How To Rotate The RKE2 Internal Certificate?

Issue Description: How to rotate the RKE2 internal certificate?

Background: The RKE2 internal (leaf) certificates, such as the kubelet, API server and etcd client and serving certificates, are issued with a one-year lifetime. When that year is almost up, it's important to rotate them. The cluster CA certificates have a 10-year lifetime and are not renewed by this procedure.


As this is a critical component, rotation is deliberately not automated in the background, so that administrators know the event is occurring. Ideally, schedule some downtime for it in case there are any unexpected issues.

It's also important to make sure alerts are set up for the cluster, as an alert is generated a few days before the certificate expires. Acting on this alert can prevent an outage. See more details on Kubernetes-system-kubelet .



Manually Checking The Expiry

  1. On any of the nodes the following command can be run (a server node has both server/tls and agent/tls; server/tls is checked first):

       # Directory path to check
       if [[ -d "/var/lib/rancher/rke2/server/tls" ]]; then
           dir="/var/lib/rancher/rke2/server/tls"
       else
           dir="/var/lib/rancher/rke2/agent/tls"
       fi
       # Loop through each .crt file in the directory
       for file in "$dir"/*.crt; do
           # Extract the expiry date (notAfter) from the certificate
           expiry=$(openssl x509 -enddate -noout -in "$file" | cut -d= -f 2-)
           # Get the file name without the path
           filename=$(basename "$file")
           # Print the filename and expiry date in a pretty format
           printf "%-30s %s\n" "$filename:" "$expiry"
       done

  2. This displays the expiry date of each certificate in that directory. Any certificate within 90 days of its expiry date is due for rotation.

Rotating the certificate

  1. Log in to each node and rotate one node at a time, starting with the server nodes. Wait for each node to come back Ready before moving on to the next, so that the cluster never has all of its servers stopped at once.
  2. On 21.10.X, the bundled version of RKE2 does not support the certificate rotate command. In that case, skip the rotate command and just restart the RKE2 service within 90 days of the expiration date: RKE2 renews certificates that are within 90 days of expiry when the service starts.
  3. For server nodes, run the following commands. The service must be stopped (not restarted) before rotating, and started again afterwards:

       sudo systemctl stop rke2-server
       sudo rke2 certificate rotate
       sudo systemctl start rke2-server

  4. For agent nodes, run the following commands:

       sudo systemctl stop rke2-agent
       sudo rke2 certificate rotate
       sudo systemctl start rke2-agent

  5. Afterwards, re-run the expiry check above on the node to confirm the new dates, and confirm the node is Ready with kubectl get nodes (on RKE2: /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes).
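The expiry check and the rotation procedure above, combined into one script as an added example that is not part of the original article or the RKE2 project. The `check` action classifies each certificate on this node against the 90-day renewal window and exits non-zero if any certificate is expired or inside it; the `rotate` action runs the stop, rotate, start sequence for whichever unit the node actually runs, falling back to the plain restart described in step 2 on builds that lack the rotate subcommand. It assumes openssl and the rke2 binary are on PATH, systemd units named rke2-server and rke2-agent, and detects the subcommand by grepping `rke2 --help`, which is an assumption of this example rather than a documented interface.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or the RKE2 project): checks
# the RKE2 leaf certificates on this node and, on request, performs the
# stop -> rotate -> start sequence for whichever unit the node runs.
# Assumptions: openssl and the rke2 binary are on PATH, the node runs
# systemd with the unit named rke2-server or rke2-agent, and the
# "certificate" subcommand is detected by grepping `rke2 --help`.
set -eu

# RKE2 renews certificates at service start when they are within this
# many days of expiry; the same window is used as the "rotate now" threshold.
AUTO_ROTATE_DAYS=90

# Same directory choice as the manual check: a server node has both
# server/tls and agent/tls, and server/tls is the one that matters.
rke2_tls_dir() {
    if [ -d /var/lib/rancher/rke2/server/tls ]; then
        echo /var/lib/rancher/rke2/server/tls
    else
        echo /var/lib/rancher/rke2/agent/tls
    fi
}

# Map a tls directory to the systemd unit that owns it.
rke2_unit_for_dir() {
    case "$1" in
        */server/tls*) echo rke2-server ;;
        *)             echo rke2-agent ;;
    esac
}

# Classify one certificate: unreadable, expired, rotate-soon or ok.
# openssl -checkend N exits 0 only if the cert is still valid N seconds from now.
cert_status() {
    local crt="$1"
    if ! openssl x509 -noout -in "$crt" >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -checkend 0 -noout -in "$crt" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -checkend $((AUTO_ROTATE_DAYS * 86400)) -noout -in "$crt" >/dev/null 2>&1; then
        echo rotate-soon
    else
        echo ok
    fi
}

# Print name, status and notAfter for every .crt in a directory.
# Returns 1 if any certificate is not "ok", so it can gate the rotation.
report_status() {
    local dir="$1" crt status needed=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue        # empty directory: the glob did not match
        status=$(cert_status "$crt")
        printf '%-28s %-12s %s\n' "$(basename "$crt")" "$status" \
            "$(openssl x509 -enddate -noout -in "$crt" 2>/dev/null | cut -d= -f2-)"
        [ "$status" = ok ] || needed=1
    done
    return $needed
}

# Stop -> rotate -> start for this node, then re-check. On a build without
# the rotate subcommand, fall back to the restart described in the article,
# which relies on RKE2's own renewal inside the AUTO_ROTATE_DAYS window.
rotate_node() {
    local dir="$1" unit
    unit=$(rke2_unit_for_dir "$dir")
    if rke2 --help 2>&1 | grep -qw certificate; then
        sudo systemctl stop "$unit"      # stop, not restart: rotate needs the service down
        sudo rke2 certificate rotate
        sudo systemctl start "$unit"
    else
        echo "rke2 has no 'certificate rotate'; restarting $unit instead" >&2
        sudo systemctl restart "$unit"
    fi
    report_status "$dir"                 # non-zero exit means rotation did not take
}

case "${1:-}" in
    check)  report_status "$(rke2_tls_dir)" ;;   # exit 1 if any cert needs rotation
    rotate) rotate_node "$(rke2_tls_dir)" ;;
    "")     echo "usage: $0 check|rotate" >&2 ;; # no action: only define the functions
    *)      echo "usage: $0 check|rotate" >&2; exit 2 ;;
esac
```

Run `./rke2-certs.sh check` on every node before the maintenance window; a non-zero exit tells you the node is due. Run `./rke2-certs.sh rotate` on one node at a time, servers first, and confirm the node is Ready before moving on. The final `report_status` call after rotation is the check that the new certificates really were written; if it still reports `rotate-soon` or `expired`, the service came back up on the old files and the node should be investigated before continuing.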