Description
Currently, the addon-framework supports signing certificate requests on the spoke cluster. However, it appears to lack a renewal mechanism for signed certificates.
For example, when a certificate is signed using a CA via the registration process, it remains valid only as long as the CA is. If the CA expires or becomes invalid, and a new CA is issued, the signed certificate on the spoke cluster will no longer work.
The challenge is that there is no automated way to trigger the registration workflow to re-sign or update the certificate in the spoke cluster. Currently, the only available solution is to manually delete the certificate in the spoke cluster.
Open Question:
How can we automate the certificate renewal process in the spoke cluster when the CA changes?