How can i trigger a certificate rotation of kube-controller-manager and kube-scheduler certificates before they expire ? all the other rke2 certificates seem to have been rotated all nodes have been rebooted, but these 2 still have not rotated. rotate certificates in rancher gui, or rke2 command do not seem to do anything for these 2. this is a rke2 rancher installed kluster, running v1.22.7+rke2r2 kube-controller-manager/kube-controller-manager.crt: Not After : Apr 25 18:15:06 2023 GMT kube-scheduler/kube-scheduler.crt: Not After : Apr 25 18:15:06 2023 GMT

Did you try going through your masters one at a time and doing a

systemctl restart rke2-server

? Maybe a stop, wait a minute, then start if restart doesn't work? Those are both static pods that are controlled by the rke2-server service, and in theory those get cycled when the service restarts (which a reboot should do too, but can't hurt to try explicitly). I know a node reboot will stop it and restart it, but sometimes a reboot ends up getting treated differently than a service restart.

yes, i have tried that on all 3 controller nodes. since i did not know if it would happen when one restarted one, or when all was restarted. but when that did not work. I did a rolling reboot of all nodes. have also tried to restart rke2-server on one of the rebooted controller nodes. but still Not After : Apr 25 18:15:06 2023 GMT

@gray-lawyer-73831 Thanks, but unfortunately that was one of the first things i tried. The problem was that that method did not rotate those 2 certificates. kubernetes have to manage them, but it does not. i deleted the cert and key files and restarted the containers and they make new self signed certs. with this method : https://github.com/rancher/rancher/issues/41125#issuecomment-1506620040