Start certificate watchers (#592)

We have to kick these off to pick up changes.

(cherry picked from commit 2b88802)

Author: jan-g

.changes/unreleased/operator-Fixed-20250328-112231.yaml

@@ -0,0 +1,4 @@
+project: operator
+kind: Fixed
+body: Certificate reloading for webhook and metrics endpoints should now behave correctly.
+time: 2025-03-28T11:22:31.608235Z

operator/CHANGELOG.md

@@ -45,6 +45,7 @@ For more details see: https://github.com/kubernetes-sigs/kubebuilder/discussions
 * Toggling `useFlux`, in either direction, no longer causes the bootstrap user's password to be regenerated.
 
   Manual mitigation steps are available [here](https://github.com/redpanda-data/helm-charts/issues/1596#issuecomment-2628356953).
+* Certificate reloading for webhook and metrics endpoints should now behave correctly.
 
 
 ## v2.3.6-24.3.3 - 2025-01-17

operator/cmd/run/run.go

@@ -350,6 +350,9 @@ func Run(
 				setupLog.Error(err, "Failed to initialize webhook certificate watcher")
 				os.Exit(1)
 			}
+			go func() {
+				setupLog.Error(webhookCertWatcher.Start(ctx), "webhook cert watcher exits")
+			}()
 
 			webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) {
 				config.GetCertificate = webhookCertWatcher.GetCertificate
@@ -400,6 +403,9 @@ func Run(
 			setupLog.Error(err, "to initialize metrics certificate watcher", "error", err)
 			os.Exit(1)
 		}
+		go func() {
+			setupLog.Error(metricsCertWatcher.Start(ctx), "metrics cert watcher exits")
+		}()
 
 		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
 			config.GetCertificate = metricsCertWatcher.GetCertificate