Add dynamic certificate feature to controller

cmd/nginx/flags.go

@@ -147,6 +147,10 @@ Requires the update-status parameter.`)
 			`Dynamically refresh backends on topology changes instead of reloading NGINX.
 Feature backed by OpenResty Lua libraries.`)
 
+		dynamicCertificatesEnabled = flags.Bool("enable-dynamic-certificates", false,
+			`Dynamically update SSL certificates instead of reloading NGINX.
+Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not enabled`)
+
 		httpPort      = flags.Int("http-port", 80, `Port to use for servicing HTTP traffic.`)
 		httpsPort     = flags.Int("https-port", 443, `Port to use for servicing HTTPS traffic.`)
 		statusPort    = flags.Int("status-port", 18080, `Port to use for exposing NGINX status pages.`)
@@ -213,6 +217,11 @@ Feature backed by OpenResty Lua libraries.`)
 		glog.Warningf("SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)")
 	}
 
+	if (*enableSSLChainCompletion || !*dynamicConfigurationEnabled) && *dynamicCertificatesEnabled {
+		return false, nil, fmt.Errorf(`SSL certificate chain completion cannot be enabled and dynamic configration cannot be disabled when 
+dynamic certificates functionality is enabled. Please check the flags --enable-ssl-chain-completion and --enable-dynamic-configuration`)
+	}
+
 	// LuaJIT is not available on arch s390x and ppc64le
 	disableLua := false
 	if runtime.GOARCH == "s390x" || runtime.GOARCH == "ppc64le" {
@@ -248,6 +257,7 @@ Feature backed by OpenResty Lua libraries.`)
 		SyncRateLimit:               *syncRateLimit,
 		DynamicConfigurationEnabled: *dynamicConfigurationEnabled,
 		DisableLua:                  disableLua,
+		DynamicCertificatesEnabled:  *dynamicCertificatesEnabled,
 		ListenPorts: &ngx_config.ListenPorts{
 			Default:  *defServerPort,
 			Health:   *healthzPort,