K3s Certificate Rotation

Overview

TOS is deployed on K3s, a lightweight Kubernetes environment for streamlined container orchestration.
As part of TOS installation, K3s automatically generates the required certificates.

K3s certificate validity

Installing the TOS platform, or upgrading it, regenerates K3s certificates with a default validity period of 825 days.

TOS will stop functioning if the certificate expires. To prevent this scenario, make sure to rotate the certificates before the expiration date.

K3s certificate alerts and notifications

K3s monitors certificate validity and sends two types of notifications:

  • Warning, when fewer than 90 days remain until expiration

  • Critical, when fewer than 30 days remain until expiration

The tos status command displays the current status of the K3s certificates.
The deployment status in TOS Monitoring reflects the same information. For more information, see TOS Monitoring.

Maintenance mode

If the certificate is due to expire within seven days, TOS enters maintenance mode. All operations are suspended. To resume operations, you must manually rotate the K3s certificates.

Manually rotate K3s certificates

When you receive a notification alert or the TOS deployment status indicates that the K3s certificates are nearing expiration, manually rotate the certificates on the cluster to renew them. Manual rotation resets the certificate validity period to the default 825 days.

Rotate the certificates on each data and worker node.

  1. Stop TOS:

    [<ADMIN> ~]$ sudo tos stop
  2. Rotate the certificate. Repeat these commands on each data and worker node:

    [<ADMIN> ~]$ sudo systemctl stop k3s.service
    [<ADMIN> ~]$ sudo k3s certificate rotate
    [<ADMIN> ~]$ sudo systemctl start k3s.service
  3. Restart TOS:

    [<ADMIN> ~]$ sudo tos start
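
To check expiry on a node independently of tos status, or to confirm after rotation that the validity period was reset, the following added example (not part of the TOS or K3s tooling) reads certificate end dates with openssl and classifies them using the 90-day, 30-day and seven-day thresholds described above. The certificate path in the usage comment is the stock K3s default and is an assumption for a TOS install; the function names are illustrative, and "within seven days" is read as seven days or fewer.

```shell
#!/bin/sh
# Added example: classify K3s certificate expiry with the thresholds on this page.
# Usage (as root on a node):
#   sh k3s-cert-check.sh /var/lib/rancher/k3s/server/tls/*.crt
# That path is the stock K3s default (assumption; a TOS install may differ).

# Map days-until-expiry to the state this page describes.
# Assumption: "within seven days" means seven days or fewer.
classify_days() {
    days=$1
    if   [ "$days" -le 7 ];  then echo MAINTENANCE   # TOS suspends operations
    elif [ "$days" -lt 30 ]; then echo CRITICAL
    elif [ "$days" -lt 90 ]; then echo WARNING
    else echo OK
    fi
}

# Whole days between two epoch timestamps, rounded down (negative if expired).
days_between() {
    now=$1; end=$2
    diff=$(( end - now ))
    # Shell division truncates toward zero; push negative values down a day.
    if [ "$diff" -lt 0 ]; then echo $(( (diff - 86399) / 86400 ))
    else echo $(( diff / 86400 ))
    fi
}

# Days left on one PEM certificate. Needs openssl and GNU date (date -d).
cert_days_left() {
    end=$(openssl x509 -enddate -noout -in "$1") || return 1
    end_epoch=$(date -d "${end#notAfter=}" +%s) || return 1
    days_between "$(date +%s)" "$end_epoch"
}

# Print one line per certificate; return non-zero if any is not OK.
report() {
    rc=0
    for crt in "$@"; do
        if ! left=$(cert_days_left "$crt"); then
            echo "UNREADABLE $crt"; rc=1; continue
        fi
        state=$(classify_days "$left")
        printf '%-11s %5s days  %s\n' "$state" "$left" "$crt"
        [ "$state" = OK ] || rc=1
    done
    return "$rc"
}

# Run only when certificate paths are passed on the command line.
if [ "$#" -gt 0 ]; then report "$@"; fi
```

Immediately after a successful rotation every listed certificate should report close to 825 days; a non-zero exit status means at least one certificate is unreadable or already inside a notification threshold.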