In this example, we already have an HA cluster using an API proxy at 10.98.83.105:6443.
On a working master node, generate and upload new control plane certs. These will be good for two hours. Take note of the cert key:
sudo kubeadm init phase upload-certs --upload-certs
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
50a7a77ddad29d95f8a7fb3249ebea01ec50e38d9aae64a8d8d3669276b71783
Generate a new join command:
sudo kubeadm token create --print-join-command
kubeadm join 10.98.83.105:6443 --token jl42pk.knjelywrgiry3uru --discovery-token-ca-cert-hash sha256:66bb05f3c0a8f3ecc8c0db3401f068d36a197f3c852bbb8e94ebaf3411f3881e
Now use the output above to build a command on the new master that joins the cluster. Note that you may find it easier to build this command in a text file, then run it via sh.
# The certificate key was generated in the init phase upload-certs step above
kubeadm join 10.98.83.105:6443 --token jl42pk.knjelywrgiry3uru \
--discovery-token-ca-cert-hash sha256:66bb05f3c0a8f3ecc8c0db3401f068d36a197f3c852bbb8e94ebaf3411f3881e \
--certificate-key 50a7a77ddad29d95f8a7fb3249ebea01ec50e38d9aae64a8d8d3669276b71783 \
--control-plane
You are adding the --control-plane flag and the --certificate-key argument to the kubeadm join command generated earlier.
After a lot of verbiage, the new master will join the cluster. Verify this by running kubectl get nodes.
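The command assembly described above, as an added shell example (not from the original page): it takes the two captured outputs, checks the endpoint, token, CA cert hash and certificate key formats, and prints the control plane join command. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the sample
# values below are constructed for illustration.

# matches <string> <extended regex>
matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# build_cp_join <print-join-command output> <upload-certs output> <expected host:port>
# The body runs in a subshell, so `exit` only leaves the function.
build_cp_join() (
  join=$1 expected=$3
  # The certificate key is the 64-hex-character line printed by upload-certs.
  key=$(printf '%s\n' "$2" | grep -Ex '[0-9a-f]{64}' | tail -n 1)
  set -f; set -- $join          # split the worker join command into words
  [ "$1 $2" = "kubeadm join" ] || { echo "not a kubeadm join command" >&2; exit 1; }
  endpoint=$3 token= hash=
  shift 3
  while [ $# -gt 0 ]; do
    case $1 in
      --token) token=$2 ;;
      --discovery-token-ca-cert-hash) hash=$2 ;;
    esac
    shift
  done
  # Refuse to emit a command with a mistyped endpoint or a truncated secret.
  [ "$endpoint" = "$expected" ] || { echo "endpoint $endpoint is not $expected" >&2; exit 1; }
  matches "$token" '^[a-z0-9]{6}\.[a-z0-9]{16}$' || { echo "bad token" >&2; exit 1; }
  matches "$hash" '^sha256:[0-9a-f]{64}$' || { echo "bad CA cert hash" >&2; exit 1; }
  matches "$key" '^[0-9a-f]{64}$' || { echo "bad certificate key" >&2; exit 1; }
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s --control-plane --certificate-key %s\n' \
    "$endpoint" "$token" "$hash" "$key"
)

# Constructed sample output (not real cluster secrets).
SAMPLE_JOIN='kubeadm join 10.98.83.105:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'
SAMPLE_CERTS='[upload-certs] Using certificate key:
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

build_cp_join "$SAMPLE_JOIN" "$SAMPLE_CERTS" 10.98.83.105:6443
```

Redirect the output into a file created under `umask 077` and delete it after the join: the certificate key decrypts the control plane certificates stored in the kubeadm-certs Secret, and the token admits nodes to the cluster.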