Fix Host support choosing cleartext or TLS

[kflynn]

CHANGELOG: Properly support using a Host to specify cleartext or non-ACME TLS.
CHANGELOG: Be more forgiving about mismatched SNI connections.

This is probably best reviewable commit-by-commit. There are several small changes here that add up to substantial effects:

• (commit abf295f) Edge Stack was creating the fallback TLSContext whenever no termination contexts were present, irrespective of what any Hosts said. If you think this through you'll realize that it means that there would always be a termination context present, preventing running a cleartext-only Edge Stack.

  We now only create the fallback context if there are no termination contexts and no Hosts, which is to say, when Edge Stack is running basically unconfigured. If a Host is present that says to run cleartext, it will be honored.

• (commit 2182353) Don't look at the acmeProvider when deciding whether or not to enable TLS termination for a Host -- instead, only look at whether a tlsSecret is present. The effect here is that if you say acmeProvider.authority: none but manually provide a tlsSecret, you'll still get TLS termination.

  (When Edge Stack ACME is in use, the ACME client will fill in the tlsSecret for you if you don't set it, so there will always be a tlsSecret if termination should happen. If you do set a tlsSecret with Edge Stack ACME in use, the ACME client will happily use the secret name you provide.)

• (commits cd50960 and a63b529) Rationalize Envoy VHost entries such that we'll always have a VHost for *. If the configuration specifies a Host with hostname: "*", we'll use that -- otherwise, grab the first VHost entry and make it have hostname: "*".

  This seems odd, but is probably the least surprising thing to do: if you connect to a port and offer a strange SNI domain, it's probably less surprising to people to get back a certificate for something that should be listening there, rather than having Envoy simply drop the connection with a TLS error. If need be, we can create a setting that allows disabling this more forgiving behavior later.

Still to come: doc tweaks, and the port-override mechanism suggested by @nbkrause to fully support L4 split LBs. Those will be separate PRs.

Testing: KAT passes for both API Gateway and Edge Stack, including dropping the XFail for HostCleartext.

[LukeShu]

What was that ever for? Just as a hack for KAT?

[kflynn]

Many of the KAT tests did a poor job of handling the automagic redirect on 8080 that used to be there. This was a crutch that I expect to be deleting shortly (I have to do a full test run to make sure it's really no longer used).

[LukeShu]

I'm having a hard time understanding what's going on in a63b529. Perhaps it will make more sense after I put some food in me.

[kflynn]

An important note for a63b529 is that enable_sni used to keep track of whether we would use a VHost of "*" (if only one unique domain was present) or a VHost with an actual domain name in it (if more than one unique domain was present). So much of that commit is ripping out the now-dead enable_sni logic, and then there's the small chunk of "if we don't have a VHost "*", then overwrite the first VHost's hostname that takes its place.