I have a microK8S cluster and expose the API server at my domain. The server.crt and server.key in /var/snap/microk8s/1079/certs need to be replaced with the ones that include my domain. Otherwise, as expected, I get the error:
Unable to connect to the server: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local, not mydonaim.com
With the help of cert-manager I have produced certificates and replaced them, and my system works well.
Problem: every time the server is restarted, server.crt and server.key are generated again in /var/snap/microk8s/1079/certs. My custom certs are deleted, making the API server unreachable remotely. How can I stop the system from doing that all the time?
Workaround? Should I place my certificates elsewhere and edit config files like /var/snap/microk8s/1079/args/kube-controller-manager with the path to those certificates? Are those config files auto-replaced as well?
It looks like there is an existing issue that describes copying and modifying the /var/snap/microk8s/current/certs/csr.conf.template to include any extra IP or DNS entries for the generated certificates.
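One way to script the template edit described in the answer above, as an added example that is not code from MicroK8s or from the original posts. It assumes the template is an OpenSSL request config with an `[ alt_names ]` section; the function name `add_dns_san`, the sample file and the domain `k8s.example.com` are hypothetical.

```shell
# Added example (not MicroK8s code). Assumes the template is an OpenSSL
# request config whose SANs sit in an "[ alt_names ]" section.

# add_dns_san FILE NAME: append NAME as the next DNS.N entry, once.
add_dns_san() {
  san_file=$1; san_name=$2
  san_tmp=$(mktemp) || return 1
  awk -v name="$san_name" '
    /^\[/ { in_alt = ($0 ~ /^\[[ \t]*alt_names[ \t]*\]/); if (in_alt) hdr = NR }
    { line[NR] = $0 }
    in_alt && /^DNS\.[0-9]+[ \t]*=/ {
      split($0, kv, "=")
      idx = kv[1]; sub(/^DNS\./, "", idx); idx += 0
      val = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (idx > max) max = idx
      if (val == name) present = 1   # already listed: change nothing
      last = NR                      # insert after the last DNS entry
    }
    END {
      if (!hdr) exit 2               # no [ alt_names ] section: refuse
      if (!last) last = hdr
      for (i = 1; i <= NR; i++) {
        print line[i]
        if (i == last && !present) printf "DNS.%d = %s\n", max + 1, name
      }
    }' "$san_file" > "$san_tmp" || { rm -f "$san_tmp"; return 1; }
  # Overwrite in place so the file keeps its owner and mode.
  cat "$san_tmp" > "$san_file"; rm -f "$san_tmp"
}

# Constructed sample template; the DNS names are those in the error message
# quoted in the question.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 127.0.0.1
[ v3_ext ]
subjectAltName = @alt_names
EOF
add_dns_san "$demo" k8s.example.com   # placeholder domain
add_dns_san "$demo" k8s.example.com   # second run is a no-op
grep -n '^DNS\.' "$demo"
rm -f "$demo"
```

Because the function is idempotent and refuses files without an `[ alt_names ]` section, it can be re-run safely against the template before certificates are regenerated.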