The monitoring host should have a certificate that is compatible with Prometheus node_exporter client certificate authentication, so that it can use certificate-based authentication on nodes outside of AWS. A self-signed CA should be created for Prometheus metrics collection, and certificates issued from it for the monitoring host and for the node_exporter endpoints. For example, each endpoint gets a web_config.yml that points at ca.cert and endpoint.cert and authenticates the monitoring host by a certificate issued by that CA.
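
One way to carry out the steps above with openssl, as an added example that is not part of the original text: it creates the CA, issues a server certificate for a node_exporter endpoint and a client certificate for the monitoring host, and writes the matching web_config.yml. The key file names, the `monitoring-host` common name, the CA subject, the 2048-bit RSA keys and the validity periods are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed names: endpoint.key,
# monitoring.cert/.key, CN "monitoring-host"; key size and lifetimes are assumed.
set -eu

# issue_leaf DIR NAME CN EXT_SECTION: new key and CSR, signed by the CA in DIR.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.cert" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/openssl.cnf" -extensions "$4" \
    -out "$1/$2.cert"
}

# make_metrics_pki DIR ENDPOINT_DNS: ENDPOINT_DNS is the name Prometheus scrapes.
make_metrics_pki() {
  mkdir -p "$1"
  cat > "$1/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
[client_ext]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$1/openssl.cnf" -extensions ca_ext \
    -subj "/CN=prometheus-metrics-ca" -keyout "$1/ca.key" -out "$1/ca.cert"
  issue_leaf "$1" endpoint "$2" server_ext                 # node_exporter side
  issue_leaf "$1" monitoring monitoring-host client_ext    # Prometheus side
  chmod 600 "$1"/*.key
  # Passed to node_exporter via --web.config.file; rejects clients without a
  # certificate that chains to ca.cert.
  cat > "$1/web_config.yml" <<EOF
tls_server_config:
  cert_file: endpoint.cert
  key_file: endpoint.key
  client_auth_type: RequireAndVerifyClientCert
  client_ca_file: ca.cert
EOF
}

if [ "$#" -eq 2 ]; then make_metrics_pki "$1" "$2"; fi
```

Only ca.cert, endpoint.cert, endpoint.key and web_config.yml need to be copied to the endpoint; ca.key stays offline, and monitoring.cert with monitoring.key go to the monitoring host only.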