
Ability to rotate secret encryption keys used in apiserver

Open ruifung opened this issue 3 months ago • 0 comments

Feature Request

Description

While trying to implement the procedure described at https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#rotating-a-decryption-key (due to accidental publishing of a full machineconfig to a public GitHub repository), I was blocked by the inability to modify the encryptionconfig.yaml file to have the older keys in it to transition to a newly generated key.

This seems like something that would be nice to be supported in talosctl, or at least, the ability to add multiple encryption secrets to the machineconfig for the purposes of key rotation.

I've attempted the procedure manually by trying to specify a custom encryptionconfig file inserted via files[], but apparently that file is protected by Talos and I am unable to override it.

ruifung, May 03 '24 16:05
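For reference, the intermediate state the rotation procedure linked above needs the apiserver to reach, written as an added example (not from the issue or the Talos project): a Kubernetes EncryptionConfiguration carrying the newly generated key first, so all new writes use it, and the leaked key second, so existing ciphertext stays readable until it has been rewritten. Key names and values are placeholders.

```yaml
# Added example, not from the issue or the Talos project.
# Kubernetes EncryptionConfiguration mid-rotation.
# Reads try providers/keys in order; writes use the first key of the first provider.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            # New key listed first: every new write is encrypted with it.
            # Placeholder; generate with: head -c 32 /dev/urandom | base64
            - name: key2
              secret: <BASE64_NEW_32_BYTE_KEY>
            # Leaked key kept second so Secrets written under it still decrypt.
            # Drop this entry only after every Secret has been rewritten.
            - name: key1
              secret: <BASE64_OLD_32_BYTE_KEY>
      # identity last: still reads any legacy plaintext, never used for writes.
      - identity: {}
```

Once every apiserver runs with this ordering, rewriting all Secrets (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) re-encrypts them under key2, after which key1 can be removed.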