by benlivengood 101 days ago
I think we're almost at the point where public TLS endpoints never have to move their ephemeral private keys out of RAM. 6 days is pretty long in even modern cloud infrastructure lifecycles, and it's unlikely that an endpoint will go long without TLS certificates on restart (2-3 minutes seems to be average for Let's Encrypt), which is fine for rolling restarts and acceptable for a lot of DR scenarios.

This dramatically simplifies a lot of security assumptions because you can run stateless endpoints and not worry about encryption at rest or some of the bootstrapping issues. For example, only give an init container temporary credentials to modify DNS for ACME, or rely on HTTP-01 or TLS-ALPN-01.
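
An added example, not part of the comment above or of any ACME client: a Go sketch of the RAM-only pattern, where the endpoint generates its key at startup, lets only a CSR leave the process, and serves from a `tls.Certificate` whose key is never marshalled. The names `newInMemoryCert` and `issueStandIn` and the host `endpoint.example` are hypothetical, and a constructed local signer stands in for the ACME CA so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// issueStandIn is a constructed stand-in for the ACME CA (assumption): it signs
// with a throwaway key and sees only the CSR, never the endpoint's private key.
func issueStandIn(csrDER []byte, lifetime time.Duration) ([]byte, error) {
	req, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: req.DNSNames,
		NotBefore: now, NotAfter: now.Add(lifetime)}
	return x509.CreateCertificate(rand.Reader, leaf, leaf, req.PublicKey, caKey)
}

// newInMemoryCert keeps the key in process memory only; after a restart the
// key is gone and the endpoint simply requests a fresh certificate.
func newInMemoryCert(host string, lifetime time.Duration) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{host}}, key)
	if err != nil {
		return nil, err
	}
	der, err := issueStandIn(csr, lifetime)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

func main() {
	if _, err := newInMemoryCert("endpoint.example", 6*24*time.Hour); err != nil {
		panic(err)
	}
}
```

The returned value can be handed to `tls.Config.Certificates` or returned from a `GetCertificate` callback; nothing in the flow writes key material to a file or volume.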