Reloading the X.509 certificate and private key used by the HTTPS server currently requires a restart of the authorizer. If the certificate on disk is rotated but the process is not restarted, it keeps serving the expired certificate, which disrupts the service.
Furthermore, Kubernetes does not automatically recreate Pods when a mutable Secret is updated, so a rotated Secret reaches the container's filesystem but never the running process.
Adding support for "hot reloading" of server certificates is not hard in Go, as demonstrated by https://opensource.com/article/22/9/dynamically-update-tls-certificates-golang-server-no-downtime . Some Kubernetes components already implement this in a clever way by relying on file watches (https://github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/certwatcher/certwatcher.go).
Before adding this type of feature, consider how it affects service reliability and request latency (do not reload the certificate files on every request, as the first article linked above does), and avoid pulling in new third-party dependencies (increased supply chain risk). A simple timer that checks the modification time of the certificate and private key files may be enough.
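As an added example (not code from this project or from either linked article), the timer-based approach from the previous paragraph in Go with only the standard library: a `GetCertificate` callback that serves the in-memory key pair under a read lock, and a ticker that re-parses the files only when their modification time changed, keeping the old pair if the new one fails to parse or the key does not match the certificate. The mount path `/etc/tls/`, port 8443 and the 30-second interval are assumptions, and `writeSelfSigned` is constructed test material standing in for whatever rotates the real Secret:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"net/http"
	"os"
	"sync"
	"time"
)

// certReloader serves the current key pair to the TLS stack and swaps it when the files change (stdlib only).
type certReloader struct {
	certPath, keyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate
	certMod, keyMod   time.Time
}

// maybeReload re-parses the pair only when a modification time moved and reports
// whether it did. A half-written or mismatched pair is rejected and the previous
// certificate stays in service, so a bad rotation degrades to "no rotation".
func (r *certReloader) maybeReload() (bool, error) {
	ci, err := os.Stat(r.certPath) // follows symlinks, so a Kubernetes ..data swap is seen
	if err != nil {
		return false, err
	}
	ki, err := os.Stat(r.keyPath)
	if err != nil {
		return false, err
	}
	r.mu.RLock()
	same := r.cert != nil && ci.ModTime().Equal(r.certMod) && ki.ModTime().Equal(r.keyMod)
	r.mu.RUnlock()
	if same {
		return false, nil
	}
	c, err := tls.LoadX509KeyPair(r.certPath, r.keyPath) // also checks the key matches the cert
	if err != nil {
		return false, err
	}
	r.mu.Lock()
	r.cert, r.certMod, r.keyMod = &c, ci.ModTime(), ki.ModTime()
	r.mu.Unlock()
	return true, nil
}

// getCertificate is the tls.Config.GetCertificate callback: one read lock per
// handshake and no disk I/O, so reloading adds nothing to request latency.
func (r *certReloader) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// watch polls on a ticker for the life of the process; a failed reload only logs.
func (r *certReloader) watch(every time.Duration) {
	for range time.Tick(every) {
		if _, err := r.maybeReload(); err != nil {
			log.Printf("certificate reload failed, keeping old pair: %v", err)
		}
	}
}

// writeSelfSigned writes a throwaway self-signed ECDSA pair: constructed test
// material standing in for whatever cert-manager or an operator rotates into place.
func writeSelfSigned(certPath, keyPath, cn string) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key we just generated
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	// Assumed mount path of the server's TLS Secret; adjust to the real deployment.
	r := &certReloader{certPath: "/etc/tls/tls.crt", keyPath: "/etc/tls/tls.key"}
	if _, err := r.maybeReload(); err != nil {
		log.Fatal(err)
	}
	go r.watch(30 * time.Second)
	srv := &http.Server{Addr: ":8443", TLSConfig: &tls.Config{GetCertificate: r.getCertificate, MinVersion: tls.VersionTLS12}}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: GetCertificate supplies the pair
}
```

Two caveats a reviewer should check before merging something like this. The certificate and key are separate files, so a rotation can be observed half-way; that is why a parse or key-mismatch failure keeps the old pair and the next tick simply retries. And the check keys on modification time only, so a rewrite that lands within the filesystem's timestamp granularity after a successful reload would be missed until the next change; compare file size or a content hash as well if that window matters for the deployment.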