Hi there @janst! You and I are thinking about the same stuff regarding running Ziti in prod with K8s. The encompassing question is "How do I run Ziti in production?" and that's going to be a collaboration over time that hopefully produces some helpful hints in the "deployment" area of the docs and the controller chart's README.
I'll answer the easy one first and focus on your use case for running Ziti in prod on K8s.
Short answer: make sure the controller pod is deployed more often than the configured server certificate lifespan expires.
Explanation: The configmap is immediately updated when cert manager auto-renews the controller's server certificate. With the current controller chart v0.4.1, each server identity is mounted inside the running container as a separate directory. Each identity directory has files representing the configmap's data, e.g., tls.crt, tls.key.
The configmap update with the renewed certificate is propagated to the controller container filesystem immediately, so it will be read the next time the process is started.
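Added example (not from the original post or the Ziti project): a shell check for the failure mode described above, i.e. the renewed certificate is already on disk in the container but the running controller process is still serving the old one until it is restarted. The cert path, listener address and SNI name are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the Ziti project): a check that
# the running controller actually serves the certificate cert-manager renewed
# on disk. Placeholders/assumptions: $1 is the tls.crt mounted in the
# controller container and $2 (host:port) is the controller's TLS listener.

# SHA-256 fingerprint of a PEM certificate file.
disk_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate a live TLS listener presents.
served_fingerprint() {
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True (exit 0) when the on-disk and served fingerprints differ: the process
# still holds the pre-renewal certificate and the pod needs a restart.
cert_is_stale() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# True (exit 0) when the certificate expires within $2 days; -checkend is
# portable across openssl builds, unlike date parsing of the notAfter field.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: check_controller /path/to/tls.crt ctrl.example.internal:1280 ctrl.example.internal
check_controller() {
  disk=$(disk_fingerprint "$1")
  live=$(served_fingerprint "$2" "$3")
  [ -n "$live" ] || { echo "ERROR: could not read a certificate from $2"; return 3; }
  if cert_is_stale "$disk" "$live"; then
    echo "STALE: served cert $live != on-disk cert $disk; restart the controller pod"
    return 1
  fi
  if expires_within_days "$1" 7; then
    echo "WARNING: on-disk cert expires within 7 days and no renewal has landed yet"
    return 2
  fi
  echo "OK: controller serves the current certificate"
}
```

Run it from a CronJob or a readiness-style probe with a margin shorter than the renewal window, so a pod that missed a renewal is restarted before the old certificate expires.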