This issue is a requirement to allow CA lifecycle management on Elemental machines, but it can also be generalized to simply reapply the MachineRegistration and all of its logic when running upgrades.
In this way, not only can a CA cert be renewed (for example, by updating all machines before updating your ingress), but it will also enable MachineRegistration's cloud-config update, if needed. We could also have toggles to allow or disallow updates of certain logic when it makes sense, for example the cloud-config, since it could lead to undesirable outcomes.
Note that a requirement for doing this safely is to use OEM partition snapshots, so that any applied change can be rolled back on a failed boot assessment.