This guide covers routine maintenance procedures, certificate management, and advanced operational tasks for Akash providers.
Stop Provider Services for Maintenance
Critical: Always stop the akash-provider service before performing maintenance on your Kubernetes cluster. Failure to do so may result in lost leases.
See GitHub Issue #64 for details.
Stop the Provider
kubectl -n akash-services get statefulsets
kubectl -n akash-services scale statefulsets akash-provider --replicas=0
Verify Provider Stopped
kubectl -n akash-services get statefulsets
kubectl -n akash-services get pods -l app=akash-provider
Expected: No akash-provider pods running.
Restart Provider After Maintenance
kubectl -n akash-services scale statefulsets akash-provider --replicas=1
Kubernetes Certificate Rotation
When Kubernetes certificates expire, cluster access will fail with Unauthorized errors. Rotate certificates proactively to avoid downtime.
Check Certificate Expiration
kubeadm certs check-expiration
Example Output
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 20, 2026 17:12 UTC   364d            ca                      no
apiserver                  Feb 20, 2026 17:12 UTC   364d            ca                      no
apiserver-etcd-client      Feb 20, 2026 17:12 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Feb 20, 2026 17:12 UTC   364d            ca                      no
controller-manager.conf    Feb 20, 2026 17:12 UTC   364d            ca                      no
etcd-healthcheck-client    Feb 20, 2026 17:12 UTC   364d            etcd-ca                 no
etcd-peer                  Feb 20, 2026 17:12 UTC   364d            etcd-ca                 no
etcd-server                Feb 20, 2026 17:12 UTC   364d            etcd-ca                 no
front-proxy-client         Feb 20, 2026 17:12 UTC   364d            front-proxy-ca          no
scheduler.conf             Feb 20, 2026 17:12 UTC   364d            ca                      no
Backup etcd Database
Critical: Always back up etcd before rotating certificates. The etcd database contains your entire cluster state.
export $(grep -v '^#' /etc/etcd.env | xargs -d '\n')
etcdctl -w table member list
etcdctl endpoint health --cluster -w table
etcdctl endpoint status --cluster -w table
etcdctl snapshot save node1.etcd.backup
Backup Current Certificates (Optional)
tar czf etc_kubernetes_ssl_etcd_bkp.tar.gz /etc/kubernetes /etc/ssl/etcd
Renew Certificates
HA Clusters: For HA Kubernetes clusters with multiple control plane nodes:
- Perform these steps on one control plane node at a time
- Start with the primary control plane node
- Verify cluster health before proceeding to the next node
- This ensures the cluster remains operational during renewal
To check if you have HA:
kubectl get nodes -l node-role.kubernetes.io/control-plane
Step 1: Renew All Certificates
kubeadm certs renew all
Step 2: Update kubeconfig
mv -vi /root/.kube/config /root/.kube/config.old
cp -pi /etc/kubernetes/admin.conf /root/.kube/config
Step 3: Restart Control Plane Components
Restart in this specific order:
kubectl -n kube-system delete pods -l component=kube-apiserver
kubectl -n kube-system delete pods -l component=kube-scheduler
kubectl -n kube-system delete pods -l component=kube-controller-manager
systemctl restart etcd.service
Step 4: Verify Renewal
kubeadm certs check-expiration
All certificates should show ~365 days remaining.
Step 5: Repeat for Other Control Plane Nodes
If you have an HA cluster, repeat Steps 1-4 on each additional control plane node, one at a time.
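To rotate proactively rather than after an Unauthorized error, the RESIDUAL TIME column of kubeadm certs check-expiration can be checked on a schedule. The script below is an added example, not part of the Akash documentation; the function names and the sample output are constructed, and the duration formats it handles (combinations of y/d/h/m/s units, and "<invalid>" for an expired certificate) are an assumption about how kubeadm prints that column.

```shell
#!/bin/sh
# Added example: list certificates whose RESIDUAL TIME is below a threshold.

# Constructed sample in the layout printed by `kubeadm certs check-expiration`.
sample_output() {
cat <<'EOF'
CERTIFICATE          EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf           Feb 20, 2026 17:12 UTC   364d            ca                      no
apiserver            Mar 01, 2025 09:00 UTC   9d              ca                      no
etcd-server          Feb 21, 2025 17:12 UTC   23h             etcd-ca                 no
front-proxy-client   Feb 19, 2025 17:12 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 18, 2035 17:12 UTC   9y              no
EOF
}

# certs_expiring_within DAYS: reads check-expiration output on stdin and
# prints "name residual" for every certificate with fewer than DAYS left.
certs_expiring_within() {
    awk -v limit="$1" '
    function to_days(s,    days, n, unit) {
        if (s == "<invalid>") return -1      # assumed marker for an expired cert
        days = 0
        while (match(s, /^[0-9]+[ydhms]/)) { # consume tokens such as 2d, 3h, 9y
            n = substr(s, 1, RLENGTH - 1) + 0
            unit = substr(s, RLENGTH, 1)
            if (unit == "y") days += n * 365
            else if (unit == "d") days += n
            else if (unit == "h") days += n / 24
            s = substr(s, RLENGTH + 1)       # minutes and seconds count as 0 days
        }
        return days                          # unparsed text yields 0: flagged
    }
    # Data rows carry the time zone in field 6; headers and log lines do not.
    $6 == "UTC" && to_days($7) < limit { print $1, $7 }
    '
}

# Demo on the constructed sample. On a control plane node:
#   kubeadm certs check-expiration | certs_expiring_within 30
sample_output | certs_expiring_within 30
```

Any output means at least one certificate needs renewal within the chosen window, so the function can feed a cron alert directly.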