Remove manual CertReloader wiring

[ycombinator]

What is the problem this PR solves?

PR #6838 added TLS certificate hot-reload support to fleet-server by manually wiring up a CertReloader in server.go. This manual wiring duplicates logic that now lives in elastic-agent-libs (via elastic/elastic-agent-libs#417), which wires CertReloader into both LoadTLSServerConfig (server-side) and LoadTLSConfig (client-side) automatically. Having the wiring in both places is redundant and means fleet-server carries passphrase resolution and reloader option-building code that the library already handles.

How does this PR solve the problem?

Removes the manual CertReloader setup block from server.Run() and the local resolvePassphrase helper function. LoadTLSServerConfig now returns a TLSConfig with certReloader already configured, and BuildServerConfig() automatically sets GetCertificate on the resulting tls.Config. No behavioral change — certificate hot-reload continues to work exactly as before.

Note that elastic/elastic-agent-libs#417 also wires up client-side certificate reloading via LoadTLSConfig → ToConfig(), which sets GetClientCertificate on the resulting tls.Config. This means fleet-server's client-side TLS connections to Elasticsearch (via httpcommon.HTTPTransportSettings.RoundTripper()) also get automatic certificate hot-reload without any code changes in fleet-server.

How to test this PR locally

The existing Test_server_TLSCertReload integration test validates that certificate reload works end-to-end. Run it with:

go test ./internal/pkg/api/ -run Test_server_TLSCertReload -v

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have added tests that prove my fix is effective or that my feature works

Related issues

• Relates Allow Fleet Server to reload TLS certificates without restarting #6838
• Requires feat(tlscommon): wire CertReloader into LoadTLSConfig and LoadTLSServerConfig elastic-agent-libs#417

🤖 Generated with Claude Code

[mergify]

This pull request does not have a backport label. Could you fix it @ycombinator? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.