scertec
all: implement fetching additional domains from setec secret
This implements fetching additional domains to maintain certs for from a setec secret, which is refreshed periodically.
This eliminates the need to bounce scertecd when domains change, unless they were provided as a command-line parameter.
Invocations of scertecd can now specify the setec secret using --additional-domains-key.
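As an added example (not code from the scertec repository or this PR), the sketch below shows the shape of the mechanism the description outlines: a fixed set of domains from the command line, plus a set read from a secret that is re-fetched on a timer, with the union handed to the cert-maintenance loop. The real setec client is replaced by a small `secretFetcher` interface and an in-memory stand-in, the line-per-domain payload format and the domain validation rule are assumptions of the example, and the refresh keeps the last good list on any fetch or parse error so a bad edit to the secret cannot drop domains that are already being maintained.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"sort"
	"strings"
	"sync"
	"time"
)

// secretFetcher stands in for the secret store client. In scertecd this would
// be the setec client reading the secret named by --additional-domains-key;
// its real API is not reproduced here (assumption of this example).
type secretFetcher interface {
	Fetch(ctx context.Context) ([]byte, error)
}

// domainSet holds the domains to maintain certs for: a static set from flags
// and a dynamic set from the secret that is replaced wholesale on each refresh.
type domainSet struct {
	mu     sync.Mutex
	static []string
	extra  []string
}

func newDomainSet(static []string) *domainSet {
	return &domainSet{static: static}
}

// validDomain is a deliberately conservative hostname check (assumed format):
// ASCII letters, digits and hyphens in dot-separated labels, no wildcards.
func validDomain(s string) bool {
	if s == "" || len(s) > 253 {
		return false
	}
	for _, label := range strings.Split(s, ".") {
		if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for _, r := range label {
			ok := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == '-'
			if !ok {
				return false
			}
		}
	}
	return true
}

// parseDomainList parses the secret payload as one domain per line, ignoring
// blank lines and '#' comments. Any invalid entry rejects the whole payload so
// a partially edited secret is never half-applied.
func parseDomainList(b []byte) ([]string, error) {
	var out []string
	for i, line := range strings.Split(string(b), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !validDomain(line) {
			return nil, fmt.Errorf("line %d: invalid domain %q", i+1, line)
		}
		out = append(out, strings.ToLower(line))
	}
	return out, nil
}

// refresh fetches and applies the secret once. On fetch or parse failure the
// previously applied list is kept unchanged.
func (d *domainSet) refresh(ctx context.Context, f secretFetcher) error {
	b, err := f.Fetch(ctx)
	if err != nil {
		return fmt.Errorf("fetch additional domains: %w", err)
	}
	extra, err := parseDomainList(b)
	if err != nil {
		return fmt.Errorf("parse additional domains: %w", err)
	}
	d.mu.Lock()
	d.extra = extra
	d.mu.Unlock()
	return nil
}

// Domains returns the deduplicated, sorted union of static and dynamic domains.
func (d *domainSet) Domains() []string {
	d.mu.Lock()
	defer d.mu.Unlock()
	seen := map[string]bool{}
	var out []string
	for _, list := range [][]string{d.static, d.extra} {
		for _, dom := range list {
			dom = strings.ToLower(dom)
			if !seen[dom] {
				seen[dom] = true
				out = append(out, dom)
			}
		}
	}
	sort.Strings(out)
	return out
}

// runRefresher polls the secret until ctx is cancelled; errors are logged
// rather than fatal, so the daemon keeps serving the last good list.
func (d *domainSet) runRefresher(ctx context.Context, f secretFetcher, every time.Duration) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		if err := d.refresh(ctx, f); err != nil {
			log.Printf("keeping last good domain list: %v", err)
		}
		select {
		case <-ctx.Done():
			return
		case <-t.C:
		}
	}
}

// memFetcher is a constructed in-memory stand-in for the secret store.
type memFetcher struct {
	mu   sync.Mutex
	data []byte
	err  error
}

func (m *memFetcher) Fetch(ctx context.Context) ([]byte, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.data, m.err
}

func (m *memFetcher) set(data string, err error) {
	m.mu.Lock()
	m.data, m.err = []byte(data), err
	m.mu.Unlock()
}

func main() {
	// Constructed sample: one domain from flags, two more in the "secret".
	ds := newDomainSet([]string{"trunk1.example.com"})
	f := &memFetcher{data: []byte("trunk2.example.com\n# added at bringup\nTRUNK3.example.com\n")}
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	go ds.runRefresher(ctx, f, 50*time.Millisecond)
	time.Sleep(120 * time.Millisecond)
	fmt.Println(ds.Domains())
	f.set("bad domain!\n", nil) // a broken edit to the secret is rejected whole
	time.Sleep(120 * time.Millisecond)
	fmt.Println(ds.Domains())
}
```

The point to check in a real implementation is the failure path: a fetch error or a malformed secret should leave the running list untouched and be visible in logs, since silently shrinking the domain list would let certs lapse. Note that the refresh interval bounds how long a newly added trunk waits before issuance starts, and that this refresh logic does nothing to coordinate multiple scertecd instances.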
I thought about it more and I still don't like this. I don't see what problem it solves.
Also, a move this big (moving to use setec for configuration management) should have an issue with a plan. Like: we scale up some count of some server type in prod configuration files and then we terraform+ansible+ ... something else now to write the setec secret with configuration? Or does some terraform/ansible step do that? Which? Do we then have to wait for that config to be rolled out everywhere? Or are we depending on certd only running one copy for now?
Whereas if we just don't do this, we instead just modify the config files and re-deploy and it restarts the binary with the new flags.
The problem it solves is having to manually adjust command lines or files on a box and bounce certd whenever we want to add a new trunk. The plan was to make the secret accessible to humans only and add a step to add the new trunk name to the secret as part of bringup instructions.
I believe multiple certds will cause the same problems (duplicate issuance when racing) with or without this change.