#k3s

cold-rain-40382

02/21/2023, 9:27 AM
I found this script certs.sh in the k3s GitHub repo. It seems to create SSL certs in the tls folder. The script seems to indicate that it's -days 7300, the number of days before expiry. If I run this script then I would not need to bother with SSL cert rotation, right? (It's running within an isolated environment.) Given that I run this before k3s is started.

creamy-pencil-82913

02/21/2023, 9:30 AM
That is just for the CA certs. The client and server certs are still only valid for a year.

cold-rain-40382

02/21/2023, 9:32 AM
Thanks @creamy-pencil-82913, can I create those myself as well with similar expiration? If so, do you know where to find examples of where it's done in the installer script?

creamy-pencil-82913

02/21/2023, 9:34 AM
Not easily. There are a lot of them and we don't have any instructions covering that as it's not something that we generally recommend hand-rolling. If you're not patching, just schedule the k3s service to restart once a month and you should be fine.
Restarting k3s won't take your workload down, if that's what you're concerned about.

cold-rain-40382

02/21/2023, 9:36 AM
Yes, that was my concern. How does that work if I have incoming requests?

creamy-pencil-82913

02/21/2023, 9:36 AM
Requests to what?

cold-rain-40382

02/21/2023, 9:37 AM
Services running within k3s.

creamy-pencil-82913

02/21/2023, 9:39 AM
All the pods keep running. The iptables rules routing traffic remain in place. Your workload shouldn't be affected at all by restarting it. I would do some testing to see what the impact of a restart actually is before you do a bunch of work to try to extend the cert validity by hand when the restarts are unlikely to cause even a blip in your apps.

cold-rain-40382

02/21/2023, 9:43 AM
Ah thanks that makes total sense. Thanks for all the help @creamy-pencil-82913 🤩