We want to be able to re-deploy our Kubernetes cluster at any time, as an emergency measure when everything is screwed up, or as an easy way to upgrade to a new Kubernetes version. We do that from scratch; in particular, /etc/kubernetes is wiped out. But this forces us to distribute new user certificates afterwards. However, the current ones should remain valid.
How do we do that? Store some files in /etc/kubernetes (surely not all of them) and copy them back to the cluster? If so, which files? And copy them back before or after the kubeadm init call? Or is it better to use one of the certificate-related arguments to kubeadm?
You can keep all certs in a directory other than the default /etc/kubernetes/pki. You do this before running kubeadm init. Then, while running kubeadm init, specify that directory with the --cert-dir flag or the certificatesDir field of kubeadm's ClusterConfiguration.
An alternative option would be to skip the cert and config generation by specifying --skip-phases=certs,kubeconfig in kubeadm init.
At some point the certs will expire, and you can then renew them with kubeadm alpha certs renew:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
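The approach in the answer above, as an added example that is not part of the original answer or of kubeadm itself: a small POSIX shell script that copies the kubeadm PKI tree to a directory outside /etc/kubernetes, writes a ClusterConfiguration whose certificatesDir points at it, and lists the preserved certificates. The paths /etc/kubernetes/pki and /srv/kubernetes/pki, and the function names, are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): keep the cluster PKI outside
# /etc/kubernetes so a from-scratch "kubeadm init" can reuse the same CAs,
# which keeps already-issued user certificates valid after a redeploy.
# The directory paths used below are assumptions; adjust them to your layout.
set -eu

# Copy the kubeadm PKI tree (cluster CA, front-proxy CA, etcd CA and the
# service-account keypair) from $1 to $2 so it survives wiping /etc/kubernetes.
# Prints the number of files preserved.
preserve_pki() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    # -p keeps the restrictive modes on the private keys
    cp -Rp "$src"/. "$dst"/
    chmod 700 "$dst"
    find "$dst" -type f | wc -l | tr -d ' '
}

# Write a minimal kubeadm ClusterConfiguration whose certificatesDir ($1)
# points at the preserved directory; $2 is the output file. Prints its path.
write_cluster_config() {
    cat > "$2" <<EOF
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
certificatesDir: $1
EOF
    echo "$2"
}

# List the certificate files under $1 so the CA material can be checked
# before re-initialising; prints one path per line, sorted.
list_certs() {
    find "$1" -name '*.crt' | sort
}

# Show the expiry date of every certificate under $1 (needs openssl), so
# you know when "kubeadm alpha certs renew" is due.
check_expiry() {
    list_certs "$1" | while read -r crt; do
        printf '%s: ' "$crt"
        openssl x509 -noout -enddate -in "$crt"
    done
}

# Typical use before tearing the cluster down, then on the rebuilt node:
#   preserve_pki /etc/kubernetes/pki /srv/kubernetes/pki
#   write_cluster_config /srv/kubernetes/pki /root/kubeadm.yaml
#   kubeadm init --config /root/kubeadm.yaml      # or: --cert-dir /srv/kubernetes/pki
```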