Description
What is the bug?
The hot reloading TLS certificates feature (https://docs.opensearch.org/docs/latest/security/configuration/tls/#hot-reloading-tls-certificates) doesn't work due to certificates being mounted to a POD using the subPath function.
How can one reproduce the bug?
Create a cluster with externally managed certificates (cert-manager). Wait for cert-manager to issue a new version of the certificate. Check the certificate files inside the POD: they will not change and will still contain the old certificates.
What is the expected behavior?
The certificate files inside the POD should be updated once cert-manager issues a new version of the certificate
What is your host/environment?
OpenSearch 2.19.2/3.0
Do you have any additional context?
The problem is caused by the way certificates are mounted to the POD. Kubernetes doesn't update files inside the POD once subPath is used: kubernetes/kubernetes#50345
Probably it makes sense to provide an ability to mount secrets with certificates as is.
For example, cert-manager puts ca.crt in the same secret, so there is no need to mount CA certificate from a different secret:
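
Added example, not part of the original issue or the operator's code: a check that flags Secret-backed volumes mounted with `subPath` in a Pod spec, which is the condition described above that keeps rotated certificates from reaching the container. The Pod, volume and secret names in the sample are constructed; real input would come from `kubectl get pod -o json`.

```python
import json

# Constructed sample shaped like `kubectl get pod -o json` output (all names are made up).
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "opensearch-node-0"},
  "spec": {
    "volumes": [
      {"name": "transport-cert", "secret": {"secretName": "node-tls"}},
      {"name": "http-cert", "secret": {"secretName": "http-tls"}},
      {"name": "data", "emptyDir": {}}
    ],
    "containers": [{
      "name": "opensearch",
      "volumeMounts": [
        {"name": "transport-cert", "mountPath": "/certs/transport/tls.crt", "subPath": "tls.crt"},
        {"name": "http-cert", "mountPath": "/certs/http"},
        {"name": "data", "mountPath": "/data", "subPath": "node"}
      ]
    }]
  }
}
""")

def stale_secret_mounts(pod):
    """Return (container, volume, mountPath, subPath) for each Secret-backed volume
    mounted with subPath/subPathExpr; the kubelet does not refresh such mounts."""
    spec = pod.get("spec", {})
    secret_vols = set()
    for vol in spec.get("volumes", []):
        # A projected volume can also carry a secret source.
        sources = vol.get("projected", {}).get("sources", [])
        if "secret" in vol or any("secret" in s for s in sources):
            secret_vols.add(vol["name"])
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            sub = m.get("subPath") or m.get("subPathExpr")
            if sub and m["name"] in secret_vols:
                findings.append((c["name"], m["name"], m["mountPath"], sub))
    return findings

if __name__ == "__main__":
    for finding in stale_secret_mounts(SAMPLE_POD):
        print("subPath secret mount (no hot reload): %s/%s at %s (subPath=%s)" % finding)
```

The `http-cert` volume in the sample is mounted as a whole directory, so it is not flagged; the `data` mount uses `subPath` but is not a Secret, so it is not flagged either.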
