53 changes: 18 additions & 35 deletions content/en/docs/operations/cluster/rotate-ca.md
Expand Up @@ -16,55 +16,38 @@ Rotation of the root CA is only needed:
- when you want to revoke access to the cluster for a leaked `talosconfig` or `kubeconfig`;
- once in 10 years.

### Rotate CA for the Management Kubernetes Cluster:
### Rotate CA for Talos API

To rotate the Talos CA for the management cluster, use the following command:

See: https://www.talos.dev/v1.9/advanced/ca-rotation/#kubernetes-api
First, run in dry-run mode to preview the changes:

```bash
git clone https://github.com/cozystack/cozystack.git
cd packages/core/testing
make apply
make exec
talm -f nodes/node.yaml rotate-ca --talos=true --kubernetes=false
Contributor

medium

The filename nodes/node.yaml seems inconsistent with the talm setup guide (talm.md), which uses node-specific files like nodes/node1.yaml. To improve clarity and consistency across the documentation, consider using a more specific placeholder like nodes/node1.yaml or nodes/<your-node-file>.yaml. This comment applies to all talm commands in this file.

Suggested change
talm -f nodes/node.yaml rotate-ca --talos=true --kubernetes=false
talm -f nodes/node1.yaml rotate-ca --talos=true --kubernetes=false

```

Add this to your talosconfig in a pod:

```yaml
client-aenix-new:
endpoints:
- 12.34.56.77
- 12.34.56.78
- 12.34.56.79
nodes:
- 12.34.56.77
- 12.34.56.78
- 12.34.56.79
```
Then, execute the actual rotation:

Execute in a pod:
```bash
talosctl rotate-ca -e 12.34.56.77,12.34.56.78,12.34.56.79 \
--control-plane-nodes 12.34.56.77,12.34.56.78,12.34.56.79 \
--talos=false \
--dry-run=false &
talm -f nodes/node.yaml rotate-ca --talos=true --kubernetes=false --dry-run=false
```

Get a new kubeconfig:
```bash
talm kubeconfig -f nodes/srv1.yaml
```
After the rotation is complete, download the new `talosconfig` from the secrets.
Contributor


medium

The instruction "download the new talosconfig from the secrets" is a bit vague. To make the documentation more actionable for users, it would be very helpful to provide the specific command to download the new talosconfig. This would make the guide much easier to follow.


### Rotate CA for Talos API
### Rotate CA for the Management Kubernetes Cluster

To rotate the Kubernetes CA for the management cluster, use the following command:

First, run in dry-run mode to preview the changes:

See: https://www.talos.dev/v1.9/advanced/ca-rotation/#talos-api
```bash
talm -f nodes/node.yaml rotate-ca --talos=false --kubernetes=true
```

All commands are like for the management k8s cluster, but with `talosctl` command:
Then, execute the actual rotation:

```bash
talosctl rotate-ca -e 12.34.56.77,12.34.56.78,12.34.56.79 \
--control-plane-nodes 12.34.56.77,12.34.56.78,12.34.56.79 \
--kubernetes=false \
--dry-run=false &
talm -f nodes/node.yaml rotate-ca --talos=false --kubernetes=true --dry-run=false
```

### Rotate CA for a Tenant Kubernetes Cluster
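Review bot: The rewritten "Rotate CA for the Management Kubernetes Cluster" section drops the step for obtaining a new kubeconfig: the old `talm kubeconfig -f nodes/srv1.yaml` step is removed and nothing replaces it after `talm -f nodes/node.yaml rotate-ca --talos=false --kubernetes=true --dry-run=false`, so a reader who rotates the Kubernetes CA is left with an invalidated kubeconfig and no instruction to fetch a new one. Add a closing step for that section that mirrors the "After the rotation is complete, download the new `talosconfig`" note in the Talos API section (and, as the inline comment on that note already asks, give the concrete command rather than "from the secrets"). A smaller point for both sections: the "dry-run mode" preview command relies on `--dry-run` defaulting to true while the follow-up command passes `--dry-run=false` explicitly; writing `--dry-run=true` on the preview command makes the pair symmetric and keeps the preview step non-destructive even if the default ever changes.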