Reload TLS certificates

[sagikazarmark]

Preflight Checklist

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

When Dex is deployed in an environment where certificates frequently change (eg. using Let's Encrypt) AND it is configured to terminate TLS, it continues serving with the old certs indefinitely without reloading them from the filesystem.

Proposed Solution

Support (optionally) reloading TLS certificates. Two common solutions I can see:

• reload certs upon receiving SIGHUP (doesn't work on Kubernetes)
• watching files for changes and reloading certs upon an event

We probably need to support both and let users decide which mechanism to use.

There is a library called tlsreconciler: https://github.com/shaj13/tlsreconciler

It looks pretty good except it may not be obvious how to implement file watching.

For file watching, fsnotify is the standard library: https://github.com/fsnotify/fsnotify

Alternatives Considered

First, on Kubernetes is probably better to terminate TLS at the ingress layer.

If that's not possible reloader can provide an automated solution to trigger rollouts on secret changes.

Additional Information

This is a duplicate of #2274, but since that mentions both configuration AND certs, I decided to open a separate one for certs as that might be easier to resolve.

Some information about reloading TLS certs: https://stackoverflow.com/questions/37473201/is-there-a-way-to-update-the-tls-certificates-in-a-net-http-server-without-any-d

[tgruenert]

running dex on a docker.compose does always require some kind of reloading certs. i would prefer reload on watching files. it should work on docker and kubernetes.

[nabokihms]

Closed by #2964