fix: add kubelet certificate rotation support for Talos with metrics-server

[devantler]

Add support for kubelet certificate rotation in Talos to enhance security and ensure proper functioning with metrics-server.

Fixes #1612

Type of change

• 🧹 Refactor
• 🪲 Bug fix
• 🚀 New feature
• ⛓️‍💥 Breaking change
• 📚 Documentation update

[github-actions]

✅MegaLinter analysis: Success

✅ Linters with no issues

actionlint, bash-exec, checkov, git_diff, grype, hadolint, jscpd, jsonlint, lychee, markdown-table-formatter, markdownlint, prettier, prettier, shellcheck, shfmt, syft, trivy, trivy-sbom, trufflehog, v8r, v8r, yamllint

See detailed reports in MegaLinter artifacts

[codecov]

Codecov Report

❌ Patch coverage is 69.13580% with 25 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
cmd/cluster/create.go	30.76%	9 Missing ⚠️
pkg/io/generator/talos/generator.go	70.00%	3 Missing and 3 partials ⚠️
pkg/io/scaffolder/scaffolder.go	79.31%	5 Missing and 1 partial ⚠️
pkg/io/config-manager/talos/configs.go	78.94%	2 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR adds kubelet certificate rotation support for Talos clusters when metrics-server is enabled, fixing issue #1612. The change ensures that metrics-server can scrape kubelet metrics over HTTPS without TLS errors by automatically enabling the rotate-server-certificates flag.

Key changes:

• Introduces automatic kubelet certificate rotation configuration for Talos when metrics-server is enabled
• Refactors notification methods in the scaffolder for better code organization and maintainability
• Adds comprehensive test coverage for the Talos generator with new certificate rotation scenarios

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/io/scaffolder/scaffolder.go	Adds enableKubeletCertRotation logic and refactors notification methods into smaller, reusable functions
pkg/io/generator/talos/generator.go	Implements kubelet certificate rotation patch generation with new config field and patch file creation
pkg/io/generator/talos/generator_test.go	Adds comprehensive test coverage for kubelet cert rotation scenarios including standalone and combined configurations
pkg/io/config-manager/talos/configs.go	Implements ApplyKubeletCertRotation method and introduces helper function applyPatchToBothConfigs to reduce code duplication
pkg/io/config-manager/talos/configs_test.go	Adds tests for kubelet cert rotation application and idempotency
cmd/cluster/create.go	Adds setupTalosKubeletCertRotation function to apply cert rotation at cluster creation time
docs/configuration/index.md	Fixes markdown table alignment formatting
docs/configuration/declarative-configuration.md	Fixes markdown table alignment formatting across multiple tables

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

[devantler]

We need to revisit this implementation as rotating server certificates is something we do to support metrics server WITH https. So we need to do something like the below when metrics server on Talos clusters:

1. Deploy metrics server as a helm chart where we do not use insecure http.
2. Deploy alex1989hu/kubelet-serving-cert-approver (preferably also as a helm chart) to ensure that new certificates for the kubelets are approved automatically.

Talos docs describe it here: https://docs.siderolabs.com/kubernetes-guides/monitoring-and-observability/deploy-metrics-server

If this works for Talos, it might also work for other distributions minus the Talos cluster-wide patch. We should consider migrating all installations of metrics-server to this approach, as it is superior because it does not rely on http as the current approach does.