feat: make HUB_CERTIFICATE_AUTHORITY optional to allow agent use OS's root CA

[mingqishao]

What type of PR is this?
/kind feature

What this PR does / why we need it:
When network controllers use secure TLS to talk the hub, a CA data configuration is mandatory today. This changes to make it optional so that allows network controller to use OS's root certificate to talk hub cluster.

Which issue(s) this PR fixes:

Fixes #

Requirements:

• run make reviewable for basic local test
• Read and followed fleet-networking's Code of conduct.
• uses conventional commit messages
• includes documentation
• adds unit tests

How has this code been tested

Special notes for your reviewer

[codecov]

Codecov Report

Merging #149 (129467b) into main (fbf584c) will increase coverage by 0.24%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##             main     #149      +/-   ##
==========================================
+ Coverage   78.62%   78.86%   +0.24%     
==========================================
  Files          20       20              
  Lines        2737     2735       -2     
==========================================
+ Hits         2152     2157       +5     
+ Misses        466      460       -6     
+ Partials      119      118       -1     

Impacted Files	Coverage Δ
pkg/common/uniquename/uniquename.go	82.96% <ø> (ø)
...rollers/member/internalmembercluster/controller.go	70.77% <ø> (+2.59%)	⬆️
pkg/common/hubconfig/hubconfig.go	80.00% <50.00%> (-0.71%)	⬇️

... and 4 files with indirect coverage changes

[jim-minter]

lgtm, @ryanzhang-oss ptal/merge?

[ryanzhang-oss]

why is that the err != nil not checked?

[mingqishao]

the env.Lookup() is customized function in this module which wrap the os.Envlookup(). err == nil mean the environment be found.

Actually I do feel this wrap function is a kind of confusing, I use it only because of keeping consistent with other codes.

[zhiying-lin]

Suggested change

	if err == nil {
	// use the agent OS's root CA when the hubCA env is not set
	if err == nil { // check if hubCA env is not set

Please add the comment here to improve the readability as in normal case we check the err != nil and need some signal here to indicate why we check err == nil here.

[ryanzhang-oss]

why are those in this PR?

[mingqishao]

Those changes was made by "make reviewable"

[zhiying-lin]

could you please clarify that, if the hubCAEnvKey is not set, the caData will be empty, it will use the OS's root CA?

Have you manually tested the agent using OS's root CA to talk to hub api server?

[mingqishao]

could you please clarify that, if the hubCAEnvKey is not set, the caData will be empty, it will use the OS's root CA?
Yes. that is the purpose of this PR.

Have you manually tested the agent using OS's root CA to talk to hub api server?
Yes, I did. I tested it manually.