Type: Story
Resolution: Duplicate
OCPSTRAT-1104 - [etcd] manual rotation of etcd signer certs when the cluster is still online
Currently library-go decides whether a certificate needs to be re-created with the following logic:
https://github.com/openshift/library-go/blob/master/pkg/operator/certrotation/target.go#L145-L162
A certificate is re-created when it is close enough to expiry, when it carries no issuer annotation, or when the signer's CN does not appear in the CA bundle.
With the changes in ETCD-512 we have to publish the bundle containing the new signer certificate up front, so that etcd rolls out with the new bundle before we start signing with the new CA.
This means the existing check will never trigger a certificate update when the signer changes: the new CA is always already known to the bundle by the time we sign with it, and because the rotated signer reuses the same CN, the CN lookup cannot tell the old signer from the new one. We thus need a slightly more involved check that tests whether the current CA has actually been used to sign the respective certificate (for example by verifying the leaf's signature, or its authority key identifier, against the current signer) rather than whether the signer's CN is merely present in the bundle.
AC:
- changing the signer should invalidate certificates, even if the bundle already contains the new signer
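The following is an added example, not code from library-go or the openshift/etcd operator: it reproduces the failure mode described above with Go's crypto/x509 and contrasts the CN-in-bundle test with a check that verifies the leaf against the current signer. The function and variable names (NewSigner, NewLeaf, SignerCNInBundle, SignedBy, NeedsRotation) and the CN values are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustCert turns a CreateCertificate result into a parsed certificate, panicking on error.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewSigner mints a self-signed CA (hypothetical helper). The CN is reused across
// rotations on purpose: that is exactly the case a CN-in-bundle check cannot see.
func NewSigner(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Go fills in SubjectKeyId for CA templates that leave it empty.
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// NewLeaf issues a leaf (think: an etcd peer cert) under the given CA (hypothetical helper).
// CreateCertificate copies the parent's SubjectKeyId into the leaf's AuthorityKeyId.
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// Bundle builds a CA bundle from the given certificates.
func Bundle(cas ...*x509.Certificate) []*x509.Certificate { return cas }

// SignerCNInBundle is the weak "signer CN appears in the bundle" test from the
// description: satisfied as soon as any CA in the bundle carries the CN.
func SignerCNInBundle(bundle []*x509.Certificate, signerCN string) bool {
	for _, c := range bundle {
		if c.Subject.CommonName == signerCN {
			return true
		}
	}
	return false
}

// SignedBy reports whether leaf was actually issued under signer: the authority
// key identifier (when present) must match the signer's subject key identifier,
// and the leaf's signature must verify with the signer's public key.
func SignedBy(leaf, signer *x509.Certificate) bool {
	if len(leaf.AuthorityKeyId) > 0 && !bytes.Equal(leaf.AuthorityKeyId, signer.SubjectKeyId) {
		return false
	}
	return leaf.CheckSignatureFrom(signer) == nil
}

// NeedsRotation is the stricter check the story asks for: a leaf must be re-issued
// whenever it was not signed by the signer that is now current, whatever the bundle holds.
func NeedsRotation(leaf, currentSigner *x509.Certificate) bool {
	return !SignedBy(leaf, currentSigner)
}

func main() {
	oldCA, oldKey := NewSigner("etcd-signer", 1)
	peer := NewLeaf(oldCA, oldKey, "etcd-peer-0")
	newCA, _ := NewSigner("etcd-signer", 2) // rotated signer: same CN, new key
	bundle := Bundle(oldCA, newCA)           // both CAs published up front, as in ETCD-512
	fmt.Println("CN-in-bundle check says rotate:", !SignerCNInBundle(bundle, newCA.Subject.CommonName))
	fmt.Println("signature check says rotate:   ", NeedsRotation(peer, newCA))
}
```

The CN lookup returns "no rotation needed" because the rotated signer shares the CN with the old one and is already in the bundle, while the signature check correctly flags the old peer certificate. A leaf freshly issued under the rotated signer passes the stricter check, so the new check does not cause spurious re-issuance.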
Is duplicated by: ETCD-535 Manual CA rotation should rotate all leaf certs (Closed)