This repository was archived by the owner on Sep 30, 2024. It is now read-only.

all: support certificates in tls.external #8092

Merged
keegancsmith merged 5 commits into master from core/tls-external-rootcas on Jan 29, 2020

Conversation

@keegancsmith

Member

Extended the experimental tls.external site setting to include a list of
certificates. When set, repo-updater will add the certificates to the HTTP
client's RootCAs. This feature works on top of any certificates added to an
individual external service configuration. Additionally, these certificates are
also set for remote git commands.

This was tested by running a local HTTPS proxy to GitHub.com. I ensured both
API requests and git requests only worked when the relevant tls.external
setting was configured.

Note: AWS CodeCommit still does not support this setting. However, I don't expect AWS CodeCommit to be self-hosted, so this should be fine.

Fixes #71
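The description above states two things the setting does: the configured certificates are appended to the HTTP client's RootCAs, and the same certificates are handed to remote git commands. The Go program below is an added example to make that concrete; it is not code from this PR or from the Sourcegraph repository. It assumes only the tls.external JSON shape shown later in the thread (insecureSkipVerify and certificates); the names TLSExternal, RootCAs, HTTPClient, GitEnv and SelfSignedPEM are mine, and the git side uses GIT_SSL_CAINFO / GIT_SSL_NO_VERIFY, which is one way to pass the roots to git and not necessarily how the PR's gitserver change does it. It goes slightly beyond the description in one respect: a certificates entry that is not valid PEM is rejected when the pool is built rather than being dropped silently.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// TLSExternal mirrors the tls.external JSON shown in the PR thread; the field
// names come from that snippet, the type and method names are assumptions.
type TLSExternal struct {
	InsecureSkipVerify bool     `json:"insecureSkipVerify"`
	Certificates       []string `json:"certificates"` // PEM-encoded CA certificates
}

// RootCAs returns the system roots extended with every configured certificate.
// A PEM entry that does not parse is an error, not a silent skip: otherwise a
// badly pasted cert would only surface later as an opaque handshake failure.
func (c *TLSExternal) RootCAs() (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store available: start empty
	}
	for i, p := range c.Certificates {
		if !pool.AppendCertsFromPEM([]byte(p)) {
			return nil, fmt.Errorf("tls.external.certificates[%d]: no valid PEM certificate", i)
		}
	}
	return pool, nil
}

// HTTPClient builds a client whose transport trusts the extended root set.
func (c *TLSExternal) HTTPClient() (*http.Client, error) {
	pool, err := c.RootCAs()
	if err != nil {
		return nil, err
	}
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{RootCAs: pool, InsecureSkipVerify: c.InsecureSkipVerify}
	return &http.Client{Transport: tr}, nil
}

// GitEnv writes the certificates to a bundle under dir and returns the env vars
// remote git commands need. GIT_SSL_CAINFO replaces git's default bundle rather
// than extending it, so a bundle used against public hosts needs system roots too.
func (c *TLSExternal) GitEnv(dir string) ([]string, error) {
	var env []string
	if c.InsecureSkipVerify {
		env = append(env, "GIT_SSL_NO_VERIFY=true")
	}
	if len(c.Certificates) > 0 {
		bundle := filepath.Join(dir, "tls-external-ca.pem")
		if err := os.WriteFile(bundle, []byte(strings.Join(c.Certificates, "\n")+"\n"), 0o600); err != nil {
			return nil, err
		}
		env = append(env, "GIT_SSL_CAINFO="+bundle)
	}
	return env, nil
}

// SelfSignedPEM makes a throwaway self-signed cert for host, the in-process
// equivalent of the openssl commands in the testing notes (constructed input).
func SelfSignedPEM(host string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:        true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	pemCert, err := SelfSignedPEM("proxy.local") // constructed stand-in for server.crt
	if err != nil {
		panic(err)
	}
	cfg := &TLSExternal{Certificates: []string{pemCert}}
	_, err = cfg.HTTPClient()
	fmt.Println("client built, err:", err)
}
```

Two points worth keeping in mind when reading this against the setting: insecureSkipVerify turns off certificate validation entirely for every external host, so the certificates list is the option to reach for when the goal is trusting an internal CA; and because git's CA file option replaces the default bundle, the bundle handed to git must contain the public roots as well if the same instance also clones from public hosts.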

@keegancsmith keegancsmith requested a review from a team January 28, 2020 18:33
@keegancsmith

Member Author

I did lots of manual testing. Will think about how to test this in an automatic way (it can be modified to be a go test, but is quite a lot of work for an unknown value). Here are my detailed notes on testing:

Generated a key and certificate

openssl genrsa -out server.key 2048
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

Ran a proxy to github.com with it

package main

import (
    "log"
    "net/http"
    "net/http/httputil"
    "net/url"
    "strings"
)

func main() {
    u, err := url.Parse("https://api.github.com")
    if err != nil {
        log.Fatal(err)
    }
    // Start from the stock single-host director and adjust the rewritten request.
    urlDirector := httputil.NewSingleHostReverseProxy(u).Director
    director := func(req *http.Request) {
        orig := req.URL.String()
        urlDirector(req)
        if strings.HasPrefix(req.URL.Path, "/api/") {
            // API calls arrive under /api/v3/ and are forwarded to api.github.com.
            req.URL.Path = strings.TrimPrefix(req.URL.Path, "/api")
            req.URL.Path = strings.TrimPrefix(req.URL.Path, "/v3")
        } else {
            // Everything else (git over HTTPS) goes to github.com.
            req.URL.Host = "github.com"
        }
        req.Host = req.URL.Host
        log.Println(orig, "->", req.URL)
    }
    // Serve with the self-signed key and certificate generated above.
    err = http.ListenAndServeTLS(":443", "server.crt", "server.key", &httputil.ReverseProxy{
        Director: director,
    })
    if err != nil {
        log.Fatal("ListenAndServe: ", err)
    }
}

Then configured a GitHub external service pointing to my localhost. Everything
failed, but then I tested with various tls.external settings:

"tls.external": {
    "insecureSkipVerify": true,
    "certificates": ["CERTHERE"]
}

Command line snippet to JSONify cert:

echo '{}' | jq --arg val "$(cat test/server.crt)" '$val' | pbcopy

Additionally, I had to modify the GitHub external service to use the baseURL
instead of the clone URL returned from the API:

diff --git a/cmd/repo-updater/repos/github.go b/cmd/repo-updater/repos/github.go
index fb5839966b..94d4284c84 100644
--- a/cmd/repo-updater/repos/github.go
+++ b/cmd/repo-updater/repos/github.go
@@ -305,6 +305,7 @@ func (s *GithubSource) authenticatedRemoteURL(repo *github.Repository) string {
        return repo.URL
    }
    u.User = url.User(s.config.Token)
+	u.Host = s.originalHostname
    return u.String()
 }
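Review bot: the early `return repo.URL` in the hunk's leading context still hands back the clone URL exactly as the API supplied it, so the new `u.Host = s.originalHostname` override is skipped on that path; if this diff is meant to be more than a local test aid, consider applying the same host override there and adding a comment on the new line explaining why the clone host is forced to the configured base URL host rather than the host the API returns, since nothing in the hunk records that intent.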


Development

Successfully merging this pull request may close these issues.

Support internal CA or self-signed TLS certificates for all external communication