Ensure that TLS migration works in a WAN environment #3075

Closed
slackpad opened this issue May 25, 2017 · 2 comments
Labels
theme/operator-usability Replaces UX. Anything related to making things easier for the practitioner

Comments

@slackpad
Contributor

While integrating the latest oss/master into Consul Enterprise I realized that since we don't have the same "use TLS" flag in the WAN Serf tags, we have some remaining work to do in order to get live TLS upshift working for federated Consul clusters. The logic should be the same, I think we just need to add the plumbing.

On the Consul Enterprise side we also need to resolve this as it also has a site that does a dial. Here's the temporary patch that needs to be resolved:

diff --git a/consul/gossip_endpoint.go b/consul/gossip_endpoint.go
index 47f60f2d..efb94ebc 100644
--- a/consul/gossip_endpoint.go
+++ b/consul/gossip_endpoint.go
@@ -25,7 +25,11 @@ func (g *GossipDialer) DialTimeout(datacenter string, addr string, timeout time.
 		return nil, fmt.Errorf("failed to resolve %q: %v", addr, err)
 	}
 
-	conn, _, err := g.pool.DialTimeout(datacenter, target, timeout)
+	// TODO (slackpad) - Set this to false when merging, but we should
+	// improve the TLS support for network areas to make sure that we can
+	// transition these without a down time as well.
+	const useTLS = false
+	conn, _, err := g.pool.DialTimeout(datacenter, target, timeout, useTLS)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to %q: %v", addr, err)
 	}
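Review bot: `const useTLS = false` silently forces every network-area dial to plaintext, regardless of the agent's own TLS settings, and nothing in the hunk ties that constant back to configuration, so a merge that forgets the TODO leaves area RPC permanently unencrypted even on clusters that already have TLS everywhere. Since `g.pool.DialTimeout` now takes a `useTLS` argument, derive it from the dialing agent's outgoing-TLS configuration (the `verify_outgoing` dependency the follow-up comment describes) rather than a literal, and have the TODO name the tracking issue so the upshift gap for areas is not lost at merge time.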
@slackpad slackpad added the theme/operator-usability Replaces UX. Anything related to making things easier for the practitioner label May 25, 2017
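The thread's point is that the per-peer "use TLS" decision for WAN should follow the same shape as LAN: each server gossips whether it can take TLS, and the dialer decides per connection rather than via a hard-coded constant. The following Go sketch is an added example, not Consul's code; the `use_tls` and `dc` tag names, the `ShouldUseTLS` rule (TLS only when the local agent wants outgoing TLS and the peer advertises it) and all type names are assumptions chosen to illustrate the logic, and the peer tags are constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
)

// ServerMeta is a hypothetical stand-in for the per-peer metadata an agent
// derives from the Serf tags a server gossips (LAN or WAN pool alike).
type ServerMeta struct {
	Name       string
	Datacenter string
	UseTLS     bool // peer advertises that its RPC listener accepts TLS
}

// ParseServerMeta builds ServerMeta from raw Serf tags. The "dc" and
// "use_tls" tag names are assumptions for this example; a peer that does not
// gossip a "use_tls" tag is treated as plaintext-only, the safe default for a
// server that has not been upgraded yet.
func ParseServerMeta(name string, tags map[string]string) ServerMeta {
	useTLS, err := strconv.ParseBool(tags["use_tls"])
	if err != nil {
		useTLS = false // missing or malformed tag: assume no TLS support
	}
	return ServerMeta{Name: name, Datacenter: tags["dc"], UseTLS: useTLS}
}

// LocalTLS models the dialing agent's own outgoing TLS setting
// (verify_outgoing in Consul terms).
type LocalTLS struct {
	VerifyOutgoing bool
}

// ShouldUseTLS is the per-dial decision that the patch in the issue replaces
// with a constant. Assumed rule for this example: wrap the connection in TLS
// only when the local agent wants outgoing TLS AND the peer has said it can
// accept it. Either side missing means plaintext, so a half-upgraded cluster
// keeps talking instead of failing handshakes.
func ShouldUseTLS(local LocalTLS, peer ServerMeta) bool {
	return local.VerifyOutgoing && peer.UseTLS
}

// DialPlan reports, per peer name, whether a dial from this agent would use
// TLS. It stands in for the loop a pool or dialer runs over known servers.
func DialPlan(local LocalTLS, peers []ServerMeta) map[string]bool {
	plan := make(map[string]bool, len(peers))
	for _, p := range peers {
		plan[p.Name] = ShouldUseTLS(local, p)
	}
	return plan
}

// SafeToRequireIncomingTLS is the operator check before the last step of an
// upshift (requiring TLS on incoming connections): every peer must already
// advertise TLS, otherwise the stragglers would be cut off.
func SafeToRequireIncomingTLS(peers []ServerMeta) (bool, []string) {
	var stragglers []string
	for _, p := range peers {
		if !p.UseTLS {
			stragglers = append(stragglers, p.Name)
		}
	}
	return len(stragglers) == 0, stragglers
}

func main() {
	// Constructed sample tags for three WAN peers in the middle of a migration.
	peers := []ServerMeta{
		ParseServerMeta("dc1-server-1", map[string]string{"dc": "dc1", "use_tls": "1"}),
		ParseServerMeta("dc2-server-1", map[string]string{"dc": "dc2", "use_tls": "1"}),
		ParseServerMeta("dc3-server-1", map[string]string{"dc": "dc3"}), // not upgraded yet
	}
	local := LocalTLS{VerifyOutgoing: true}
	for name, tls := range DialPlan(local, peers) {
		fmt.Printf("%-13s tls=%v\n", name, tls)
	}
	ok, left := SafeToRequireIncomingTLS(peers)
	fmt.Printf("safe to require incoming TLS: %v (waiting on %v)\n", ok, left)
}
```

The two helpers separate the two halves of a downtime-free migration: `DialPlan` shows that flipping the local outgoing setting upgrades connections peer by peer as each one starts advertising TLS, and `SafeToRequireIncomingTLS` is the check to run before the irreversible step, which in a federated setup has to include the WAN peers in other datacenters, not just the local LAN.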
@slackpad
Contributor Author

slackpad commented Jun 9, 2017

@kyhavlov confirmed that WAN uses the same setup as LAN, so this will work fine in OSS. Consul Enterprise was updated to address the TODO and make TLS depend on verify_outgoing, which fixes TLS in the non-upshift case, so kicking this forward to take a look at making network areas support TLS upshift in the next release of Consul Enterprise.

@kyhavlov
Contributor

Closed with #3274
