Rotating certificates via annotation #876
prometherion started this conversation in Feature Requests
Implemented via #877
Kamaji allows the rotation of certificates via an opinionated approach, such as deleting the Secret objects containing such certificates.
This approach could lead to instability of the deployed Tenant Control Planes, especially in environments where reconciliation is lagging or constrained, such as those with forbidden deletion actions.
The proposal is pretty similar to FluxCD, where, by annotating the given Secret used by Kamaji, the certificate would be rotated upon the first reconciliation (e.g.: `certs.kamaji.clastix.io/rotate`).
To trigger rotation, the annotation value must be empty: once the rotation has occurred correctly, it will report the timestamp when the last rotation was performed.
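An operator-side sketch of the flow proposed above, added here as an example and not taken from the discussion or from the Kamaji code base: it sets the annotation to an empty value to request a rotation, then polls until a value appears, and fails with a distinct exit code if reconciliation lags past a timeout. It assumes the timestamp is written back to the same annotation; the function names, the timeout and the poll interval are illustrative.

```shell
# Annotation key taken from the proposal above.
ROTATE_ANNOTATION='certs.kamaji.clastix.io/rotate'

# Print the current annotation value of a Secret (nothing if unset or empty).
# $1 = namespace, $2 = Secret name
rotation_status() {
  kubectl -n "$1" get secret "$2" \
    -o 'jsonpath={.metadata.annotations.certs\.kamaji\.clastix\.io/rotate}'
}

# Request a rotation and wait until a timestamp is reported.
# $1 = namespace, $2 = Secret name,
# $3 = timeout in seconds (default 120), $4 = poll interval in seconds (default 5)
# Returns 0 and prints the reported value, 1 on timeout, 2 on a kubectl error.
rotate_certificate() {
  ns=$1
  secret=$2
  timeout=${3:-120}
  interval=${4:-5}

  # An empty value is the trigger; --overwrite replaces a previous timestamp.
  kubectl -n "$ns" annotate secret "$secret" \
    "${ROTATE_ANNOTATION}=" --overwrite >/dev/null || return 2

  waited=0
  while [ "$waited" -lt "$timeout" ]; do
    value=$(rotation_status "$ns" "$secret") || return 2
    if [ -n "$value" ]; then
      # Assumption: a non-empty value means the rotation has completed.
      printf '%s\n' "$value"
      return 0
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done

  # Reconciliation did not confirm the rotation in time; the annotation is
  # still empty, so the request remains pending rather than lost.
  echo "rotation of $ns/$secret not confirmed after ${timeout}s" >&2
  return 1
}

# Usage: rotate_certificate <namespace> <secret-name> [timeout] [interval]
```

A return code of 1 leaves the empty annotation in place, so the Secret is untouched and the rotation can still happen on a later reconciliation.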