server: improve TLS certificate generation

[dnephin]

Today we have a few problems with the TLS certificate generation in the server:

• SelfSignedOrLetsEncryptCert can race with itself, creating multiple primary keys and certs #2067
• we throw away the CA certificate and key, so each certificate is generated with a different CA, and we lose both the CA and certificate on restart

Proposal

1. Generate the CA in helm, and save it to a kubernetes secret. Include that secret in the server deployment so the server can access it. Depends on server: allow user to provide their own TLS cert and key #2176 so that we can tell the server about the path to the CA from the helm chart.
2. On first request, if we don't have a certificate, generate one using the CA. We should use x509.Ed25519 instead of RSA to reduce the generation time. We also need to add some kind of synchronization to solve SelfSignedOrLetsEncryptCert can race with itself, creating multiple primary keys and certs #2067.
3. In the CLI, use tls.Config.VerifyPeerCertificate (instead of the cert we get back from x509.UnknownAuthorityError) to prompt for trust of the CA (instead of prompting for trust of the server certificate). Since the server certificate may change, but the CA remains across restarts, we need to trust the CA instead of the leaf cert.

Related issues

• server: allow user to provide their own TLS cert and key #2176 - to allow the user to specify their own CA and certificates