
Automatic re-read tls certs for storage backends #18129

Open
dmitrytretyakov opened this issue Nov 28, 2022 · 0 comments


dmitrytretyakov commented Nov 28, 2022

Is your feature request related to a problem? Please describe.

Hi, it looks like Vault must be restarted to use new certs for etcd storage.
We use Vault in k8s with etcd as storage over TLS and cert-manager as the cert provider.
After rotation, the certs are updated inside the pod, but Vault keeps using the previous ones:

{"level":"warn","ts":"2022-11-14T10:54:51.021Z","logger":"etcd-client","caller":"v3@v3.5.0/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000857a40/#initially=[https://vault-etcd:2379]","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-11-14T10:54:36Z is after 2022-11-14T10:00:21Z\""}

The whole environment is unavailable until the Vault pods are restarted.

Describe the solution you'd like
It would be great to have an option that allows Vault to re-read certs from disk when making new connections or in case of connection errors.

Describe alternatives you've considered
Sending SIGHUP, as it works for Vault's own TLS settings.
But it's not convenient in many k8s environments, as you want procedures to be as automated as possible. You need an additional controller that watches for secret changes and does a graceful restart (sending signals) of all Vault pods in a specific order.
That doesn't sound good.

Additional context
Part of config:

storage "etcd" {
  address = "https://vault-etcd:2379"
  etcd_api = "v3"
  ha_enabled = "true"
  tls_ca_file = "/vault/etcd-client/ca.crt"
  tls_cert_file = "/vault/etcd-client/tls.crt"
  tls_key_file = "/vault/etcd-client/tls.key"
  path = "/vault/"
}

Thanks in advance for any feedback or comments!
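Added example (editor's code, not Vault's or etcd's): the behaviour the request asks for can be expressed in Go, the language Vault and the etcd client are written in, by resolving the client certificate through tls.Config.GetClientCertificate on every handshake instead of loading it once at startup. The names ReloadingClientCert, DemoRotation and writeSelfSigned, and the tls.crt/tls.key file names, are assumptions for the demo; the certificates it writes are self-signed throwaways constructed in a temp directory, not real etcd client certs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// ReloadingClientCert re-reads a PEM cert/key pair on every TLS handshake, so new
// connections use a rotated cert without a restart; open connections keep the old one.
type ReloadingClientCert struct {
	CertFile, KeyFile string
	mu                sync.Mutex
	certPEM, keyPEM   []byte
	cached            *tls.Certificate
}

// GetClientCertificate has the tls.Config.GetClientCertificate signature. It compares
// file content (a Secret volume update is a symlink swap, so mtime is unreliable) and
// on a read or parse error keeps serving the last good pair rather than failing.
func (r *ReloadingClientCert) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	certPEM, cErr := os.ReadFile(r.CertFile)
	keyPEM, kErr := os.ReadFile(r.KeyFile)
	err := errors.Join(cErr, kErr)
	if err == nil && r.cached != nil && string(certPEM) == string(r.certPEM) && string(keyPEM) == string(r.keyPEM) {
		return r.cached, nil // unchanged since the last load
	}
	if err == nil {
		var c tls.Certificate
		if c, err = tls.X509KeyPair(certPEM, keyPEM); err == nil {
			r.cached, r.certPEM, r.keyPEM = &c, certPEM, keyPEM
			return r.cached, nil
		}
	}
	if r.cached != nil { // production code should log err here
		return r.cached, nil
	}
	return nil, err
}

// writeSelfSigned writes a throwaway self-signed pair with the given CN (constructed demo data).
func writeSelfSigned(certFile, keyFile, cn string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	if err = os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

// DemoRotation rewrites the files as kubelet does after a cert-manager renewal and returns the CN each handshake saw.
func DemoRotation(dir string) (seen []string, err error) {
	certFile, keyFile := filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	loader := &ReloadingClientCert{CertFile: certFile, KeyFile: keyFile}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, GetClientCertificate: loader.GetClientCertificate}
	for _, cn := range []string{"vault-etcd-client-old", "vault-etcd-client-new"} {
		if err = writeSelfSigned(certFile, keyFile, cn); err != nil {
			return nil, err
		}
		var c *tls.Certificate // what the TLS client does on each handshake that requests client auth
		if c, err = cfg.GetClientCertificate(&tls.CertificateRequestInfo{}); err != nil {
			return nil, err
		}
		leaf, _ := x509.ParseCertificate(c.Certificate[0]) // already parsed by X509KeyPair, cannot fail here
		seen = append(seen, leaf.Subject.CommonName)
	}
	return seen, nil
}

func main() {
	dir, err := os.MkdirTemp("", "reload-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println(DemoRotation(dir)) // [vault-etcd-client-old vault-etcd-client-new] <nil>
}
```

clientv3.Config takes a *tls.Config in its TLS field, so a storage backend built this way would hand the etcd client a config whose certificate callback consults disk on every handshake. That matches the failure in the log above: etcd rejects the expired cert at handshake time, the client reconnects, and the new handshake picks up the renewed files with no SIGHUP or pod restart. The example does not refresh tls_ca_file; a rotated CA would need the same treatment on RootCAs.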
