Update apiserver certificates for HA k8s cluster

Question

I have HA k8s cluster that was created by kubeadm. I would like to update API server certificate to add additional SANs. For this purpose I followed some steps described in another post, but what I did for HA cluster:

Removed API server certificates on all control-plane nodes
Retrieved current kubeadm configmap

kubectl get configmap kubeadm-config \
  --namespace kube-system \
  --output jsonpath={{ .data.ClusterConfiguration }}

Extended it with necessary configuration part

apiServer:
  certSANs:
    - localhost
    - 127.0.0.1

Generated new certificates with updated configuration on all control-plane nodes

kubeadm init phase certs apiserver --config <config_path>

Restarted API server container on all control-plane nodes
Updated in-cluster configuration

kubeadm init phase upload-config kubeadm --config <config_path>

The question is if these steps are correct or there is another way that is more simple?

score 3 · Accepted Answer · answered Aug 17 '20 at 14:40

The fastest way I come up with is this:

# remove current apiserver certificates
sudo rm /etc/kubernetes/pki/apiserver.*

# generate new certificates
sudo kubeadm init phase certs apiserver --apiserver-cert-extra-sans=localhost,127.0.0.1

Remember that you need to run it on all control-plain nodes.

Update apiserver certificates for HA k8s cluster

1 Answers1