In molecule upgrade scenario, client key for v3 services is difficult to locate #5652

Open
eloquence opened this issue Nov 25, 2020 · 1 comment

Comments


eloquence commented Nov 25, 2020

Steps to reproduce

I did the following:

  1. make build-debs
  2. make staging
  3. Delete the resulting VMs, in preparation for upgrade scenario
  4. make upgrade-start
  5. make upgrade-test-local

Expected result

I can log into the upgrade testing JI with the hidden service authentication token found in a predictable location.

Actual result

  • The token found in install_files/ansible_base/app-journalist.auth_private is still the old one from the previous staging run;
  • The token found in ~/.cache/molecule/securedrop/upgrade/sd-orig/install_files/ansible-base is correct and does work (but that path is not documented anywhere, AFAICT)
  • The token found in /var/lib/tor/services/journalistv3/authorized_clients on the app-staging VM does not match the one above, and does not work (the onion address in the hostname file matches the local copy above, and does load)

eloquence commented Nov 25, 2020

> The token found in /var/lib/tor/services/journalistv3/authorized_clients on the app-staging VM does not match the one above,

That's expected because v3 services use a keypair while v2 services use a shared token. For v3 services, the server never holds the private key required to authenticate. More info here.

In discussion at standup today we agreed that it may make sense for the upgrade testing playbook to output the public key value required to visit the JI, given that it is otherwise stored in a location that's not easy to guess (not even within the code checkout tree).

eloquence changed the title from "In molecule upgrade scenario, local copy of v3 token does not match server copy" to "In molecule upgrade scenario, client key for v3 services is difficult to locate" on Nov 25, 2020
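The keypair relationship described in the thread can be checked offline. The following is an added example, not part of the issue or of the SecureDrop code base: it derives the public-key line that a server-side `authorized_clients/*.auth` file should contain from a client `.auth_private` line. It assumes Tor's v3 client authorization file formats (`<onion>:descriptor:x25519:<base32 private key>` on the client, `descriptor:x25519:<base32 public key>` on the server); the function names and the sample line are constructed for illustration.

```python
import base64

P = 2**255 - 19  # Curve25519 field prime

def x25519_public(private: bytes) -> bytes:
    """Derive the X25519 public key (RFC 7748 ladder; not constant-time,
    intended only for offline checks like this one)."""
    if len(private) != 32:
        raise ValueError("x25519 private key must be 32 bytes")
    k = bytearray(private)
    k[0] &= 248   # RFC 7748 clamping
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b32(data: bytes) -> str:
    return base64.b32encode(data).decode().rstrip("=")  # Tor omits padding

def unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))

def server_line_for(auth_private_line: str) -> str:
    """Public-key line the server's authorized_clients/*.auth file should hold."""
    _onion, auth_type, key_type, priv = auth_private_line.strip().split(":")
    if (auth_type, key_type) != ("descriptor", "x25519"):
        raise ValueError("not a v3 client authorization line")
    return "descriptor:x25519:" + b32(x25519_public(unb32(priv)))

def matches(auth_private_line: str, authorized_client_line: str) -> bool:
    return server_line_for(auth_private_line).lower() == authorized_client_line.strip().lower()

# Constructed sample: RFC 7748 test private key and a placeholder onion name.
SAMPLE_PRIVATE = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SAMPLE_AUTH_PRIVATE = "placeholderonionaddress:descriptor:x25519:" + b32(SAMPLE_PRIVATE)

if __name__ == "__main__":
    print(server_line_for(SAMPLE_AUTH_PRIVATE))
```

A byte-for-byte comparison of the two files will always fail for v3 services; `matches()` is the comparison that tells you whether a local `.auth_private` file belongs to the client entry on the server.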