How to renew expired certificates after a year?

[zek]

I have been running my kubernetes cluster for a year.
Certificates are expired and I can't access cluster anymore.
Any guide how to renew certificates?

[jr-dimedis]

TL;DR: just execute terraform apply again.

According to the k3s documentation certificates are rotated automatically 90 days before expiration on server / node (re)start:

• https://docs.k3s.io/cli/certificate

The new certificates will be stored in this directory: /var/lib/rancher/k3s/server/tls

As well a new kubeconfig file is installed here: /etc/rancher/k3s/k3s.yaml

This file on the first control plane node is the source for kube-hetzner to create a local copy of the kubeconfig, which requires a few changes e.g. the actual ip address of your cluster, since the original file uses 127.0.0.1 at this point.

To recreate the kubeconfig file with kube-hetzner just run terraform apply:

# This will recognize the changed file on the first control plane node 
terraform apply

# A new ${cluster_name}_kubeconfig.yaml was created for you

If you don't get a new certificate with this procedure your nodes were not recently restarted, so you should do this manually now. I'd recommend to do this at first only for the first control plane node using SSH + systemctl restart k3s and then get a new kubeconfig using the procedure described above. Then you are able to use kubectl again and should use drain + restart + uncordon for all other nodes instead of hard restarting k3s.