Add get-consul-client-ca command

[ishustava]

When auto-encrypt is enabled, we need to retrieve Consul client CA from the Consul servers.

This command calls the /agent/connect/ca/roots endpoint, finds the currently active root CA, and writes it to the provided output file location.

This command allows you to provide a cloud-join string instead of the server address and this command will discover the servers. This allows us to re-use the client.join value in the Helm chart without requiring operators to provide the address of the server in addition to the join value.

[adilyse]

This looks good!

A couple of themes to my comments:

• Not importing anything from Consul besides the api or sdk. I understand that not all of these might be possible right now, but it might be good to figure out a plan for how to remove them in the future.

• Adding additional comments for extra context so that the subtleties are clearer.

• Removing temp files in the tests. I only commented on one specific one, but there seem to be a bunch.

Also, it would be great to have some unit tests for theconsulClient function that addresses all of the different scenarios and checks that the config that is generated matches expectations.

[lkysow]

I was mostly through my review so going to leave it anyway in case it's helpful.

[ishustava]

@adilyse @lkysow thanks so much for your reviews, they were super helpful 😄

I've made some changes and refactors that came out of your suggestions that are ready for re-review. Summary here:

• To remove the dependency on the tlsutil package from Consul, I've refactored the cert package. I've pulled some generic cert generation functions out into its own file called tls-util.go and made functions in source_gen.go call them. This allowed us to re-use them for tests in this command and the server-acl-init command. I've made the changes to the server-acl-init tests in this PR, but happy to pull it out if you think it's better.
• After adding some tests for what was previously consulClient function's logic, I've found some mistakes in my implementation (thanks Rebecca for the suggestion!). I've changed the server address parsing to essentially better handle different possibilities for the flag value (different combinations of scheme and host or host and port). Generally, these are the cases:
  • If the scheme and port are provided, we don't do anything
  • If scheme without a port is provided, we look at the scheme and use the default port for that scheme
  • If the scheme is not provided, but only the host and port are provided, we use Consul's default scheme (HTTP).
  • If neither scheme or port are provided, we assume HTTPS port and scheme

[lkysow]

Moving on to actually testing now.

[lkysow]

🎉