The first step is to generate new certificates for each API server to include the new load balancer address in the SANs.
On the first primary:
- Run kubectl -n kube-system edit configmap kubeadm-config. Set the control plane endpoint in the ClusterConfiguration YAML to the new load balancer address and add its IP/hostname to the certSANs list.
- Edit /opt/replicated/kubeadm.conf to match the changes you made to the configmap.
- Run kubeadm init phase certs apiserver --config /opt/replicated/kubeadm.conf
Before moving on to the remaining primaries, generate a new bootstrap token on the first primary with:
kubeadm init phase bootstrap-token --config=/opt/replicated/kubeadm.conf
Then run these steps on each of the remote primaries:
- Edit /opt/replicated/kubeadm.conf and update the token to the one just generated on the first primary.
- Run kubeadm join phase control-plane-prepare certs apiserver --config=/opt/replicated/kubeadm.conf
Now it’s safe to tell all clients to use the new address:
- Run kubectl -n kube-system edit configmap kube-proxy and change the server to the new address.
- Edit /etc/kubernetes/kubelet.conf on every node, changing the server to the new address.
- For all primaries, also update the server in /etc/kubernetes/admin.conf, /etc/kubernetes/scheduler.conf, and /etc/kubernetes/controller-manager.conf.
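
A check for the client-side edits above, as an added example that is not part of the original page: it lists every kubeconfig file whose server field still points somewhere other than the new address. The function names, the example hostnames and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit kubeconfig files for a stale API server address.
# Hostnames and sample files below are constructed, not real cluster data.

# Print every "server:" URL found in a kubeconfig-style YAML file.
servers_in() {
    awk '$1 == "server:" { print $2 }' "$1"
}

# usage: stale_kubeconfigs EXPECTED_URL FILE...
# Prints one line per problem and returns 1 if any file is missing,
# has no server field, or names a server other than EXPECTED_URL.
stale_kubeconfigs() {
    expected=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then echo "$f (missing)"; rc=1; continue; fi
        found=$(servers_in "$f")
        if [ -z "$found" ]; then echo "$f (no server field)"; rc=1; continue; fi
        for s in $found; do
            if [ "$s" != "$expected" ]; then echo "$f -> $s"; rc=1; fi
        done
    done
    return $rc
}

# Demo on constructed files: one updated, one stale, one absent.
demo() {
    d=$(mktemp -d)
    printf 'clusters:\n- cluster:\n    server: https://lb-new.example.internal:6443\n' \
        > "$d/kubelet.conf"
    printf 'clusters:\n- cluster:\n    server: https://lb-old.example.internal:6443\n' \
        > "$d/admin.conf"
    stale_kubeconfigs https://lb-new.example.internal:6443 \
        "$d/kubelet.conf" "$d/admin.conf" "$d/scheduler.conf"
    status=$?
    rm -rf "$d"
    return $status
}

demo || echo "stale entries found"
```

On a node, pass the new load balancer URL as the first argument followed by the files named in the steps above, such as /etc/kubernetes/kubelet.conf.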