add fsnotify-backed cache for reading TLS PKI material

[bobcallaway]

Summary

If the PKI material used to expose a TLS endpoint changes while an instance is running, the instance must be restarted to read the new material. This change adds an fsnotify-based watcher for the certificate, and caches the value of the cert in process memory to save file I/O during the establishment of each TLS connection.

This scenario is likely in Kubernetes where PKI material may be refreshed by a renewal process and exposed to Fulcio through a volume mount.

[codecov]

Codecov Report

Merging #1256 (4454722) into main (a5b774d) will decrease coverage by 0.03%.
The diff coverage is 59.01%.

@@            Coverage Diff             @@
##             main    #1256      +/-   ##
==========================================
- Coverage   56.07%   56.05%   -0.03%     
==========================================
  Files          50       50              
  Lines        2921     2972      +51     
==========================================
+ Hits         1638     1666      +28     
- Misses       1138     1157      +19     
- Partials      145      149       +4     

Impacted Files	Coverage Δ
cmd/app/grpc.go	48.76% <59.01%> (+2.81%)	⬆️