ING-662: Add support for client cert authentication

[Westwooo]

No description provided.

[chvck]

Does cert auth actually require TLS enabled? This seems like it should be below where the username and password check is. Should probably also error if certificate and username/password are both set. We're still at 0.x version so we could actually introduce an Authenticator type and remove username/password and certificate - which prevents both from being set.

[Westwooo]

Does cert auth actually require TLS enabled?
Yes because it's during the TLS handshake that the client and server exchange the certs.

Should probably also error if certificate and username/password are both set
When connecting to the cluster it's impossible to define a passwordAuthenticator and a certificateAuthenticator so unless there will be other users of gocbcoreps isn't another check for this redundant?

[chvck]

When connecting to the cluster it's impossible to define a passwordAuthenticator and a certificateAuthenticator so unless there will be other users of gocbcoreps isn't another check for this redundant?

It's entirely possible that there will be in the future.

[chvck]

At the moment if the user specifies a Certificate and no TLS options then they're possibly going to get some weird errors because we just won't set any authentication at all. That should probably also be an error case. We might also want to think about adding a invalid args error type so that callers can detect that.

I also wonder if we should simplify this by just not accepting Certificate, RootCAs and InsecureSkipVerify. Instead just accepting a tls.Config.

[Westwooo]

Good point, I've changed it so that the cert is always added to the TLS creds, so that a client cert being passed with no TLS options will work if the user has added their CA cert to their system pool.