From 3d4c2cf2cfd93b4bb4c918d3885272089341d798 Mon Sep 17 00:00:00 2001
From: Brad Davidson <brad.davidson@rancher.com>
Date: Tue, 12 Aug 2025 00:18:57 +0000
Subject: [PATCH] Fix cert startup check events

Ensure that cert checks don't run until after the apiserver is ready to receive events

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
---
 pkg/certmonitor/certmonitor.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/certmonitor/certmonitor.go b/pkg/certmonitor/certmonitor.go
index 53e6ad6348b..38b97edbf22 100644
--- a/pkg/certmonitor/certmonitor.go
+++ b/pkg/certmonitor/certmonitor.go
@@ -11,6 +11,7 @@ import (
 
 	daemonconfig "github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/daemons/control/deps"
+	"github.com/k3s-io/k3s/pkg/daemons/executor"
 	"github.com/k3s-io/k3s/pkg/metrics"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/services"
@@ -84,6 +85,9 @@ func Setup(ctx context.Context, nodeConfig *daemonconfig.Node, dataDir string) e
 	}
 
 	go wait.Until(func() {
+		// don't check and create events until after the apiserver is up, otherwise the events may be lost.
+		<-executor.APIServerReadyChan()
+
 		logrus.Debugf("Running %s certificate expiration check", controllerName)
 		var hasErr bool
 		if err := checkCerts(nodeMap, time.Hour*24*daemonconfig.CertificateRenewDays); err != nil {