Add section on k3s token rotate

docs/cli/token.md

@@ -92,6 +92,7 @@ COMMANDS:
    delete    Delete bootstrap tokens on the server
    generate  Generate and print a bootstrap token, but do not create it on the server
    list      List bootstrap tokens on the server
+   rotate    Rotate original server token with a new bootstrap token
 
 OPTIONS:
    --help, -h  show help
@@ -141,3 +142,22 @@ Flag | Description
 `--data-dir` value   | Folder to hold state (default: /var/lib/rancher/k3s or $\{HOME\}/.rancher/k3s if not root)
 `--kubeconfig` value | Server to connect to [$KUBECONFIG]
 `--output` value     | Output format. Valid options: text, json (default: "text")
+
+#### `k3s token rotate`
+
+:::info Version Gate
+Avaliable as of 2023-10 releases (v1.28.2+k3s1, v1.27.7+k3s1, v1.26.10+k3s1, v1.25.15+k3s1).
+:::
+
+Rotate original server token with a new bootstrap token. After running this command, all servers and any agents that originally joined with the old token must be restarted with the new token.
+
+If you do not specify a new token, one will be generated for you.
+
+ Flag | Description                                                                                
+ ---- | ----
+`--data-dir` value   | Folder to hold state (default: /var/lib/rancher/k3s or $\{HOME\}/.rancher/k3s if not root)
+`--kubeconfig` value | Server to connect to [$KUBECONFIG]     
+`--server` value     | Server to connect to (default: "https://127.0.0.1:6443") [$K3S_URL]                                                    
+`--token` value      | Existing token used to join a server or agent to a cluster [$K3S_TOKEN]                   
+`--new-token` value  | New token that replaces existing token   
+