feat: use SSH host certificates

[miampf]

Context

Currently, if you use the emergency SSH access, you have to manually validate each nodes host key (TOFU). This PR fixes that by introducing host certificates.

Proposed change(s)

• Each node gets a host certificate that is used to verify it's authenticity

Additional info

• For some reason, wildcards as a principal do not work which means that if you try to connect using the load balancers host name, verification would fail. However, connecting with the LBs public IP is not a problem so this is recommended in the documentation.

Checklist

• Run the E2E tests that are relevant to this PR's changes
• Update docs
• Add labels (e.g., for changelog category)
• Is PR title adequate for changelog?
• Link to Milestone

[netlify]

✅ Deploy Preview for constellation-docs ready!

Name	Link
🔨 Latest commit	8b17992
🔍 Latest deploy log	https://app.netlify.com/projects/constellation-docs/deploys/6863b0b76e2b950008ea084e
😎 Deploy Preview	https://deploy-preview-3786--constellation-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[msanft]

Mostly LGTM!

[daniel-weisse]

Do these certificates work across node reboots?

[miampf]

Do these certificates work across node reboots?

As long as the master key doesn't change they should, but I'll test this just to be sure

[daniel-weisse]

looks good to me if tests pass

[miampf]

Successful emergency ssh e2e test run

[github-actions]

Coverage report

Package	Old	New	Trend
bootstrapper/internal/addresses	0.00%	80.00%	🆕
bootstrapper/internal/initserver	67.90%	76.10%	↗️
bootstrapper/internal/joinclient	86.50%	82.50%	↘️
cli/internal/cmd	57.80%	57.80%	↔️
internal/constants	0.00%	0.00%	🚧
internal/crypto	73.30%	64.70%	↘️
joinservice/cmd	0.00%	0.00%	🚧
joinservice/internal/server	78.20%	79.20%	↗️
joinservice/joinproto	0.00%	0.00%	🚧