Description
Describe the enhancement:
Fleet Server requires TLS certificates to serve HTTPS requests from Elastic Agent. These certificates are placed in external files rather than embedded in the configuration, so if they change, Fleet Server doesn't reload the configuration. Rotating certificates requires an explicit restart, as per the documentation.
We should add an option allowing the certificate files to be reloaded without the need to restart Fleet Server. It should start as disabled by default to avoid user surprise, but we should work towards enabling it by default eventually.
Describe a specific use case for the enhancement or feature:
In many environments, synchronizing certificate renewal and Fleet Server restarts is quite onerous. In our own Serverless environments, certificates are managed through lightweight-cert-manager, and each project has its own certificates with their own expiration date. The operational toil of this problem would be completely removed by just letting the K8s Secret containing the certificate be remounted in the Pod and Fleet Server reloading it automatically.
In general, this feature would reduce operational burden in most environments, removing the need for external orchestration of certificate rotation.
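As an added illustration of the mechanism this issue asks for (not code from the Fleet Server project), the Go snippet below implements certificate reload through the `tls.Config` `GetCertificate` callback: the listener asks the reloader for a certificate on every handshake, and the reloader re-reads the PEM files, swaps in the new pair only if it parses, and otherwise keeps serving the last good pair. The type and function names (`CertReloader`, `writeSelfSigned`, `ServedCommonName`) and the self-signed pair written to a temporary directory are constructed for this example; `writeSelfSigned` stands in for the files cert-manager would mount from a Secret.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

type loaded struct {
	cert            *tls.Certificate
	certPEM, keyPEM []byte // bytes the cert was parsed from, kept for change detection
}

// CertReloader serves whatever pair is on disk now. Illustrative helper written
// for this issue; it is not Fleet Server's own code.
type CertReloader struct {
	certPath, keyPath string
	current           atomic.Pointer[loaded] // swapped atomically: safe for concurrent handshakes
}

func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
	r := &CertReloader{certPath: certPath, keyPath: keyPath}
	if err := r.refresh(); err != nil { // a missing or bad initial pair is still fatal
		return nil, err
	}
	return r, nil
}

// refresh re-reads both files and, only when their bytes changed AND they parse as
// a valid pair, makes them the served certificate; a corrupt rotation never wins.
func (r *CertReloader) refresh() error {
	certPEM, err1 := os.ReadFile(r.certPath)
	keyPEM, err2 := os.ReadFile(r.keyPath)
	if err := errors.Join(err1, err2); err != nil {
		return err
	}
	if cur := r.current.Load(); cur != nil && bytes.Equal(certPEM, cur.certPEM) && bytes.Equal(keyPEM, cur.keyPEM) {
		return nil // unchanged
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	r.current.Store(&loaded{&cert, certPEM, keyPEM})
	return nil
}

// GetCertificate is the tls.Config callback, run on every handshake. Comparing
// file contents (not watching the path with inotify) also catches the atomic
// symlink swap a Kubernetes Secret volume performs when the Secret changes.
func (r *CertReloader) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	_ = r.refresh() // a real server would log this; the last good pair stays in place
	return r.current.Load().cert, nil
}

// ServedCommonName reports the CN of the leaf the reloader presents right now.
func ServedCommonName(r *CertReloader) (string, error) {
	cert, _ := r.GetCertificate(nil)
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// writeSelfSigned writes a constructed self-signed pair (a stand-in for what
// cert-manager would mount) as tls.crt and tls.key under dir.
func writeSelfSigned(dir, cn string) (certPath, keyPath string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a key we just generated
	certPath, keyPath = filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err == nil {
		err = os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
	}
	return certPath, keyPath, err
}
```

To use it, build the listener with `&tls.Config{GetCertificate: r.GetCertificate}` and leave `Certificates` empty, so the callback decides on every handshake. Reading both files per handshake is the simplest correct form and is what makes the example short; a production implementation behind the opt-in flag proposed above would do the comparison on a timer or check `os.Stat` mtimes first, and would log a failed reload rather than discard the error, since a renewal that silently fails to take effect is exactly the outage the feature is meant to avoid.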