Project: Machine Config Operator
Issue: MCO-467

Investigate moving certificate management out of the MCD-files path

    • Type: Spike
    • Resolution: Done
    • Linked issue: TELCOSTRAT-87 - Single Core CPU CaaS Budget for DU Deployment w/ Single-Node OpenShift on Sapphire Rapids Platform
    • Sprint: MCO Sprint 232

Today the MCO lays down some certificates (e.g. the kubelet cert) that the system needs in order to function. We manage them like any regular file, syncing all the way down from cluster objects -> MCO pod -> controllerconfig -> MCC -> rendered config -> MCD -> on disk.

The issue is that certs can rotate much more often (with the introduction of https://github.com/openshift/machine-config-operator/pull/3458, every month, or roughly every day while in a dev cycle). This means more churn in rendered configs with this method, and users who pause pools will quickly end up with outdated certs (after 12 hours or so some functionality stops working, e.g. oc logs).

We should instead consider managing certs via a separate path, whether that be a configmap mounted into the system, another container inside the MCD that directly manages certs, or following the way other operators lay down their certs.

Some more context is in our recent discussion notes: https://docs.google.com/document/d/1_Jg6Kxz5pM00agx0o6AgATRBuRHN65e6bhLBcH-_A9k

jerzhang@redhat.com Yu Qi Zhang