On the Sylva side, I've been working on a one-shot tool to allow changing how etcd certificates are managed for clusters created with CABPRKE2 0.2.7, to change them from rke2-managed certs to CABPRKE2-managed certs
(the code is here, shell code running in a pod of the mgmt cluster:
https://gitlab.com/sylva-projects/sylva-core/-/blob/rke2-migrate-etcd-certs/kustomize-units/rke2-etcd-secrets/read-rke2-certs.sh?ref_type=heads).
I have the following question:
Do we need to run this script and prepare those secrets for all workload clusters before upgrading the CABPRKE2 controllers?
Or is it sufficient to ensure that the secrets of a given cluster are created before any CAPI rolling update of that cluster?
I have the impression that we need to convert all of them before upgrading, or else it seems that CABPRKE2 may start to generate its own CA keypair Secrets... Could you confirm that?