
CloudSQL: there is currently no way to rotate SSL certificate

Open muvaf opened this issue 4 years ago • 0 comments

What problem are you facing?

Currently, the CloudSQL connection secret includes the SSL certificate information for clients that want to access it via SSL. However, when the certificate expires, GCP requires you to take a manual action and rotate the keys. Details are here.

If the user takes rotation action on GCP Console, Crossplane does propagate it back to the connection secret. However, there is no mechanism to trigger that rotation through Crossplane.

How could Crossplane help solve your problem?

This is an imperative action, so we'd probably need to come up with a generic way for handling imperative actions and apply it here. The first thing that comes to my mind is that we could have a field certExpired: true and in each reconcile, we'd update that. In case its value is false and the certificate did expire, it means the user changed it, so we'd call the rotation action. But this'd require the certificate to be expired before rotation. So, not a really bright solution.

muvaf, Oct 21 '19 20:10