Support CA rotation in front-proxy #1308

Open
@s-urbaniak

Currently, we load client cert/key, and root CAs at startup time but don't rotate them:

kcp/pkg/proxy/proxy.go

Lines 56 to 69 in 15cbe0f

cert, err := tls.LoadX509KeyPair(clientCert, clientKeyFile)
if err != nil {
	return nil, err
}
transport := http.DefaultTransport.(*http.Transport).Clone()
transport.TLSClientConfig = &tls.Config{
	Certificates: []tls.Certificate{cert},
	RootCAs:      caCertPool,
}
proxy := httputil.NewSingleHostReverseProxy(target)
proxy.Transport = transport
return &KCPProxy{proxy: proxy, backend: backend}, nil

I suppose rotation is done by re-deployment currently? We should rather support in-process rotation.

cc @kylape @csams
