We currently use X.509 for services to authenticate to Gate. The issue with this is that this requires SSL termination to happen at the Gate service itself. As far as I can tell, Gate cannot reload the SSL certificate dynamically during runtime, so a refreshed SSL cert needs to either be redeployed via halyard or the pods needs to be killed manually to load a new cert, which is unreliable and a hack