Machine ID should have a method for refreshing expired certificates without recreating a bot

[timothyb89]

What would you like Teleport to do?

tctl should have a new function to refresh expired bot credentials by generating a new token for an existing user, expiring any other credentials.

As an example:

$ tctl bots refresh <name>
The new token is: <token>
This token will expire in 59 minutes.

Optionally, if running the bot under an isolated user account, first initialize
the data directory by running the following command as root:

> tbot init \
   --destination-dir=./tbot-user \
   --bot-user=tbot \
   --reader-user=alice

[...]

What problem does this solve?

Currently when a bot's certificates expire, it must be fully deleted and recreated to generate a new token. This is required to reset the server-side generation counter, which is an additional level of certificate theft prevention used with token-based joining.

If a workaround exists, please include it.

$ tctl bots rm <name>
$ tctl bots add <name> --roles=a,b,c

Additionally, AWS IAM joining and GitHub Actions OIDC joining use reusable tokens and are not affected by this.

[thg-adamdean]

This is especially interesting to me because it removes a manual element to our automation.

[strideynet]

Potentially replaced by #26885 - need to think over this.

[strideynet]

Closing as covered by the larger issue described at #26885