When upgrading the cluster, it's a good idea to refresh the certs that are not managed by either kubeadm (whose certs are updated during the upgrade process) or maintain-kubeusers (mostly user certs). That means the certs for the Prometheus server and the webhook controllers.
For the admission controller webhooks, rerun the get-cert.sh script, similar to what the doc describes, but do not bother with the ca-bundle.sh script, which is no longer necessary at all except for local testing. Rerunning get-cert.sh should inject the secret. To use the secret, delete the appropriate pods in the ingress-admission and registry-admission workspaces, one at a time, so that they restart. If in doubt, the READMEs in the repos for these are generally the most authoritative docs.
For the Prometheus ones, follow the doc on wikitech to recreate the certs.
Certs expire in a year, so they are probably getting old at this point.