cryostat-operator
[Story] Detect certificate renewal and redeploy
When certificates are close to expiry, cert-manager will automatically renew them. We should detect this and redeploy Container JFR and update the routes that use TLS re-encryption.
There are a couple of options I've found for this sort of thing.
- Reloader operator (https://github.com/stakater/Reloader). Probably easiest to implement, but adds a dependency on an additional operator that watches all namespaces by default.
- Store checksums of the secrets in the Container JFR deployment's pod template. When these checksums change, Kubernetes will redeploy automatically. We will need to add Secrets to our containerjfr controller's watches. This is lighter weight, and leverages our existing controller.
I think the second option is probably a better choice for us, as long as it turns out to be as easy as it sounds. Helm charts have similar functionality: https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments. Another article with this technique: https://blog.questionable.services/article/kubernetes-deployments-configmap-change/.
This should work for both the certificates issued by cert-manager, and also any secrets provided by the user in ContainerJFR.Spec.TrustedCertSecrets.
Some relevant Kubebuilder documentation: https://book.kubebuilder.io/reference/watching-resources/externally-managed.html
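To make the second option concrete, below is an added Go example of the checksum-annotation technique. It is not code from the cryostat-operator project: `Secret` is a minimal stand-in for `corev1.Secret` (name plus data map) so the snippet runs with only the standard library, the annotation key `example.io/secret-checksum` is a hypothetical placeholder, and the sample certificate bytes are constructed. The point it shows is that the digest must be deterministic (sorted secrets, sorted keys, length-prefixed fields) so that an unchanged set of Secrets never triggers a spurious rollout, while a renewed `tls.crt`/`tls.key` or a changed trusted-CA secret always does.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"sort"
)

// Hypothetical annotation key for the pod template; the real operator would
// choose its own.
const checksumAnnotation = "example.io/secret-checksum"

// Secret is a minimal stand-in for corev1.Secret: only the fields the
// checksum needs.
type Secret struct {
	Name string
	Data map[string][]byte
}

// writeField length-prefixes each value so that field boundaries cannot be
// confused (e.g. "ab"+"c" vs "a"+"bc").
func writeField(h hash.Hash, b []byte) {
	fmt.Fprintf(h, "%d:", len(b))
	h.Write(b)
}

// secretsChecksum returns a hex SHA-256 over the names, keys and values of the
// given secrets. Secrets and keys are sorted first, so the same content always
// produces the same digest regardless of list or map iteration order.
func secretsChecksum(secrets []Secret) string {
	sorted := make([]Secret, len(secrets))
	copy(sorted, secrets)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })

	h := sha256.New()
	for _, s := range sorted {
		keys := make([]string, 0, len(s.Data))
		for k := range s.Data {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		writeField(h, []byte(s.Name))
		for _, k := range keys {
			writeField(h, []byte(k))
			writeField(h, s.Data[k])
		}
	}
	return hex.EncodeToString(h.Sum(nil))
}

// applyChecksum stores the checksum in a pod-template annotation map and
// reports whether the value changed. In a real Deployment, a changed pod
// template annotation is what makes Kubernetes roll out new pods.
func applyChecksum(annotations map[string]string, secrets []Secret) (map[string]string, bool) {
	if annotations == nil {
		annotations = map[string]string{}
	}
	sum := secretsChecksum(secrets)
	changed := annotations[checksumAnnotation] != sum
	annotations[checksumAnnotation] = sum
	return annotations, changed
}

func main() {
	// Constructed sample data: a cert-manager-style TLS secret and a
	// user-provided trusted-CA secret.
	tls := Secret{Name: "containerjfr-tls", Data: map[string][]byte{
		"tls.crt": []byte("-----BEGIN CERTIFICATE----- v1"),
		"tls.key": []byte("-----BEGIN PRIVATE KEY----- v1"),
	}}
	ca := Secret{Name: "trusted-ca", Data: map[string][]byte{"ca.crt": []byte("ca v1")}}

	ann, changed := applyChecksum(nil, []Secret{tls, ca})
	fmt.Println("initial reconcile, rollout needed:", changed)

	_, changed = applyChecksum(ann, []Secret{ca, tls}) // same content, different order
	fmt.Println("no change, rollout needed:", changed)

	// Simulate cert-manager renewing the certificate.
	renewed := Secret{Name: "containerjfr-tls", Data: map[string][]byte{
		"tls.crt": []byte("-----BEGIN CERTIFICATE----- v2"),
		"tls.key": []byte("-----BEGIN PRIVATE KEY----- v2"),
	}}
	_, changed = applyChecksum(ann, []Secret{renewed, ca})
	fmt.Println("after renewal, rollout needed:", changed)
}
```

In the operator this digest would be written to the Container JFR Deployment's pod template annotations during reconcile, with Secrets added to the controller's watches (as the issue proposes) so that a renewal event re-runs the reconcile that recomputes it; the route re-encryption destination CA can be refreshed from the same reconcile.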