Permanently replacing API server certificates

12/7/2019

I have a MicroK8s cluster and expose the API server at my domain. The server.crt and server.key in /var/snap/microk8s/1079/certs need to be replaced with ones that include my domain. Otherwise, as expected, I get the error:

Unable to connect to the server: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local, not mydonaim.com

With the help of cert-manager I have produced certificates and replaced them, my system works well.

Problem: every time the server is restarted, server.crt and server.key are generated again in /var/snap/microk8s/1079/certs. My custom certs are deleted, making the API server unreachable remotely. How can I stop the system from doing that all the time?

Workaround? Should I place my certificates elsewhere and edit config files like /var/snap/microk8s/1079/args/kube-controller-manager with the path to those certificates? Are those config files auto-replaced as well?

Cluster information:

  • Kubernetes version: 1.16.3
  • Cloud being used: Bare metal, single-node
  • Cluster installation method: Ubuntu Server with Snaps
  • Host OS: Ubuntu 18.04.3 LTS
-- Vladimir Akopyan
kubernetes
kubernetes-apiserver
microk8s
ssl

1 Answer

12/9/2019

It looks like there is an existing issue that describes copying and modifying the /var/snap/microk8s/current/certs/csr.conf.template to include any extra IP or DNS entries for the generated certificates.

-- mdaniel
Source: StackOverflow