As a user of hosted control planes, I want MCS TLS certificates to be generated once and cached, so that ignition payload generation is faster and avoids redundant certificate operations.

Background

In ignition-server/controllers/local_ignitionprovider.go (line 605), MCS TLS certificates are generated for every ignition payload request. The MCS is hard-coded to expose a TLS listener and requires both a certificate and a key. Currently a new self-signed certificate is generated each time, but this could be generated once up-front and cached for all processes.

Acceptance Criteria

• Test that MCS TLS certificates are generated once and reused across subsequent ignition payload requests
• Verify that cached certificates are still valid (not expired) before reuse
• Test that a new certificate is generated if the cached one has expired or is missing
• Verify that ignition payload generation performance improves with cached certificates