Make node TLS certificates totally ephemeral

[abukosek]

Closes #2098.

TODO:

• Add a flag to set node TLS certificate rotation interval.
• Figure out why the storage client unit tests fail with storage client: failed to write to any storage node (I used GetCertificate where I should have used GetClientCertificate 🤦‍♂️ ).
• Fix sentry nodes (these need to have persistent TLS certs, so no rotation for you).
• Fix e2e tests (need to take NextCertificate into account when comparing nodes in the registry_cli test).
• Enable cert rotation in e2e tests.
• Fix e2e tests again (tests using the IAS proxy should also not do rotation).
• Put the TLSSigner stuff back in (I temporarily removed this before to make debugging easier).
• Write changelog fragment.
• Fix the gRPC proxy so it dials connections itself rather than relying on an externally-established connection.
• Upstream node should send its TLS certs to the sentry node on init and on every rotation.
• Enable TLS cert rotation in e2e tests that use sentry nodes.
• Make the IAS proxy not panic when connection is dropped, it should just reconnect.
• Address review comments.
• Add check to gRPC proxy to make sure that upstream connection is in a good state before forwarding calls (and re-dial upstream if the connection has gone bad).
• Add separate long-term TLS certificates for the sentry node's control connection client.
• Address review comments.

[kostko]

Also make sure to reduce certificate expiration once this works.

[abukosek]

Sentry nodes and IAS proxies require non-rotating certificates, so I've left this as-is for now.

[codecov]

Codecov Report

Merging #2675 into master will increase coverage by 0.02%.
The diff coverage is 50.89%.

@@            Coverage Diff             @@
##           master    #2675      +/-   ##
==========================================
+ Coverage   65.67%   65.69%   +0.02%     
==========================================
  Files         342      342              
  Lines       32579    32866     +287     
==========================================
+ Hits        21395    21591     +196     
- Misses       8483     8581      +98     
+ Partials     2701     2694       -7     

Impacted Files	Coverage Δ
go/common/node/node.go	64.54% <0.00%> (-0.55%)	⬇️
go/oasis-node/cmd/ias/auth_registry.go	0.00% <0.00%> (ø)
go/oasis-node/cmd/identity/identity.go	37.50% <0.00%> (ø)
go/oasis-node/cmd/storage/benchmark/benchmark.go	3.92% <0.00%> (ø)
go/worker/sentry/grpc/worker.go	10.56% <0.00%> (-1.25%)	⬇️
go/worker/sentry/grpc/init.go	25.24% <6.66%> (-6.01%)	⬇️
go/registry/api/api.go	37.57% <30.30%> (-0.56%)	⬇️
go/oasis-node/cmd/node/node.go	53.95% <33.33%> (ø)
go/sentry/sentry.go	52.38% <33.33%> (-8.34%)	⬇️
go/sentry/api/grpc.go	54.16% <40.00%> (-23.62%)	⬇️
... and 40 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4aca538...ee4d9fc. Read the comment docs.

[Yawning]

Does this mean that nodes provisioned this way won't have ephemeral TLS certs unless they obliterate the persisted cert?

[abukosek]

Yes. As rotation is off by default for now, I thought this would make most sense.
Once we enable rotation by default, we can also disable persistent TLS certs here or add a flag to control this behavior.

[ptrus]

Probably open an issue in https://github.com/oasislabs/docs once this is merged, so we wont forget adding/updating docs

[abukosek]

Will do.

[ptrus]

Could use the cenkalti/backoff package we use in other similar cases?

[abukosek]

I think that would be an overkill for this simple use case -- the only time this connection is dropped is if the upstream node rotates its TLS certificates, a constant 2s retry is good enough.

[abukosek]

Thanks to everyone for your previous review comments. This PR is now ready for re-review :)

[Yawning]

As a matter of style I prefer private struct members to be separated from public ones (and not interleaved like it is here).

[ptrus]

Could instead wrap the existing constant backoff with WithMaxRetries

[ptrus]

Could the mutex be removed if instead the dialer just did initConnection and returned it (without storing it in the sentry worker struct)?

It might be also a bit cleaner, since in that case there will always be two connections, one the proxy will use and one the policy watcher? (and each would keep track of it's own connection like both already do, and if needed, initialize more connections). I think the only difference to current impl. would be that currently the connection is ?sometimes? shared (I think currently it depends if proxy or sentry first invoke the dialer, if the connection is shared or not - since upstreamDialer updates the internal connection state of the sentry, but doesn't the one of the proxy?).

---

On the other hand if we want to keep using one connection i think it could be done cleaner if upstreamDialer is it's own struct (and not part of sentry worker), that maintains a connection (or a pool of connections), and exposes a dial method that returns it (and redials it if necessary).

[abukosek]

The idea is to replace the policy watcher with a new sentry command (e.g. UpdatePolicies or something) that is called by the upstream node in a similar way to SetUpstreamTLSCertificates added in this PR. This will allow further simplifications of the sentry code, but that should be done in a separate PR.
I'll make an issue for this after I merge the PR.

[ptrus]

Nice 👍 🎉

[ptrus]

left 2 minor comments, otherwise looks good! 👍

[abukosek]

Thanks!