How to handle automatically renewing Let's Encrypt certificates for kube-apiserver? #11806
Unanswered question asked by michaelbeaumont in Q&A (0 replies).
I'd like to use a public Let's Encrypt cert for access to the API server from outside the cluster.

This seems generally possible using `--tls-sni-cert-keys`, but can I renew them automatically? I was thinking of leaning on `cert-manager` + a CronJob to update the certs on the host, but then the question is how to bootstrap this. I'd prefer not to have to generate the initial certificate separately by some different mechanism. Of course the cert/key can be added after cluster creation, but `kube-apiserver` won't start if the cert/key is missing/invalid, so I'd have to leave the command line arg out and then manually add it back. I suppose a CronJob could do this too with the Talos API, but I define machine config in terraform, so this would entail config drift.

Otherwise there's the option of a Talos extension. I don't think there's any cron-like functionality within Talos, so would this mean a long-running service that executes `cert-bot` to update certs?

Anyone have any other ideas?
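For reference, this is the Talos machine config wiring the question is describing: an added example, not part of the original question or of the Talos project's docs. The hostname `api.example.com` and the `/var/lib/letsencrypt` path are assumptions.

```yaml
# Added example (not from the question): cluster.apiServer section of a Talos
# machine config that hands a Let's Encrypt cert to kube-apiserver via
# --tls-sni-cert-keys. Hostname and paths are assumptions.
cluster:
  apiServer:
    extraArgs:
      # This pair is served only when the client's SNI name matches
      # api.example.com; the cluster-internal cert remains the default
      # for in-cluster and IP-based access.
      tls-sni-cert-keys: /var/lib/letsencrypt/tls.crt,/var/lib/letsencrypt/tls.key:api.example.com
    extraVolumes:
      # Make the renewed files on the host visible inside the static pod
      # at the same path the flag references.
      - hostPath: /var/lib/letsencrypt
        mountPath: /var/lib/letsencrypt
        readonly: true
```

As the question notes, kube-apiserver refuses to start when the referenced files are missing or invalid, so the host path must already hold a valid pair before this fragment is applied. After that, a renewal job only needs to overwrite the files in place, since kube-apiserver watches its serving and SNI certificate files and reloads them without a restart.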