Move supervisor API request handlers into dedicated package and add unit tests

[brandond]

Proposed Changes

• Properly handle creation of new etcd cluster containing only the current node
  Handles a corner case revealed by testing supervisor APIs
• Reorganize supervisor APIs used by joining nodes
  Moves request handlers and bootstrap password validation code out of the server package into dedicated packages.
• Misc cleanup / removal of unused fields.
• Allow clients to generate their own keys, instead of requiring them to use key generated by the server
  Improves overall security posture by no longer reusing private keys for agent certificates across multiple nodes in the cluster. Both agent and server contain backwards-compatibility code to allow interop with other version that do not support certificate signing requests when acquiring agent certs.
  After upgrading, existing nodes can be re-keyed to use unique keys by deleting their existing certs and keys from disk or running k3s certificate rotate, and restarting the node.
  This also removes the requirement to rotate certs on servers before agents, since they no longer reuse certs+keys pre-generated by the server. Agent certs will in fact be renewed (with the same key) on every startup. Rotation will work as it currently does, where the keys are removed to force creation of new keys and certs.
• Collect mocks from various tests into tests/mock package for reuse
• Add extensive tests for supervisor API request handlers

Types of Changes

tech debt / enhancement

Verification

• Verify that node joins work as before
• Verify that agents do not share private keys (/var/lib/rancher/k3s/agent/*.key)

Testing

Yes

Linked Issues

• Improve test coverage of supervisor HTTP API #11477

User-Facing Change

Further Comments

[codecov]

Codecov Report

Attention: Patch coverage is 61.37841% with 297 lines in your changes missing coverage. Please review.

Project coverage is 45.03%. Comparing base (68fbd1a) to head (eb8144a).

Files with missing lines	Patch %	Lines
pkg/server/handlers/handlers.go	74.21%	49 Missing and 17 partials ⚠️
pkg/server/handlers/secrets-encrypt.go	7.81%	59 Missing ⚠️
pkg/agent/config/config.go	38.02%	25 Missing and 19 partials ⚠️
pkg/nodepassword/validate.go	67.69%	34 Missing and 8 partials ⚠️
tests/mock/core.go	68.99%	34 Missing and 6 partials ⚠️
pkg/server/handlers/cert.go	5.26%	18 Missing ⚠️
pkg/server/handlers/token.go	20.00%	14 Missing and 2 partials ⚠️
pkg/etcd/etcd.go	54.54%	3 Missing and 2 partials ⚠️
pkg/cli/secretsencrypt/secrets_encrypt.go	71.42%	2 Missing ⚠️
pkg/daemons/control/deps/deps.go	0.00%	0 Missing and 2 partials ⚠️
... and 2 more

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11471      +/-   ##
==========================================
- Coverage   48.44%   45.03%   -3.41%     
==========================================
  Files         181      184       +3     
  Lines       18809    18996     +187     
==========================================
- Hits         9112     8555     -557     
- Misses       8348     9225     +877     
+ Partials     1349     1216     -133     

Flag	Coverage Δ
e2etests	35.78% <48.73%> (-7.63%)	⬇️
inttests	35.07% <47.31%> (+0.02%)	⬆️
unittests	17.05% <47.85%> (+2.79%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[brandond]

Moving to draft for addition of tests

[manuelbuil]

I think this is a big security improvement (and testing!)

[manuelbuil]

I'm curious: How is this {program} var populated?

[brandond]

In this format it is just a placeholder for mux to match the request path. It is used as a var in the request handlers and must match the program name for RBAC purposes.