Overview
Kubernetes clusters use TLS certificates for:- API server authentication
- etcd cluster communication
- kubelet authentication
- Service account token signing
- Controller manager and scheduler secure connections
Supported Clusters
Certificate rotation is available for:- RKE2 clusters (ClusterDriverRke2)
- K3s clusters (ClusterDriverK3s)
- Clusters managed through CAPI RKEControlPlane
Cluster Action
The certificate rotation action is defined in/home/daytona/workspace/source/pkg/apis/management.cattle.io/v3/cluster_types.go:35:
Certificate Rotation Input
The rotation input type (defined in/home/daytona/workspace/source/pkg/apis/management.cattle.io/v3/cluster_types.go:372):
Service Options
Valid service names for selective rotation:etcd- etcd peer and client certificateskubelet- kubelet serving and client certificateskube-apiserver- API server serving certificatekube-proxy- kube-proxy client certificatekube-scheduler- scheduler client certificatekube-controller-manager- controller manager client certificaterke2-server/k3s-server- Server component certificatesrke2-controller/k3s-controller- Controller certificatesadmin- Admin client certificatecloud-controller- Cloud controller client certificateauth-proxy- Authentication proxy certificate
Services is empty, all certificates are rotated.
Performing Certificate Rotation
Via Rancher UI
Via Rancher API
Trigger rotation via API:Rotation Process
The rotation workflow is implemented in/home/daytona/workspace/source/pkg/capr/planner/certificaterotation.go:17.
ControlPlaneInitialized is trueSpec.RotateCertificates.Generation vs Status.CertificateRotationGenerationNodes are rotated in this order (defined in
/home/daytona/workspace/source/pkg/capr/planner/certificaterotation.go:63):{runtime} certificate rotate -s {services}Rotation Plans
The planner generates node-specific rotation plans (from/home/daytona/workspace/source/pkg/capr/planner/certificaterotation.go:90):
Control Plane Node Plan
Worker Node Plan
Downtime Considerations
High Availability Clusters
- Control plane: Rolling restart with no downtime if 3+ control plane nodes
- Workloads: Continue running on worker nodes during control plane rotation
- API availability: May experience brief interruptions during API server rotation
Single-Node Clusters
- API unavailable: API server is unavailable during rotation
- Workload impact: Workloads continue running but cannot be managed
- Duration: Typically 2-5 minutes per node
Service-Specific Impact
Rotating specific services reduces downtime:- kubelet only: Minimal impact, no control plane restart
- etcd only: Brief etcd cluster interruption
- kube-apiserver only: API unavailable during rotation
CA Certificate Rotation
CA rotation:- Generates new root CA certificates
- Re-issues all service certificates with the new CA
- Requires all components to restart and trust the new CA
- Takes longer than standard certificate rotation
- Should be performed during scheduled maintenance
Certificate Expiration
Rancher tracks certificate expiration in the cluster status:- 30 days before expiration: Schedule rotation
- 7 days before expiration: Perform rotation
- After expiration: Cluster components will fail to authenticate
Troubleshooting
Rotation Fails to Start
- Cluster not initialized: Verify
Status.ControlPlaneInitializedistrue - No init node: Cluster must have an identified init node
- Previous rotation in progress: Wait for current rotation to complete
Node Fails Health Check
- Service failed to start: Check systemd logs
- Certificate mismatch: Old and new certificates may conflict
- etcd cluster issues: Verify etcd cluster health
Cluster Stuck During Rotation
- CAPI cluster paused: Verify CAPI cluster is paused during rotation
- Plan not applied: Check node plan status in RKE2 control plane
- Network issues: Ensure nodes can communicate during rotation
Kubeconfig Stops Working
After rotation, kubeconfig files may need updating:- Generate new kubeconfig: See Kubeconfig Access
- Update local kubeconfig:
kubectl config use-context {CLUSTER_NAME} - Distribute new kubeconfig to users
Best Practices
- Regular rotation: Rotate certificates every 6-12 months
- Before expiration: Rotate at least 30 days before expiration
- Selective rotation: Rotate specific services to minimize impact
- Maintenance windows: Schedule CA rotation during planned downtime
- Testing: Test rotation in non-production clusters first
- Monitoring: Track certificate expiration dates
- Documentation: Keep runbooks for rotation procedures