In general, you almost never need to rotate the root CA certificate and key for the Talos API and Kubernetes API. Talos sets up root certificate authorities with the lifetime of 10 years, and all Talos and Kubernetes API certificates are issued by these root CAs. So the rotation of the root CA is only needed if: you suspect that the private key has been compromised; you want to revoke access to the cluster for a leaked talosconfig or kubeconfig; once in 10 years. Overview There are some detai...
