Updating Kubeconfig with CA Certificate

After configuring a custom CA certificate for your ARO cluster, you need to manually update your kubeconfig file to include the CA certificate. There is no automated way to do this.

Steps to Update Kubeconfig

1. Extract the existing kubeconfig

oc config view --raw > kubeconfig

2. Encode the CA certificate

Base64 encode your CA certificate:

cat ca.crt | base64 -w 0

On Windows PowerShell:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("ca.crt"))

3. Update the kubeconfig

Replace <base64-encoded-ca-cert> in the kubeconfig with the base64-encoded CA certificate from the previous step.

Example Kubeconfig:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded-ca-cert>
    server: https://api.yourdomain:6443
  name: aro
contexts:
- context:
    cluster: aro
    user: kubeadmin
  name: aro
current-context: aro
kind: Config
preferences: {}
users:
- name: kubeadmin
  user:
    token: <kubeadmin-token>

ArgoCD Integration (Optional)

If you need to configure ArgoCD to connect to this ARO cluster:

1. Create or Update the Secret in ArgoCD Namespace

apiVersion: v1
kind: Secret
metadata:
  name: aro-cluster-secret
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: cluster
data:
  name: xxx  # base64 of "aro-cluster"
  server: xxx  # base64 of "https://api.yourdomain.com:6443"
  config: <base64-encoded-json-config>  # base64 of the JSON config including CA certificate

2. Apply the Secret

kubectl apply -f secret.yaml

3. Verify ArgoCD Cluster Configuration

argocd cluster list
kubectl logs -n argocd deploy/argocd-server

Notes

• The kubeconfig update must be done manually whenever you change the CA certificate
• Make sure to keep a backup of your original kubeconfig before making changes
• The CA certificate ensures secure communication with the API server