docs(operations): complete CA rotation documentation #406

Merged: kvaps merged 1 commit into main from ca-rotation-docs on Mar 11, 2026

@kvaps (Member) commented Jan 23, 2026

Summary

  • Add detailed instructions for Talos and Kubernetes CA rotation with dry-run preview steps
  • Include post-rotation notes about downloading new talosconfig/kubeconfig

Summary by CodeRabbit

  • Documentation
    • Reorganized certificate authority rotation guide with clearly separated, comprehensive procedures for independently rotating Talos API and Kubernetes API certificates using updated rotation methods.
    • Enhanced post-rotation credential retrieval with streamlined, clearer instructions for securely downloading and managing updated configuration files and authentication credentials.

netlify bot commented Jan 23, 2026

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit e959773
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6973e3660732af000773d2e9
😎 Deploy Preview https://deploy-preview-406--cozystack.netlify.app

@coderabbitai bot (Contributor) commented Jan 23, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between e959773 and 3cdce4b.

📒 Files selected for processing (1)
  • content/en/docs/v1/operations/cluster/rotate-ca.md
Walkthrough

Documentation for CA rotation procedures was reorganized and updated. Section headings were swapped to present Talos API rotation first, followed by Kubernetes cluster rotation. Command examples were changed from talosctl-based to talm-based workflows with explicit flag configurations, and post-rotation secret retrieval instructions were simplified.

Changes

  • Cohort / File(s): Documentation Updates (content/en/docs/operations/cluster/rotate-ca.md)
  • Summary: Reorganized CA rotation sections with swapped heading order. Replaced talosctl commands with talm-based workflows using --talos=true --kubernetes=false for Talos API rotation and --talos=false --kubernetes=true for Kubernetes cluster rotation. Updated post-rotation secret retrieval instructions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks: ✅ 3 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'docs(operations): complete CA rotation documentation' directly and clearly describes the main change—completing CA rotation documentation for operations, which aligns with the PR's objective to add detailed CA rotation instructions for both Talos and Kubernetes.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@gemini-code-assist (Contributor)

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the operational documentation for cluster management by providing comprehensive and user-friendly instructions for Certificate Authority rotation. The updates aim to clarify the process for both Talos and Kubernetes CAs, incorporating best practices like dry-run previews and explicit steps for obtaining new configuration files, thereby improving the reliability and safety of CA rotation procedures.

Highlights

  • Updated CA Rotation Instructions: The documentation for Certificate Authority (CA) rotation has been significantly updated to provide detailed, step-by-step instructions for both Talos API and Kubernetes CA rotation within a management cluster.
  • Dry-Run Preview Steps: New instructions now include explicit dry-run commands for both Talos and Kubernetes CA rotations, allowing users to preview changes before applying them.
  • Post-Rotation Configuration Download: Guidance has been added for users to download new talosconfig and kubeconfig files from secrets after a successful CA rotation, ensuring they have the updated credentials.
  • Simplified Command Usage: Outdated git clone, make, and talosctl commands with hardcoded IPs have been replaced with streamlined talm commands, improving clarity and ease of use.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request significantly improves the documentation for CA rotation by providing clearer, step-by-step instructions for both Talos and Kubernetes CAs. The new structure with distinct dry-run steps is much easier to follow and safer for operators. I've added a few suggestions to further enhance clarity and consistency by providing specific commands for downloading new configurations and using consistent file paths as shown in other parts of the documentation.

cd packages/core/testing
make apply
make exec
talm -f nodes/node.yaml rotate-ca --talos=true --kubernetes=false
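
Review bot: the talm line at the end of this snippet does not say whether it is a preview or an apply. It carries no --dry-run flag, while the Kubernetes apply command quoted further down this review passes --dry-run=false. Consider writing the flag explicitly on both the preview and the apply command, so that a reader who copies a single line knows whether it will replace the Talos API CA on the node.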

medium

The filename nodes/node.yaml seems inconsistent with the talm setup guide (talm.md), which uses node-specific files like nodes/node1.yaml. To improve clarity and consistency across the documentation, consider using a more specific placeholder like nodes/node1.yaml or nodes/<your-node-file>.yaml. This comment applies to all talm commands in this file.

Suggested change
talm -f nodes/node.yaml rotate-ca --talos=true --kubernetes=false
talm -f nodes/node1.yaml rotate-ca --talos=true --kubernetes=false

```bash
talm kubeconfig -f nodes/srv1.yaml
```
After the rotation is complete, download the new `talosconfig` from the secrets.

medium

The instruction "download the new talosconfig from the secrets" is a bit vague. To make the documentation more actionable for users, it would be very helpful to provide the specific command to download the new talosconfig. This would make the guide much easier to follow.

talm -f nodes/node.yaml rotate-ca --talos=false --kubernetes=true --dry-run=false
```

After the rotation is complete, download the new `kubeconfig` from the secrets.

medium

The instruction "download the new kubeconfig from the secrets" could be more specific. The talm setup guide shows using talm kubeconfig to get the configuration. It would be very helpful to include the full command here to make the documentation self-contained and easier to follow. For example:

talm kubeconfig -f nodes/node1.yaml > kubeconfig

@kvaps kvaps marked this pull request as ready for review March 11, 2026 17:11
@kvaps kvaps requested a review from lllamnyp as a code owner March 11, 2026 17:11
Add detailed instructions for Talos and Kubernetes CA rotation,

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Andrei Kvapil <[email protected]>
@kvaps kvaps force-pushed the ca-rotation-docs branch from e959773 to 3cdce4b Compare March 11, 2026 17:12

netlify bot commented Mar 11, 2026

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit 3cdce4b
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/69b1a296833a150008ce77d5
😎 Deploy Preview https://deploy-preview-406--cozystack.netlify.app

@kvaps kvaps merged commit 70f55b3 into main Mar 11, 2026
4 of 5 checks passed
@kvaps kvaps deleted the ca-rotation-docs branch March 11, 2026 17:13