John Gardiner Myers

Perhaps look at proofpoint/certificate-init-container?

/remove-lifecycle rotten

I would also prefer this be done in AWSSDK-GO, but aws-sdk has stated, without any explanation or discussion, that [they are not going to do that](https://github.com/aws/aws-sdk/issues/227). So this would need...

I presume there will be other restrictions due to the fact that this can't request certs through kops-controller. For example, running Kuberouter or Cilium in EtcdManaged mode.

`BootstrapScript`'s `GetDependencies()` has to return the "ca" `Keypair` task as a dependency when it is configured to use it. This is a highly divergent case, as the Bottlerocket instances don't...

The task is to implement `WarmPool.RenderTerraform`. I would suggest looking at other `RenderTerraform` receivers to see how they work. You'll need to create an annotated struct corresponding to the Terraform...

It looks like Terraform puts this inside the ASG definition, so you'll probably have to put this in `AutoscalingGroup.RenderTerraform` instead.

I believe for the Terraform target, the `WarmPool` task would do nothing. `AutoscalingGroupModelBuilder` would put the warmpool config into both the `WarmPool` and `AutoscalingGroup` tasks. The trick would then be...

To diagnose further, we would need the YAML for the kube-apiserver pods and the control plane nodes they run on.

If it's adding "random" pods' IPs, we would also want the YAML of the pods whose IPs were incorrectly added.