
RGW SSL certificates are not reloaded after renewal/update #14069

Open
briend opened this issue Apr 12, 2024 · 1 comment

briend commented Apr 12, 2024

Rook CephObjectStore CRD seems to have pretty good support for enabling SSL on the RGW pods by providing a sslCertificateRef to a tls Secret:

https://rook.io/docs/rook/v1.13/CRDs/Object-Storage/ceph-object-store-crd/#gateway-settings

We use Cert-Manager, which automatically renews these certs. In our testing it seems to work fine until the certs expire. Restarting an RGW pod fixes it (it begins using the updated cert). The newer Beast RGW does not appear to have any option to reload the certs without a restart (even though the cert is updated inside the pod via the Secret). Previously, civetweb RGW did have an option to handle short-lived SSL certs.

I've filed a ceph issue here: https://tracker.ceph.com/issues/65470

I'm wondering if Rook should be monitoring the certificate and automatically rolling the RGW deployment when changes occur on the Secret. Another idea might be a Liveness Probe that checks the cert validity and then restarts the rgw (with a long random delay?)

Perhaps I'm missing something else and there is another solution already?

@briend briend added the bug label Apr 12, 2024
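One shape the liveness-probe idea above could take, as an added example that is not Rook or Ceph code: fingerprint the certificate the live RGW listener presents and compare it with the certificate in the mounted Secret, failing the probe when they differ. The mount path of the Secret inside the rgw pod is an assumption.

```python
import base64
import hashlib
import socket
import ssl
import sys
from pathlib import Path

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Assumed mount path of the sslCertificateRef Secret inside the rgw pod.
MOUNTED_CERT = Path("/etc/ceph/private/rgw-cert.pem")


def fingerprint_pem(pem: str) -> str:
    """SHA-256 of the DER form of the first certificate in a PEM blob.
    Skips a key or comments that precede it, e.g. a concatenated cert+key file."""
    start = pem.index(BEGIN)
    stop = pem.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem[start:stop])).hexdigest()


def served_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate the live TLS listener presents.
    Verification is disabled deliberately: an expired cert must still be fetched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def cert_is_stale(mounted_pem: str, served_fp: str) -> bool:
    """True when the listener is not serving the certificate in the Secret mount."""
    return fingerprint_pem(mounted_pem) != served_fp


def constructed_pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block; a constructed stand-in for offline tests."""
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"


if __name__ == "__main__":
    # Liveness-probe entry point: a non-zero exit asks kubelet to restart the pod,
    # which is what makes Beast pick up the renewed certificate.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    stale = cert_is_stale(MOUNTED_CERT.read_text(), served_fingerprint(host, port))
    print("stale certificate, restart required" if stale else "certificate current")
    sys.exit(1 if stale else 0)
```

Run as an exec liveness probe; the probe's periodSeconds and failureThreshold supply the delay, and with several gateway replicas a jittered sleep before the check keeps them from all restarting in the same period.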
BlaineEXE (Member) commented

Let's see what the Ceph project plans to do with the issue there. It seems to me that the RGW itself should reload when the file changes without need to do anything special in Rook.
