In Kubernetes, rotating CA certificates is a non-trivial operation. Adding the Cluster API constraints (machine immutability and the destroy-and-replace VM strategy) makes this operation even harder, because CAPI doesn't support automated CA rotation yet.
Cluster API expects the certificates and keys used for bootstrapping to follow the convention below. CABPK (the kubeadm bootstrap provider) generates new certificates using this convention if they do not already exist (at sens, an initJob is started before applying a cluster to guarantee that a self-signed certificate is never created for any cluster).
Each certificate must be stored in a single secret named one of:
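As an added example (not code from the page or from Cluster API itself), the two checks such an initJob needs: which expected secrets are still missing, so that CABPK would self-sign them, and a builder for the CA secret in the documented layout. The secret-name suffixes, the `tls.crt`/`tls.key` data keys and the `cluster.x-k8s.io/cluster-name` label are taken from the Cluster API certificate docs, not from this page, and are assumptions here; the PEM blobs are constructed placeholders, not real key material.

```python
import base64
from typing import Dict, List

# Assumption: suffixes from the Cluster API certificate-management docs
# (this page truncates the list).
CAPI_CERT_SUFFIXES = ("ca", "etcd", "sa", "proxy")

# Constructed placeholders only; not a real certificate or key.
SAMPLE_CA_CERT = ("-----BEGIN CERTIFICATE-----\n"
                  "MIIBconstructedPlaceholderNotARealCert\n"
                  "-----END CERTIFICATE-----\n")
SAMPLE_CA_KEY = ("-----BEGIN EC PRIVATE KEY-----\n"
                 "MHcconstructedPlaceholderNotARealKey\n"
                 "-----END EC PRIVATE KEY-----\n")


def expected_secret_names(cluster_name: str) -> List[str]:
    """Secret names CABPK looks up for a cluster, in the documented convention."""
    return [f"{cluster_name}-{suffix}" for suffix in CAPI_CERT_SUFFIXES]


def secrets_cabpk_would_generate(cluster_name: str, existing: List[str]) -> List[str]:
    """Pre-apply check: every expected secret that is absent will be created by
    CABPK as a self-signed certificate, so the initJob must create it first."""
    present = set(existing)
    return [n for n in expected_secret_names(cluster_name) if n not in present]


def _check_pem(blob: str, want_key: bool) -> None:
    """Reject the common mistake of swapping tls.crt and tls.key contents."""
    first = blob.splitlines()[0] if blob else ""
    is_key = first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----")
    is_cert = first == "-----BEGIN CERTIFICATE-----"
    if want_key and not is_key:
        raise ValueError("tls.key must be a PEM private key block")
    if not want_key and not is_cert:
        raise ValueError("tls.crt must be a PEM CERTIFICATE block")


def build_ca_secret(cluster_name: str, namespace: str, cert_pem: str, key_pem: str) -> Dict:
    """Build the <cluster>-ca Secret manifest the initJob applies before the Cluster."""
    _check_pem(cert_pem, want_key=False)
    _check_pem(key_pem, want_key=True)
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",  # assumption: any type carrying tls.crt/tls.key keys
        "metadata": {"name": f"{cluster_name}-ca", "namespace": namespace,
                     "labels": {"cluster.x-k8s.io/cluster-name": cluster_name}},
        "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)},
    }
```

Run `secrets_cabpk_would_generate` against the secrets already in the cluster's namespace before `kubectl apply` of the Cluster object; a non-empty result means CABPK would self-sign on this apply.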