I found this script certs.sh in the k3s github repo. It seems to create ssl certs in the tls folder. The script seems to indicate that its -days 7300 nr of days before expire. If i run this script then i would not need to bother with ssl cert rotation right? (its running within an isloated environment). . Given that i run this before k3s i started.

That is just for the CA certs. The client and server certs are still only valid for a year.

Thanks @creamy-pencil-82913 can i create those myself as well with similar expiration? If so do you know where to find examples of where its done in the installer script

Not easily. There are a lot of them and we don't have any instructions covering that as it's not something that we generally recommend hand-rolling. If you're not patching, just schedule the k3s service to restart once a month and you should be fine.

yes that was my concern. how does that work if i have incoming requests?

Requests to what

services runing within k3s

All the pods keep running. The iptables rules routing traffic remain in place. Your workload shouldn't be affected at all by restating it. I would do some testing to see what the impact of a restart actually is before you do a bunch of work to try to extend the cert validity by hand when the restarts are unlikely to cause even a blip in your apps.

Ah thanks that makes total sense. Thanks for all the help @creamy-pencil-82913 🤩