Starting with MongoDB 4.2 we are able to rotate the internal authentication keyfiles in a rolling fashion with the procedure described here:
https://docs.mongodb.com/manual/tutorial/rotate-key-sharded-cluster/

Currently when you import for automation a cluster that is using a different keyfile than the one in the automation config a bouncerestart is triggered. We can avoid it by doing a rolling rotation of the keyfile.

The old keyfile should be kept and the new one appended to it in a rolling fashion. We may have already this implemented for the "Rotate keyfile" feature present in the Security tab page.