#Please describe the Improvement and/or Feature Request
As of today OSM's root certificate once created cannot be automatically rotated. This issue will track the root certificate rotation feature in OSM.

The tasks include:

• Proposal doc (a Google doc linked to this item)
• Design doc (a Google doc linked to this item)
• Phase 1 Implementation
  • Support Envoy xDS certificate rotation
    • ref(injector): load bootstrap SDS configuration from filesystem #4635
  • Implement MeshRootCertificate API
    • crds: add MeshRootCertificate CRD #4687
    • apis: add MeshRootCertificate API types #4677
    • ref(certs): use secretRef for Vault token in MRC #4736
  • MeshRootCertificate informer client
    • feat(api/MeshRootCertificate): add informer client #4721
  • Create or load MeshRootCertificate on install Create a MeshRootCertificate on osm install  #4712
  • Update validating and mutating webhook to support the MeshRootCertificate resource
    • Validating webhook Validate MeshRootCertificate #4723
    • Mutating webhook
  • Refactor Manager and Certificate to support Auto Root Certificate Rotation
    • Update Manager to support multiple clients
      • ref(cert): update Manager to support mult clients #4705
    • Issue certificates based on client and certificate settings
      • Certificate issuance state management #4743
    • Refactor IssueCertificate Preserve validity duration during cert rotation #4810
      • fix(certs): update checkAndRotate to use current durations #4800
  • Create Issuer from MeshRootCertificate Use MeshRootCertificate resource to configure OSM certificate manager on startup #4713
    • feat(certificate): create a compat layer for provider generation #4718
    • Reduce the methods on cert manager by unexporting methods only used in unit tests #4742
    • Refactor/mrc ca handling #4781
    • Implement MRC Watch and List
      • cert: use MeshRootCertificate on startup #4816
  • Update TLS configs for OSM webhooks and ADS server to dynmaically select certificate used for establishing mTLS Support updating the tls config for the ADS server without restarting the server #4819
  • Implement rotation stages
    • Update manager struct Configure certificate manager in response to MRC and MRC status changes #4815
    • Update webhooks configurations Update conversion, validating, and mutating webhook configurations based on certificate manager updates #4817
    • Update bootstrap secret Update OSM bootstrap secret on certificate manager updates #4818
  • CLI Tooling
    • osm cert CLI cmd
      • osm cert status
      • osm cert rotate
• Phase 2 Implementation
  • Implement detection strategy
  • Support automatic movement between rotation stages
  • Support automatic detection of expiring root certificate, creation of new root certificate, and rotation initiation
• Unit and e2e tests
  • Create e2e tests for root certificate rotation #4835
• Documentation: how-to guide
• Documentation: demo

Scope (please mark with X where applicable)

• New Functionality [X]