This issue is to expose the system-agent agent-tls-mode setting on the MachineRegistration. This should apply to both the rancher-system-agent and the elemental-system-agent.
The elemental-register already implements a mixture of these two settings (appending the private CA to the system's trust store); it does make sense to align the behavior with the other agents.
This will allow users to use the system-store value, instead of strict, and more easily manage the lifecycle of CA certs by including them in the system image.
This scenario will be even easier if a public Certificate Authority is used, since Elemental base images contain ca-certificates and ca-certificates-mozilla packages by default. So no further action should be required when system-store setting is in use.
I just found out that Rancher already exposes the agent-tls-mode setting, for the rancher-system-agent.
This leads to a bootstrap secret that will start with:
```sh
#!/usr/bin/env sh
STRICT_VERIFY="true"
```
or STRICT_VERIFY="false" in case TLS mode is system-store.
This env is not exposed in any of the agent config. Instead it is used to generate the /etc/systemd/system/rancher-system-agent.service file, where it's passed as Environment=CATTLE_AGENT_STRICT_VERIFY= in the Service section.
The agent code seems to only load this setting from this env.
So the bad news is that for the elemental-system-agent we are struggling, as we have no convenient way of passing this env. We most likely do not want to also generate the systemd service file on the fly during installation. This should be fixed upstream and exposed in the agent config, or in the connection info.
Anyway, for the sake of Elemental, we can take the approach of reading the agent-tls-mode Rancher setting to configure the elemental-system-agent, but allow overriding on a registration level, like we are going to do for the other CA settings.
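The approach sketched in this thread, as an added example in Go that is not code from the elemental or Rancher projects: the effective TLS mode is resolved with a registration-level override falling back to the Rancher setting, mapped to the STRICT_VERIFY boolean, and turned into a root pool that is either the private CA alone (strict) or the OS trust store with the private CA appended (system-store). The function names, the precedence rule and the error handling are assumptions made here.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
)
// Mode values as named by the Rancher agent-tls-mode setting.
const ModeStrict, ModeSystemStore = "strict", "system-store"
// ResolveMode returns the effective mode. Assumed precedence: a value set on the
// MachineRegistration overrides the cluster-wide Rancher setting.
func ResolveMode(registrationMode, rancherSetting string) (string, error) {
	mode := rancherSetting
	if registrationMode != "" {
		mode = registrationMode
	}
	if mode != ModeStrict && mode != ModeSystemStore {
		return "", fmt.Errorf("unknown agent-tls-mode %q", mode)
	}
	return mode, nil
}

// StrictVerify maps the mode to the boolean carried by STRICT_VERIFY in the
// bootstrap script and by CATTLE_AGENT_STRICT_VERIFY in the systemd unit.
func StrictVerify(mode string) bool { return mode == ModeStrict }

// TrustStore builds the roots the agent verifies Rancher against: strict trusts
// only the registration CA (required); system-store starts from the OS trust
// store and appends the registration CA when one is provided.
func TrustStore(mode string, caPEM []byte) (*x509.CertPool, error) {
	if _, err := ResolveMode(mode, ""); err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if mode == ModeStrict && len(caPEM) == 0 {
		return nil, errors.New("strict mode requires a CA certificate")
	}
	if mode == ModeSystemStore {
		var err error
		if pool, err = x509.SystemCertPool(); err != nil {
			return nil, err
		}
	}
	// Reject data that is not a PEM certificate rather than silently trusting nothing.
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA data is not a valid PEM certificate")
	}
	return pool, nil
}
```

With system-store and a public CA, the pool returned here is just the OS store, which is why no extra step is needed on images that already ship the ca-certificates packages.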
fgiudici changed the title from "Allow agent-tls-mode setting on MachineRegistration" to "[CA lifecycle] Allow agent-tls-mode setting on MachineRegistration" on Nov 8, 2024.