config: Support loading of discovery bundle signature verification key from file #8308

@charlieegan3

Description

Discovery bundle signing keys are currently embedded in the bootstrap configuration file. To rotate these keys (e.g., before expiration, for compliance, or after compromise), I must restart OPA with updated configuration. This creates operational challenges in environments with many OPA instances or where downtime is costly.

Describe the ideal solution

Add support for a key_file option for verification keys (I guess for all bundles, but it might be less useful for non-disco bundles since the disco bundle can just contain the key), similar to the existing token_path for bearer tokens:

  keys:
    discovery_key:
      algorithm: RS256
      key_file: /etc/opa/keys/discovery_signing_key.pem

OPA would re-read the key file on each discovery bundle reload, enabling key rotation without restart.
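The re-read-on-reload behaviour described above, shown as an added example written for this page: it is not OPA's implementation, `loadRSAPublicKey`, `verifyRS256`, `publish` and `RotationDemo` are hypothetical names, and the key path and bundle payload are constructed. The verifier re-reads the PEM file on every check, so replacing the file rotates the trusted key with no restart; a signature made under the old key stops verifying as soon as the file changes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// loadRSAPublicKey re-reads a PEM-encoded PKIX public key from disk on every call (hypothetical helper, not OPA code).
func loadRSAPublicKey(path string) (*rsa.PublicKey, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read key file: %w", err)
	}
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("key file %s contains no PEM block", path)
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse public key: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("key file %s is not an RSA public key", path)
	}
	return rsaPub, nil
}

// verifyRS256 checks an RS256 (RSASSA-PKCS1-v1_5 with SHA-256) signature over payload
// against the key currently at keyFile; re-reading the file is what makes rotation work.
func verifyRS256(keyFile string, payload, sig []byte) error {
	pub, err := loadRSAPublicKey(keyFile)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// writePublicKeyPEM stores pub at path in PKIX/PEM form, readable by the file owner only.
func writePublicKeyPEM(path string, pub *rsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), 0o600)
}

// publish stands in for the bundle publisher: it mints a fresh signing key and returns
// its public half together with the RS256 signature over payload.
func publish(payload []byte) (*rsa.PublicKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return &priv.PublicKey, sig, err
}

// RotationDemo reports three outcomes: the bundle signed with key A verifies while A is in the
// key file, that signature is rejected once the file holds key B, and B's signature is accepted.
func RotationDemo(dir string) (okBefore, oldRejected, newAccepted bool, err error) {
	keyFile := filepath.Join(dir, "discovery_signing_key.pem")
	defer os.Remove(keyFile)
	payload := []byte(`{"bundles":{"discovery":{"resource":"bundles/discovery.tar.gz"}}}`) // constructed sample
	pubA, sigA, err := publish(payload)
	if err != nil {
		return
	}
	pubB, sigB, err := publish(payload)
	if err != nil {
		return
	}
	if err = writePublicKeyPEM(keyFile, pubA); err != nil {
		return
	}
	okBefore = verifyRS256(keyFile, payload, sigA) == nil
	// The operator rotates by replacing the file; the verifier is not restarted.
	if err = writePublicKeyPEM(keyFile, pubB); err != nil {
		return
	}
	oldRejected = verifyRS256(keyFile, payload, sigA) != nil
	newAccepted = verifyRS256(keyFile, payload, sigB) == nil
	return
}

func main() {
	a, b, c, err := RotationDemo(os.TempDir())
	fmt.Println("verified before rotation:", a, "| old signature rejected:", b, "| new signature accepted:", c, "| err:", err)
}
```

Because the file is consulted on every reload, whoever can write that path can change the trust anchor for discovery bundles; the file should be writable only by the deployment mechanism, and a read or parse failure should fail closed (the bundle is rejected) rather than fall back to a previously cached key.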

Additional context

OPA already has multiple file-based credentials/files that reload:

  1. Server TLS certs (--tls-cert-file, --tls-private-key-file) - fsnotify & polling
  2. Bearer tokens (services[_].credentials.bearer.token_path) - re-read per request
  3. AWS profile credentials (services[_].credentials.s3_signing.profile_credentials.path) - re-read per request
  4. Client TLS certs (services[_].credentials.client_tls.cert, .private_key) - paths to files

Metadata

Labels: distribution (Issues related to the bundle plugin)
Status: Backlog