Load certificate when they are updated when internal-encryption is enabled

[nak3]

Currently we need to restart activator when certificates are updated. This patch fixes it by:

• Using GetCertificate for server certs.
• Using TLSConf as a pointer for updating custom CA.
• Caching the cert for peformance.

Fix #13694

Release Note

With enabling internal-encryption, activator pods needed to be restarted when certificates are updated. The restart is not necessary anymore.

[codecov]

Codecov Report

Patch coverage: 36.50% and project coverage change: -0.05 ⚠️

Comparison is base (8f273e4) 86.27% compared to head (a5795f7) 86.23%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #13854      +/-   ##
==========================================
- Coverage   86.27%   86.23%   -0.05%     
==========================================
  Files         198      199       +1     
  Lines       14669    14706      +37     
==========================================
+ Hits        12656    12682      +26     
- Misses       1715     1725      +10     
- Partials      298      299       +1     

Impacted Files	Coverage Δ
cmd/activator/main.go	0.00% <0.00%> (ø)
pkg/activator/certificate/cache.go	41.81% <41.81%> (ø)

... and 1 file with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[nak3]

/cc @evankanderson @davidhadas @ReToCode @KauzClay @dprotaso

Could you please take a look?

[davidhadas]

On the client side,
We should find a way to avoid using InsecureSkipVerify: false and replace the standard lib verification.

[davidhadas]

/retest

[ReToCode]

/lgtm

/hold for other reviewers to chime in. Feel free to unhold if you have all the reviews you'd like.

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nak3, ReToCode

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nak3]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nak3]

Thank you for the reviews! I will unhold if there is no additional reviews in a few days.

[davidhadas]

@nak3
Looks very good, thank you.
/lgtm

[nak3]

/hold cancel

[evankanderson]

/approve

[evankanderson]

Should we decode all the CA certificates at this key, or only the first one?

[nak3]

I think it is okay to assume for now but we should decode all the CA if we will support the BYO CA certificate in the future. I will create the tracker issue.