Problem statement: Contour does not provide support for certificate rotation for the control plane (xDS/gRPC) connection between Contour and Envoy.

It shall be possible to replace the certificates and keys and have them taken into use automatically. Rotation shall not cause interruptions for data plane traffic.

Tasks:

• cmd/contour: hot-reload certificates and key #2198 Add support for Contour to hot-reload certificates and key
• bootstrap: support for Envoy xDS certificate rotation #2333 Generate reloadable bootstrap configuration for Envoy
• Update deployment to use rotatable bootstrap config #2524 Flip default deployment over to use reloadable bootstrapping
• Document Contour certificate reloading behavior #2229 Update deployment documentation for certificate rotation
• certgen doesn't have enough RBAC permissions to update secrets #2538 certgen doesn’t have enough RBAC permissions to update secrets
• Stop using ImagePullPolicy of Always #2537 Stop using ImagePullPolicy of Always
• Certgen should generate secrets that are compatible with cert-manager #2494 Certgen should generate secrets that are compatible with cert-manager