
wip: refreshable *tls.Config support for CGR clients #725


Draft: wants to merge 3 commits into base: develop

Conversation

sidkmenon

Before this PR

After this PR


Possible downsides?

@changelog-app

changelog-app bot commented Nov 27, 2024

Generate changelog in changelog/@unreleased


Description

wip: refreshable *tls.Config support for CGR clients


@sidkmenon (Author) commented Feb 14, 2025

How I'm imagining that this would be used:

// example implementation of CA bundle refreshable
type configMapCABundleProvider struct {
	refreshable.Updatable[[]*x509.Certificate]
}

// AddOrUpdate plugs into informer events to parse configmaps into CA certs
func (c *configMapCABundleProvider) AddOrUpdate(ctx context.Context, cm *corev1.ConfigMap) error {
	// some parsing implementation
	certs, err := parseCM(cm)
	if err != nil {
		return err
	}
	// should be fine since the *x509.Certificate type doesn't contain any function types.
	// if it does, we can store the raw cert bytes instead
	c.Updatable.Update(certs)
	return nil
}

func NewRefreshableTLSConfig(
	ctx context.Context,
	certProvider certificateprovider.CertProviderFn,
	caBundleProvider refreshable.Refreshable[[]*x509.Certificate],
) (refreshable.Refreshable[*tls.Config], refreshable.UnsubscribeFunc, error) {
	return refreshable.MapWithError(
		caBundleProvider,
		func(cas []*x509.Certificate) (*tls.Config, error) {
			return tlsconfig.NewClientConfig(
				tlsconfig.ClientKeyPair(func() (tls.Certificate, error) {
					return certProvider.GetClientCert(ctx)
				}),
				tlsconfig.ClientRootCAs(func() (*x509.CertPool, error) {
					cp, err := x509.SystemCertPool()
					if err != nil {
						return nil, err
					}
					for _, cert := range cas {
						cp.AddCert(cert)
					}
					return cp, nil
				}),
			)
		},
	)
}

and you could pass the NewRefreshableTLSConfig refreshable to this client lib (obviously there's the whole v2/v1 thing but figured this example was more clear)
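The flow sketched in the comment above, reduced to a runnable standard-library version. This is an added example, not code from the PR or from conjure-go-runtime: `Refreshable`, `NewRefreshable`, `NewRefreshableTLSConfig`, `issue`, `trusted` and `RotationDemo` are constructed stand-ins for the palantir/pkg/refreshable and tlsconfig APIs, and the `demo-ca-A`, `demo-ca-B` and `example.test` certificates are generated in-process as demo data. It goes one step beyond the comment by also showing the failure mode a refreshable config is meant to avoid: a client that holds on to a `*tls.Config` snapshot never learns about a CA rotation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Refreshable is a constructed stand-in for palantir/pkg/refreshable's
// Refreshable[T]: a current value plus subscribers notified on every Update.
type Refreshable[T any] struct {
	mu   sync.RWMutex
	cur  T
	subs []func(T)
}

func NewRefreshable[T any](v T) *Refreshable[T]       { return &Refreshable[T]{cur: v} }
func (r *Refreshable[T]) Current() T                   { r.mu.RLock(); defer r.mu.RUnlock(); return r.cur }
func (r *Refreshable[T]) Subscribe(fn func(T))         { r.mu.Lock(); r.subs = append(r.subs, fn); r.mu.Unlock() }
func (r *Refreshable[T]) Update(v T) {
	r.mu.Lock()
	r.cur = v
	subs := append([]func(T){}, r.subs...) // snapshot so callbacks run outside the lock
	r.mu.Unlock()
	for _, fn := range subs {
		fn(v)
	}
}

// NewRefreshableTLSConfig follows the comment above: the CA bundle is the input and
// every update publishes a new *tls.Config (empty pool instead of SystemCertPool: hermetic).
func NewRefreshableTLSConfig(bundle *Refreshable[[]*x509.Certificate]) *Refreshable[*tls.Config] {
	build := func(cas []*x509.Certificate) *tls.Config {
		pool := x509.NewCertPool()
		for _, c := range cas {
			pool.AddCert(c)
		}
		return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	}
	out := NewRefreshable(build(bundle.Current()))
	bundle.Subscribe(func(cas []*x509.Certificate) { out.Update(build(cas)) })
	return out
}

// issue creates a constructed demo cert: a self-signed CA if parent is nil, else a server leaf for cn.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted reports whether leaf chains to cfg.RootCAs, as a TLS client would check.
func trusted(cfg *tls.Config, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: "example.test"})
	return err == nil
}

type DemoResult struct{ ABefore, BBefore, AAfter, BAfter, StaleBAfter bool }

// RotationDemo rotates the bundle from CA A to CA B: the refreshable config follows
// the bundle, while a cached *tls.Config snapshot silently keeps the old trust set.
func RotationDemo() (DemoResult, error) {
	caA, keyA, e1 := issue("demo-ca-A", nil, nil)
	caB, keyB, e2 := issue("demo-ca-B", nil, nil)
	leafA, _, e3 := issue("example.test", caA, keyA)
	leafB, _, e4 := issue("example.test", caB, keyB)
	if err := errors.Join(e1, e2, e3, e4); err != nil {
		return DemoResult{}, err
	}
	bundle := NewRefreshable([]*x509.Certificate{caA})
	cfg := NewRefreshableTLSConfig(bundle)
	stale := cfg.Current() // a client that caches this pointer never sees the rotation
	a0, b0 := trusted(stale, leafA), trusted(stale, leafB)
	bundle.Update([]*x509.Certificate{caB}) // rotation: retire A, trust B
	a1, b1 := trusted(cfg.Current(), leafA), trusted(cfg.Current(), leafB)
	return DemoResult{a0, b0, a1, b1, trusted(stale, leafB)}, nil
}

func main() { fmt.Println(RotationDemo()) }
```

Running it prints a `DemoResult` where only `ABefore` and `BAfter` are true. The `StaleBAfter == false` line is the part that matters for a client library: anything that copied the `*tls.Config` once (an `http.Transport` built at startup, for example) keeps trusting the retired CA and rejects the new one, so the consumer of the refreshable has to either rebuild the transport in its subscriber or resolve the current config on every connection, for instance from a `DialTLSContext` hook.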

}

// SubscribeToTLSConfig implements RefreshableTLSConf.
func (m *MappedRefreshableTLSConfig) SubscribeToTLSConfig(consumer func(*tls.Config)) (unsubscribe func()) {
Contributor

why are we reimplementing refreshables here?
