Add validation that externalServers.hosts is not set to HCP-managed cluster's addresses when global.cloud.enabled

[zalimeni]

This reintroduces #3218 with an additional small change to ensure Helm template validation is applied with necessary short-circuits. I've added the fix as a separate commit to simplify review based on the original.

Original PR description below:

---

Overview

If we set externalServers.hosts to the public or private address of an HCP-manged cluster, we run into the following because we're hardcoding -tls-server-name to server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}}:

2023-11-10T01:32:31.386Z [ERROR] consul-server-connection-manager: connection error: error="rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for 517429dd-fcab-4fe6-bc4a-57750f69df7e.aws.hashicorp.cloud, consul-cluster.consul.e4065767-bd61-4f00-8b2b-81f631f7d4d1.aws.hashicorp.cloud, consul-cluster.private.consul.e4065767-bd61-4f00-8b2b-81f631f7d4d1.aws.hashicorp.cloud, not server.consul-cluster.consul\”"

We hard-code -tls-server-name in many places like:

consul-k8s/charts/consul/templates/_helpers.tpl

Lines 229 to 231 in 4d7a187

	{{- if .Values.global.cloud.enabled }}
	-tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \
	{{- end}}

Changes proposed in this PR:

• Add validation that users don't set global.cloud.enabled while also using externalServers.hosts that point at an HCP-managed cluster (any address that has the suffix ".hashicorp.cloud")
• Add note to values.yaml describing how global.cloud is really for linking clusters, not for HCP-managed cloud clusters.

How I've tested this PR:

• bats, new bats test, ran it locally

How I expect reviewers to test this PR:

Checklist:

• Tests added
• CHANGELOG entry added

[zalimeni]

Because of the check directly above this one, we should never attempt to evaluate the inner if unless .Values.externalServers.hosts has been set.

[zalimeni]

Updated changelog filename to match this PR

[jjti]

Thank you @zalimeni for this fix! I'm checking since I didn't last time: are these acceptance test failures an issue or possibly broken because of this change? https://github.com/hashicorp/consul-k8s-workflows/actions/runs/7119514288

[zalimeni]

@jjti sure thing! Re: the acceptance test failure, I think you are ok. Given the vanilla acceptance suite passed and this change isn't specific to CNI, I expect you just hit a flake, which unfortunately isn't uncommon r/n w/ the acceptance tests (particularly CNI).

Consider me "approved" even though I opened the PR, and feel free to merge + backport when it makes sense.