Why? Because the old default was unintuitive and insecure. For example, if a private key is exposed, users may (reasonably) assume that re-issuing a certificate (e.g. using cmctl renew) will generate a new private key, but it won't unless the user has explicitly set rotationPolicy: Always on the Certificate resource.
とのことなので、Certificate.Spec.PrivateKey.RotationPolicyはデフォルトAlwaysになる
