Generate new certificate

First, we have to generate a private key:

$ openssl genrsa -out ivnilv.pem

and a certificate signing request:

$ openssl req -new -key ivnilv.pem -out ivnilv.csr -subj "/CN=ivnilv"

The common name of the certificate is important, since it defines the username of the new user.

Signing the certificate

The signing request needs to be base64-encoded before it is submitted to the Kubernetes API. You can easily encode it using:
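
Because the CN becomes the Kubernetes username (and each O in the subject becomes a group), it is worth reading the subject back out of the CSR before it is submitted for signing. The script below is an added example, not part of the original post; the function names and the rule rejecting `system:` groups are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: read back the identity a CSR asks for before it is signed.
# Kubernetes x509 client auth maps subject CN -> username and each O -> group.

# csr_subject FILE: print the CSR subject in RFC 2253 form (requires openssl).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# subject_field SUBJECT KEY: print every value of attribute KEY, one per line.
# Splits on unescaped "," and "+"; a backslash escapes the next character
# (hex-pair escapes are not decoded).
subject_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        n = 0; cur = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\") { i++; cur = cur substr($0, i, 1) }
            else if (c == "," || c == "+") { rdn[++n] = cur; cur = "" }
            else cur = cur c
        }
        rdn[++n] = cur
        for (j = 1; j <= n; j++)
            if (index(rdn[j], key "=") == 1) print substr(rdn[j], length(key) + 2)
    }'
}

# review_subject SUBJECT EXPECTED_USER: succeed only if the CN is exactly the
# expected username and no group uses the reserved "system:" prefix.
# (The prefix rule is this example's policy assumption, not from the post.)
review_subject() {
    local subject=$1 expected=$2 cn group
    cn=$(subject_field "$subject" CN)
    if [ "$cn" != "$expected" ]; then
        echo "REJECT: CN '$cn' is not the expected user '$expected'"; return 1
    fi
    while IFS= read -r group; do
        case "$group" in
            system:*) echo "REJECT: CSR requests group '$group'"; return 1 ;;
        esac
    done <<EOF
$(subject_field "$subject" O)
EOF
    echo "OK: user=$cn groups=$(subject_field "$subject" O | paste -sd, -)"
}

# Usage: ./check-csr.sh ivnilv.csr ivnilv
if [ "$#" -eq 2 ]; then
    review_subject "$(csr_subject "$1")" "$2"
fi
```
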

Check etcd-manager version

Using kubectl:

$ k -n kube-system get pod etcd-manager-main-ip-NODE-IP-ADDRESS -o yaml | grep "image:"
image: kopeio/etcd-manager:3.0.20200429

According to the releases documentation, version 3.0.20200428 brings a fix that renews expiring certificates in the cluster. However, the implementation of this, as noted in GitHub issue #309:

"Not a perfect fix, if you don’t restart things every now and then, they could still expire. But it’s at least closer and means if you do restart things, it will fix itself."