Backport of consul: add client configuration for grpc_ca_file into release/1.3.x

[hc-github-team-nomad-core]

Backport

This PR is auto-generated from #15701 to be assessed for backporting due to the inclusion of the label backport/1.3.x.

The below text is copied from the body of the original PR.

---

This combined with hashicorp/consul#15913 should be enough to get folks unblocked in upgrading to Consul 1.14 with TLS enabled and using Connect.

Unfortunately the breaking change on the Consul side combined with the new config required on the Nomad side implies the upgrade path for affected folks requires reconfiguration and restarting the Consul and Nomad agents together. Further, users who now specify a CA for grpc connections distinct from the Consul HTTP CA will need to drain each node of existing Connect services making use of the Envoy proxy - otherwise existing services will begin to fail to receive xDS config changes from Consul.

Note that Nomad users will also need to either configure consul.grpc_address to the 8503 default tls grpc port, or modify Consul config to listen to grpc tls on port 8502, e.g.

in nomad.hcl

consul {
  grpc_ca_file = "/etc/tls/consul-agent-ca.pem"
  ca_file = "/etc/tls/consul-agent-ca.pem"
  cert_file = "/etc/tls/dc1-client-consul-0.pem"
  key_file = "/etc/tls/dc1-client-consul-0-key.pem"
  ssl = true
  address = "127.0.0.1:8501"
  grpc_address = "127.0.0.1:8503"
}

Closes #15360

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.