Feature Request: Renewing TLS certs for zarf agent hook

[daniel-palmer-gu]

Is your feature request related to a problem? Please describe.

The TLS certs for the agent hook last a year from what I can tell. Kudos to the Zarf devs as I have a cluster that has expired certs!

The issue I have was when I needed to update the TLS certs as the cluster breaks when the certs are invalid. Updating the certs is a bit tedious and manual. I'm hoping we can get a way for Zarf to automate the process, and, if possible detect and handle it automatically.

Describe the behavior you'd like

• Given TLS certs have expired for the zarf agent hook
• When the user zarf inits their cluster again
• Then zarf detects the TLS certs have expired and renews them

Describe alternatives you've considered

The current solution I have is to manually update the zarf-state secret with new certs and zarf init the cluster again.

The steps I have:

1. run zarf tools gen-pki agent-hook.zarf.svc to generate a new crt, key, and ca file.
2. Update the zarf-state's agentTLS with the new ca, crt, and key.
3. run zarf init
4. restart agent-hook-xxxx pods

[AustinAbro321]

On option is to use zarf tools update-creds agent https://docs.zarf.dev/commands/zarf_tools_update-creds/#zarf-tools-update-creds.

Not sure if we would change the behavior to update certs on zarf init, will leave this open until a decision is made there. For now wanted to provide the command.