Enable TLS based communication with Zookeeper Backend

[palsaurabh2005]

With this PR I am pushing changes that will allow Vault to communicate with the Zookeeper backend using TLS.
Description for Configuration changes is added to the readme

[palsaurabh2005]

Hello @jefferai ,
Please suggest if this Pull request requires a new Issue attached to it? The Original issue(#1652), is marked as closed.
Thanks!

[Andrewg-674]

@jefferai @briankassouf @chrishoffman @palsaurabh2005
As advised on this thread we have built Vault from source and can confirm that Mutual Auth works as expected with the Zookeeper backend. We are running a clustered Zookeeper setup that requires a client certificate verification.

[palsaurabh2005]

@jefferai @briankassouf @chrishoffman
Admins, I am curious to know if this would ever be reviewed or integrated?

[jefferai]

Generally speaking it would be nice if other zk storage users reviewed this. You may want to poke some of the people that have contributed to the backend in the past.

[palsaurabh2005]

Thanks Jeff. I see there is just one user @Andrewg-674 who has validated this PR.
I have already marked other zk users who had originally made this request or commented on it (#1652).

I am mentioning them here again, hoping to catch their attention:
@devth @kenbreeman @reegz @vixns @sherzberg @elupu

[kenbreeman]

Worth noting that this supports multiple CA's in a single file which is useful for rotation before they expire.

[palsaurabh2005]

Added additional description with Commit:
palsaurabh2005@3749e91

[kenbreeman]

Looks good to me, one comment on documentation around the CA file.

[palsaurabh2005]

Thanks for reviewing this @kenbreeman. As per your comment I have added some more info for the CA cert file usage and its ability to support multiple CA certs in a single file.
The Lib ref for RootCAs property is documented here: https://golang.org/pkg/crypto/tls/ #RootCAs

cc: @jefferai @chrishoffman @briankassouf @devth @reegz @vixns @sherzberg @elupu

[palsaurabh2005]

auth_info is removed in this commit since it was incorrectly committed as a duplicate in a previous commit.

[palsaurabh2005]

Hello @jefferai
We have the PR verified by 2 members. Would more reviews be needed?

Thanks.

[palsaurabh2005]

@jefferai @vishalnayak
One more thing on the regression impact of this PR:
The flow to establish a TLS connection is only triggered when a user explicitly sets the property "tls_enabled" to true. If it is not set or set to false, the same pre-PR code will execute:

if isTlsEnabled {
 		      // Create a custom Dialer with cert configuration for TLS handshake.
 		     tlsDialer := customTLSDial(conf, machines)
 		     options := zk.WithDialer(tlsDialer)
 		     return zk.Connect(strings.Split(machines, ","), timeout, options)
 	 } else {
                   // **pre-PR -->** 	
                   return zk.Connect(strings.Split(machines, ","), timeout)
 	 }  

So existing integrations that do not have this "tls_enabled" will work as expected without any impact from this change.

[palsaurabh2005]

@briankassouf
Thank you for Merging the PR!