When the certificate for a k8s manager account has expired, generate a new private key and a certificate signing request (CSR) for the same CN, then sign the CSR with the k8s CA:
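#!/bin/bash
# Renew the client certificate used by the kubernetes-admin kubeconfig user.
#
# Run this from the K8s controller where the platform's CA keys are located.
# The script reads /etc/kubernetes/pki/ca.key, so it needs an account that is
# allowed to read the cluster CA private key.
#
# Security notes:
#   - The subject places the certificate in O=system:masters. Membership of
#     that group bypasses RBAC authorization, and Kubernetes does not check
#     client certificates for revocation: a leaked key stays usable until the
#     certificate expires (365 days below) or the CA is rotated.
#   - Keep the generated key file private and remove superseded key/cert
#     pairs from previous years once the new ones are confirmed working.

# Stop at the first failure so kubeconfig is never pointed at a certificate
# that was not actually issued.
set -euo pipefail

# Files created below (private key, CSR, certificate) are owner-only.
umask 077

readonly cert_dir="${HOME}/kubectl_cert"
readonly ca_cert=/etc/kubernetes/pki/ca.crt
readonly ca_key=/etc/kubernetes/pki/ca.key

cd -- "${cert_dir}" || {
  printf 'cannot cd to %s\n' "${cert_dir}" >&2
  exit 1
}

# Get the current year; it is used to name this year's key/CSR/cert files.
current_year=$(date +%Y)
readonly key_file="kubectl-${current_year}-k8admin-key.pem"
readonly csr_file="kubectl-${current_year}-k8admin.csr"
readonly cert_file="kubectl-${current_year}-k8admin-cert.pem"

# Generate private key. The key size is pinned rather than left to the
# default of whichever OpenSSL build is installed.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "${key_file}"

# Generate CSR for the same identity as the expired certificate.
openssl req -new -key "${key_file}" -out "${csr_file}" \
  -subj "/O=system:masters/CN=kubernetes-admin"

# Sign the CSR to create a certificate.
# -CAcreateserial creates the CA serial file if it does not exist yet.
# NOTE(review): "openssl x509" only applies -extensions together with
# -extfile, so "-extensions v3_req" (kept from the original command) adds no
# v3 extensions here; supply an -extfile if extensions are required.
openssl x509 -req -in "${csr_file}" \
  -CA "${ca_cert}" -CAkey "${ca_key}" -CAcreateserial \
  -out "${cert_file}" -days 365 -extensions v3_req

# Check expiry is in future: print the end date, then let -checkend fail the
# script if the certificate is already expired.
openssl x509 -in "${cert_file}" -noout -enddate
openssl x509 -in "${cert_file}" -noout -checkend 0 || {
  printf 'certificate %s is already expired\n' "${cert_file}" >&2
  exit 1
}

# Update kubeconfig with new credentials.
# Absolute paths are built from cert_dir: a "~" after "--flag=" is not
# expanded by the shell, so kubectl would receive a literal "~/..." path.
kubectl config set-credentials kubernetes-admin \
  --client-certificate="${cert_dir}/${cert_file}" \
  --client-key="${cert_dir}/${key_file}"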