Add a valid PKI certificate to the Kubernetes API

Here are the instructions to add a valid PKI certificate to the Kubernetes API:

  1. Request a valid certificate (k8s.cert, k8s.key)

  2. Copy the certificate and private key to kubernetes-load-balancer, in the files:

    /srv/kubernetes/server.crt
    /srv/kubernetes/server.key
    

These files are used by nginx (configuration file /etc/nginx/sites-available/apilb).

  3. Restart the nginx service:

    sudo service nginx restart
    

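Once you have installed the new certificate, edit the config file: remove the line certificate-authority-data and replace the server IP address with the kubernetes-api hostname. With no CA pinned, the client validates the API server against the system trust store, and the hostname must match a name in the certificate.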

Modify kubeconfig on worker nodes

After replacing the certificate we need to update the kubelet configuration on all worker nodes. This is done by issuing the following commands:

    juju run --application kubernetes-worker "sudo kubectl config -v8 --kubeconfig=/root/cdk/kubeconfig set-cluster juju-cluster --server=https://k8s-api-pa1.cloud.garr.it:443 --certificate-authority=/dev/null --embed-certs=true"
    juju run --application kubernetes-worker "sudo kubectl config -v8 --kubeconfig=/root/cdk/kubeproxyconfig set-cluster juju-cluster --server=https://k8s-api-pa1.cloud.garr.it:443 --certificate-authority=/dev/null --embed-certs=true"

    juju run --application kubernetes-worker "sudo snap set kube-proxy master=https://k8s-api-pa1.cloud.garr.it:443"

    juju run --application kubernetes-worker "sudo snap restart kubelet"
    juju run --application kubernetes-worker "sudo snap restart kube-proxy"

N.B. Remember to run the commands on all kubernetes-worker clusters (e.g. GPU workers, etc.)!
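
The following check is an added example, not part of the original instructions: it audits a kubeconfig (such as /root/cdk/kubeconfig on a worker) to confirm that it no longer pins a CA, does not disable TLS verification, and addresses the API by hostname over https. The function name audit_kubeconfig and the host k8s-api.example.test are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# audit_kubeconfig FILE HOST  (hypothetical helper, not from the original page)
# Prints one finding per line; returns 0 only if FILE will validate the API
# server against the system trust store under the name HOST.
audit_kubeconfig() {
    awk -v host="$2" '
    {   # Split "key: value", ignoring indentation and YAML list dashes.
        line = $0
        sub(/^[ \t-]+/, "", line); sub(/[ \t\r]+$/, "", line)
        i = index(line, ":"); if (i == 0) next
        key = substr(line, 1, i - 1); val = substr(line, i + 1)
        sub(/^[ \t]+/, "", val); gsub(/"/, "", val)
    }
    # A pinned CA replaces the system trust store, so the PKI-issued
    # certificate would be rejected.
    (key == "certificate-authority" || key == "certificate-authority-data") && val != "" {
        print FILENAME ":" NR ": " key " still pins a CA"; bad++
    }
    # Turning verification off hides certificate problems instead of fixing them.
    key == "insecure-skip-tls-verify" && val == "true" {
        print FILENAME ":" NR ": TLS verification is disabled"; bad++
    }
    # The server must be addressed over https by the name in the certificate.
    key == "server" {
        servers++
        h = val; https = sub("^https://", "", h); sub("[:/].*$", "", h)
        if (!https || h != host) {
            print FILENAME ":" NR ": server is " val ", expected https://" host; bad++
        }
    }
    END {
        if (servers == 0) { print FILENAME ": no server entry"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: a kubeconfig still carrying the old CA and IP address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
clusters:
- cluster:
    certificate-authority-data: Q09OU1RSVUNURUQ=
    server: https://10.0.0.10:443
  name: juju-cluster
EOF
audit_kubeconfig "$sample" k8s-api.example.test || echo "kubeconfig needs fixing"
rm -f "$sample"
```

The check is line-based and assumes the block-style YAML that kubectl writes.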