-certs command.

Using the refresh-certs command

  • To provide your own CA, run:
sudo microk8s refresh-certs ./ca-path/

The ca-path above is the directory containing the two files ca.crt and ca.key.

  • To let MicroK8s replace the CA with an auto-generated one:
sudo microk8s refresh-certs
  • To undo the last operation you can use the -u flag:
sudo microk8s refresh-certs -u
  • To check the expiration time of the installed CA:
sudo microk8s refresh-certs -c
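
Before handing a user-provided CA directory to refresh-certs, it is worth confirming that ca.crt and ca.key are a usable pair. The following pre-flight check is an added example, not part of MicroK8s: check_ca_dir is a hypothetical helper name, the 30-day expiry margin is an assumed threshold, and it relies only on the openssl command-line tool.

```shell
#!/bin/sh
# Added example: validate a CA directory (ca.crt + ca.key) before running
#   sudo microk8s refresh-certs ./ca-path/
# Usage: check_ca_dir ./ca-path/ && sudo microk8s refresh-certs ./ca-path/

check_ca_dir() {
    dir=$1
    crt="$dir/ca.crt"
    key="$dir/ca.key"

    # Both files named in the documentation must be present and readable.
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # Warn (do not fail) if the private key is accessible to group or others.
    case $(ls -lL "$key") in
        -???------*) ;;
        *) echo "warning: $key is accessible beyond its owner" >&2 ;;
    esac

    # The certificate must parse and carry basicConstraints CA:TRUE.
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "ca.crt is not a CA certificate" >&2; return 1; }

    # Reject a CA that expires within the next 30 days (2592000 seconds).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "ca.crt expires within 30 days" >&2; return 1; }

    # The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "ca.key does not match ca.crt" >&2
        return 1
    fi

    return 0
}
```

A non-zero return means the directory should not be passed to refresh-certs; the reason is printed on standard error.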

Known limitations

  • An update of the CA should be made in a cluster without any workloads. Auxiliary certificates and credentials make use of the CA, so updating the CA in a live cluster will have unpredictable effects.
  • In a multi-node setup, nodes will need to leave and rejoin the cluster in order for new certificates to properly propagate.