Reload leaf certificates without business interruption

[manuelbuil]

Is your feature request related to a problem? Please describe.

As of today, we need to reboot the node to rotate the certificates. That means a small interruption and a potential risk.

Describe the solution you'd like

If possible, it would be nice to be able to reload the certificates without having to reboot the node (e.g. after rotating them)

Describe alternatives you've considered

Additional context

[brandond]

Related:

• kubelet/client: collapse transport wiring onto standard approach kubernetes/kubernetes#115315
• enable kubelet server to dynamically load tls certificate files kubernetes/kubernetes#124574

1. Kubernetes client-go should automatically reload certs if the kubeconfig point at file paths for cert/key instead of specifying them inline.
2. We need to validate that components other than the kubelet (apiserver, scheduler, controller-manager) also support dynamically reloading their serving certs when a path is specified.
3. We need to add a subcommand to k3s certificate rotate to do in-place updates. Right now rotate just removes the files, and updated files are pulled from the server during startup. It should be pretty easy to download the new files from the server and move them into place while k3s is running.