Support Vault server running with TLS (#874)
* Change vault cluster in acceptance tests to only run with TLS. All tests will run against vault with TLS because that is the use case we think will be the most valuable for users to test
* Support adding Vault CA as a secret to pods that will be using vault agent. We need to add two annotations to pods:
      * vault.hashicorp.com/agent-extra-secret with the value of the Vault CA secret name. The secret will be mounted into the Vault Agent container at the /vault/custom path (see the Vault Agent Injector annotation docs).
      * vault.hashicorp.com/ca-cert - with the path of the ca file inside the vault agent container. This should be /vault/custom/<secret key>
* Most pods will only need those annotations. The server pods also need the Vault CA secret to be mounted as a volume because it needs the CA to be on the file system for the vault connect CA provider.
ishustava committed Dec 2, 2021
1 parent 45a9f7f commit cc449e4
Showing 2 changed files with 12 additions and 0 deletions.
2 changes: 2 additions & 0 deletions acceptance/tests/vault/vault_test.go
Expand Up @@ -129,6 +129,8 @@ func TestVault(t *testing.T) {
_, err = vaultClient.Logical().Write("consul/data/secret/gossip", params)
require.NoError(t, err)

vaultCASecret := vault.CASecretName(vaultReleaseName)

// Bootstrap TLS creates the CA infrastructure required for ServerTLS and also creates the `consul-server` roles.
bootstrapTLS(t, vaultClient, consulReleaseName)

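Review bot: `vaultCASecret` holds the *name* of the Kubernetes Secret returned by `vault.CASecretName`, not the CA material, yet the neighbouring locals that hold names carry the suffix (`vaultReleaseName`, `consulReleaseName`); renaming it `vaultCASecretName := vault.CASecretName(vaultReleaseName)` keeps the convention and stops later uses from reading as if a secret value were being passed into Helm values or annotations. A one-line why-comment would also help, since the commit message is currently the only place that explains it: `// The test Vault cluster is TLS-only, so every pod that talks to it must be handed the name of the Secret holding its CA.` TestVault begins and ends outside this hunk, so the variable's uses are not visible here.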
10 changes: 10 additions & 0 deletions charts/consul/test/unit/server-statefulset.bats
Expand Up @@ -1036,6 +1036,16 @@ load _helpers
[ "${actual}" = "true" ]
}

@test "server/StatefulSet: CA certificate is specified when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("--cacert /consul/tls/ca/tls.crt")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "server/StatefulSet: HTTP is disabled in agent when httpsOnly is enabled" {
cd `chart_dir`
local actual=$(helm template \
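Review bot: The new test asserts only the positive case: with `global.tls.enabled=true` the readiness probe is checked for `--cacert /consul/tls/ca/tls.crt`, but nothing verifies that the flag is absent when TLS is off, and nothing exercises the Vault-backed CA path the commit is about (if that path differs from the chart's own secret, this assertion would not notice; I cannot see the template from here). A companion negative test pins the other side of the conditional so a later template change cannot silently start passing `--cacert` to a plaintext server, which would make the probe fail or, worse, mask a misconfigured TLS rollout. Something like the following next to it:
```shell
@test "server/StatefulSet: CA certificate is not specified when TLS is disabled" {
  cd `chart_dir`
  local actual=$(helm template \
      -s templates/server-statefulset.yaml \
      . | tee /dev/stderr |
      yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("--cacert")' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}
```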
