I'd suggest adding information to the Kubernetes and Helm Chart deployment tutorials that internal Kubernetes certificates are valid for one year; thus, when one year passes after deployment, the certificates expire and every "kubectl" command fails with the error:
"Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-XX-XXTXX:XX:XX+02:00 is after 2022-XX-XXTXX:XX:XXZ"
The most popular suggestion when Googling this error message is to issue the commands:
"kubeadm certs check-expiration; kubeadm certs renew all", but in the case of the Toolkit these commands do not work, as the Toolkit is deployed without using kubeadm.
What works is the microk8s command:
"sudo microk8s refresh-certs"
It renews internal certificates and takes care of restarting associated services and pods (so there may be slight downtime of the deployed website).
We can verify that the certificates were renewed by checking the creation dates of the certificates (.crt files):
"ls -lh /var/snap/microk8s/current/certs"
Or by checking the expiration date in the certificates themselves:
"openssl x509 -enddate -noout -in /var/snap/microk8s/current/certs/front-proxy-client.crt"
"openssl x509 -enddate -noout -in /var/snap/microk8s/current/certs/server.crt"
Note. For some reason /var/snap/microk8s/current/certs/kubelet.crt is not renewed, but it seems this does not pose a problem, see: https://github.com/kubernetes/kubeadm/issues/2186
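
A periodic check that catches the one-year expiry described above before "kubectl" starts failing, as an added example that is not part of the original post. The directory is the one named in the post; the function name check_cert_dir, the 30-day threshold and the status words are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag MicroK8s certificates
# that are expired or about to expire. CERT_DIR is the path named in the
# post; WARN_DAYS=30 and the status words are assumptions.
CERT_DIR="${CERT_DIR:-/var/snap/microk8s/current/certs}"
WARN_DAYS="${WARN_DAYS:-30}"

# check_cert_dir DIR DAYS
# Prints one status line per .crt file in DIR. Returns 0 if every
# certificate is valid for more than DAYS days, 1 if any is expired,
# expiring or unreadable, 2 if DIR contains no .crt files.
check_cert_dir() {
    local dir="$1"
    local days="$2"
    local rc=0 found=0 crt end
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue          # glob matched nothing
        found=1
        # Same command as in the post; fails on a non-certificate file.
        if ! end=$(openssl x509 -enddate -noout -in "$crt" 2>/dev/null); then
            echo "UNREADABLE $crt"
            rc=1
            continue
        fi
        end="${end#notAfter=}"
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -checkend 0 -noout -in "$crt" >/dev/null; then
            echo "EXPIRED $crt (notAfter $end)"
            rc=1
        elif ! openssl x509 -checkend "$((days * 86400))" -noout -in "$crt" >/dev/null; then
            echo "EXPIRING $crt (notAfter $end)"
            rc=1
        else
            echo "OK $crt (notAfter $end)"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no .crt files in $dir" >&2
        return 2
    fi
    return "$rc"
}

# Run the check only on a host that actually has the MicroK8s snap.
if [ -d "$CERT_DIR" ]; then
    check_cert_dir "$CERT_DIR" "$WARN_DAYS" ||
        echo "renewal needed: sudo microk8s refresh-certs"
fi
```

Run from cron or a monitoring agent, the non-zero return gives advance warning instead of a failed "kubectl". Since kubelet.crt is, per the note above, not renewed, expect it to keep being reported after a refresh.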