
Don't obtain cert if one already exists (persist LE User)

[Open] InAnimaTe opened this issue 8 years ago • 1 comment

If I spawn a LE stack, it gets a certificate and stores it in the certificate store. If I then remove the stack and recreate it with the same settings, it will report 'Found existing certificate 'cake' in Rancher' but still go out and grab a fresh one from LetsEncrypt.

For production usage, this isn't safe. I never want to pull a new certificate unnecessarily unless the previous one is about to expire (or maybe if I enable that functionality and in sandbox mode). If it's a worry about populating the local volume/directory with the certificate, we should pull the present one from the Certificate Store and save it.

InAnimaTe, Dec 13 '16 23:12

Looking at this a bit more, I'm dumb ;)

What I'm effectively asking here is some persistence out-of-band for LE user credentials so they can be utilized in the future by this LE service. As it stands, the LE user created is lost when the data volume associated with this service goes away, which happens whenever the stack is torn down, the host dies, etc.

Once those LE user credentials are gone, we lose total control of the certificate which we've registered and stored in the Certificate Store. Therefore, the present actions by this service on fresh start are in fact sane: we shouldn't deem an already existent certificate acceptable if we can't control it, i.e. revoke it, renew it, etc.

I guess at the end of the day, I think one or more of the following solutions would help ease the pain here.

  1. Integrations with external storage services like S3 for storing keys etc.
  2. Additional private fields in Certificate Store entries for saving other private information, i.e. the LE User Key
  3. Utilizing other secure K/V backends like Vault etc. I think there's some work in this realm possibly related to secrets-bridge

I'd love to hear others' input on this and thoughts already had on handling these problems. At the moment, my organization is starting to look harder at Vault.

InAnimaTe, Dec 16 '16 23:12
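The start-up decision the comment argues for (reuse a stored certificate only when the persisted LE account key is still available and the certificate is not about to expire; otherwise renew or, with the key lost, re-issue as the service does today), as an added example that is not code from rancher-letsencrypt. `DecideCert`, `SamplePEM`, the `Decision` values and the 30-day renewal window used in the test are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Decision for a certificate found in the Rancher certificate store on fresh start.
type Decision string

const (
	Reuse   Decision = "reuse"   // still valid, and we hold the LE account key
	Renew   Decision = "renew"   // inside the renewal window, account key available
	Reissue Decision = "reissue" // account key lost: cannot renew or revoke it, so obtain a fresh one
)

// DecideCert is the hypothetical start-up check: reuse only with the persisted account key present and no imminent expiry.
func DecideCert(certPEM []byte, haveAccountKey bool, now time.Time, renewWithin time.Duration) (Decision, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block in stored PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if !haveAccountKey {
		return Reissue, nil // the behaviour the issue describes: uncontrollable cert is not acceptable
	}
	if now.Before(cert.NotBefore) || now.Add(renewWithin).After(cert.NotAfter) {
		return Renew, nil // not yet valid, or expiring within the window
	}
	return Reuse, nil
}

// SamplePEM builds a constructed self-signed certificate with the given validity, standing in for a stored LE cert.
func SamplePEM(notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```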