From e9597732acdd693a72ffa50b87c4368b9b03405d Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Fri, 23 Jan 2026 22:03:06 +0100 Subject: [PATCH] docs(operations): complete CA rotation documentation Add detailed instructions for Talos and Kubernetes CA rotation, Co-Authored-By: Claude Signed-off-by: Andrei Kvapil --- .../en/docs/operations/cluster/rotate-ca.md | 53 +++++++------------ 1 file changed, 18 insertions(+), 35 deletions(-) diff --git a/content/en/docs/operations/cluster/rotate-ca.md b/content/en/docs/operations/cluster/rotate-ca.md index e4c246c4..9ba728de 100644 --- a/content/en/docs/operations/cluster/rotate-ca.md +++ b/content/en/docs/operations/cluster/rotate-ca.md 
@@ -16,55 +16,38 @@ Rotation of the root CA is only needed: - when you want to revoke access to the cluster for a leaked `talosconfig` or `kubeconfig`; - once in 10 years. -### Rotate CA for the Management Kubernetes Cluster: +### Rotate CA for Talos API + +To rotate the Talos CA for the management cluster, use the following command: -See: https://www.talos.dev/v1.9/advanced/ca-rotation/#kubernetes-api +First, run in dry-run mode to preview the changes: ```bash -git clone https://github.com/cozystack/cozystack.git -cd packages/core/testing -make apply -make exec +talm -f nodes/node.yaml rotate-ca --talos=true --kubernetes=false ``` -Add this to your talosconfig in a pod: - -```yaml -client-aenix-new: - endpoints: - - 12.34.56.77 - - 12.34.56.78 - - 12.34.56.79 - nodes: - - 12.34.56.77 - - 12.34.56.78 - - 12.34.56.79 -``` +Then, execute the actual rotation: -Execute in a pod: ```bash -talosctl rotate-ca -e 12.34.56.77,12.34.56.78,12.34.56.79 \ - --control-plane-nodes 12.34.56.77,12.34.56.78,12.34.56.79 \ - --talos=false \ - --dry-run=false & +talm -f nodes/node.yaml rotate-ca --talos=true --kubernetes=false --dry-run=false ``` -Get a new kubeconfig: -```bash -talm kubeconfig -f nodes/srv1.yaml -``` +After the rotation is complete, download the new `talosconfig` from the secrets. 
-### Rotate CA for Talos API +### Rotate CA for the Management Kubernetes Cluster + +To rotate the Kubernetes CA for the management cluster, use the following command: + +First, run in dry-run mode to preview the changes: -See: https://www.talos.dev/v1.9/advanced/ca-rotation/#talos-api +```bash +talm -f nodes/node.yaml rotate-ca --talos=false --kubernetes=true +``` -All commands are like for the management k8s cluster, but with `talosctl` command: +Then, execute the actual rotation: ```bash -talosctl rotate-ca -e 12.34.56.77,12.34.56.78,12.34.56.79 \ - --control-plane-nodes 12.34.56.77,12.34.56.78,12.34.56.79 \ - --kubernetes=false \ - --dry-run=false & +talm -f nodes/node.yaml rotate-ca --talos=false --kubernetes=true --dry-run=false ``` ### Rotate CA for a Tenant Kubernetes Cluster
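Review bot: the Kubernetes section of this hunk drops the `talm kubeconfig -f nodes/srv1.yaml` step without a replacement, so after `talm -f nodes/node.yaml rotate-ca --talos=false --kubernetes=true --dry-run=false` the reader still holds a kubeconfig issued under the old CA and is not told how to obtain a new one; add a closing line parallel to the Talos section's "After the rotation is complete, download the new `talosconfig` from the secrets.", and in both places name the secret to read, since "from the secrets" does not tell the operator where to look. Two smaller points: both sections open with "use the following command:" immediately followed by "First, run in dry-run mode to preview the changes:", so the first lead-in is redundant, and the preview command relies on the default rather than passing `--dry-run=true` explicitly, which would make the preview/apply pair symmetrical and harder to misread. The links to the upstream pages (https://www.talos.dev/v1.9/advanced/ca-rotation/#kubernetes-api and https://www.talos.dev/v1.9/advanced/ca-rotation/#talos-api) are also removed; they were the only pointers to what rotation does to existing clients, which matters given that the page's stated reason for rotating is revoking a leaked `talosconfig` or `kubeconfig`, so consider keeping them as a "See also".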