Does K3s Automatically Renew Client Certificates?

Asked By TechieNerd42 On

Hey everyone, I'm currently managing a K3s cluster on Hetzner Cloud and I've run into a little issue. I just downloaded a new `k3s.yaml` from the server, but I noticed that the `client-certificate-data` still shows an expiry date of **31 July 2025**, which is the same as my old certificate. This leads me to believe that K3s doesn't automatically renew the admin kubeconfig's client certificate, even though it does rotate other internal component certificates like the kubelet's. Can anyone confirm if K3s ever renews this certificate automatically? Or should I just plan to manually rotate it before it expires? Thanks!

1 Answer

Answered By CloudWhisperer On

Have you restarted the K3s instances at any point? I believe K3s only performs some certificate rotations after a full restart of the process. It might be worth checking that out!

TechieNerd42 -

Thanks for your response! Yes, the K3s server has been restarted since I set up the cluster, but even after downloading the fresh k3s.yaml, the client-certificate-data still had the same expiry date. From what I understand, it looks like a normal restart doesn't regenerate the admin kubeconfig client cert. Do you know if that certificate is only replaced when it's missing or is there a specific command in K3s for rotating it?
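To check the expiry discussed in this thread without external tools, the following added example (not from the posters or the K3s project) decodes `client-certificate-data` from a kubeconfig and reads the certificate's notAfter field with a minimal DER walker. The sample kubeconfig is constructed and holds a skeletal, unsigned certificate; the code assumes the client certificate is the first PEM block in the entry.

```python
import base64
import re
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Return the notAfter time of a DER X.509 certificate as a UTC datetime."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, end = _tlv(der, pos)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, start, pos = _tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(start)
    # Remaining order: serialNumber, signature, issuer, validity, ...
    _, _, nb_end = _tlv(der, fields[3])   # notBefore
    tag, s, e = _tlv(der, nb_end)         # notAfter
    # UTCTime (0x17) has a 2-digit year; GeneralizedTime (0x18) has 4 digits.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def client_cert_expiries(kubeconfig_text):
    """Expiry of the first certificate in every client-certificate-data entry."""
    expiries = []
    for m in re.finditer(r"client-certificate-data:\s*(\S+)", kubeconfig_text):
        pem = base64.b64decode(m.group(1)).decode("ascii")
        # Assumption: the client (leaf) certificate is the first PEM block.
        body = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
        expiries.append(cert_not_after(base64.b64decode(body.group(1))))
    return expiries

def sample_kubeconfig(not_after="250731120000Z"):
    """Constructed sample: skeletal, unsigned certificate wrapped like a kubeconfig."""
    d = lambda tag, body=b"": bytes([tag, len(body)]) + body
    validity = d(0x30, d(0x17, b"240731120000Z") + d(0x17, not_after.encode()))
    tbs = d(0x30, d(0xA0, d(0x02, b"\x02")) + d(0x02, b"\x01") + d(0x30) + d(0x30) + validity)
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(d(0x30, tbs)).decode()
    return "users:\n- name: default\n  user:\n    client-certificate-data: %s\n" % base64.b64encode(pem.encode()).decode()

if __name__ == "__main__":
    for exp in client_cert_expiries(sample_kubeconfig()):
        print(exp.isoformat(), "days left:", (exp - datetime.now(timezone.utc)).days)
```

To inspect a real file, pass its text to `client_cert_expiries` and compare the result before and after a restart or rotation to see whether the certificate was actually reissued.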
