feat!: generate a self-signed certificate if no certificates are specified (#5973)

* feat: generate a self-signed certificate if no certificates are specified

Clouds like AWS automatically navigate to https://<ip-here>. This
allows us to bind to that immediately, serve a self-signed certificate,
then reroute to the access URL.

* Add new flag and deprecate old one

* Fix redirect if not using tunnel

* Add deprecation notice

* Fix TLS redirect

* Run `make gen`

* Fix bad test

* Fix gen

cli/server_test.go

@@ -290,11 +290,6 @@ func TestServer(t *testing.T) {
 			args        []string
 			errContains string
 		}{
-			{
-				name:        "NoCertAndKey",
-				args:        []string{"--tls-enable"},
-				errContains: "--tls-cert-file is required when tls is enabled",
-			},
 			{
 				name:        "NoCert",
 				args:        []string{"--tls-enable", "--tls-key-file", key1Path},
@@ -373,6 +368,7 @@ func TestServer(t *testing.T) {
 				},
 			},
 		}
+		defer client.HTTPClient.CloseIdleConnections()
 		_, err := client.HasFirstUser(ctx)
 		require.NoError(t, err)
 
@@ -527,6 +523,7 @@ func TestServer(t *testing.T) {
 				},
 			},
 		}
+		defer client.HTTPClient.CloseIdleConnections()
 		_, err = client.HasFirstUser(ctx)
 		require.NoError(t, err)
 
@@ -541,6 +538,7 @@ func TestServer(t *testing.T) {
 			name         string
 			httpListener bool
 			tlsListener  bool
+			redirect     bool
 			accessURL    string
 			// Empty string means no redirect.
 			expectRedirect string
@@ -549,9 +547,17 @@ func TestServer(t *testing.T) {
 				name:           "OK",
 				httpListener:   true,
 				tlsListener:    true,
+				redirect:       true,
 				accessURL:      "https://example.com",
 				expectRedirect: "https://example.com",
 			},
+			{
+				name:           "NoRedirect",
+				httpListener:   true,
+				tlsListener:    true,
+				accessURL:      "https://example.com",
+				expectRedirect: "",
+			},
 			{
 				name:           "NoTLSListener",
 				httpListener:   true,
@@ -600,6 +606,9 @@ func TestServer(t *testing.T) {
 				if c.accessURL != "" {
 					flags = append(flags, "--access-url", c.accessURL)
 				}
+				if c.redirect {
+					flags = append(flags, "--redirect-to-access-url")
+				}
 
 				root, _ := clitest.New(t, flags...)
 				pty := ptytest.New(t)
@@ -652,20 +661,23 @@ func TestServer(t *testing.T) {
 
 				// Verify TLS
 				if c.tlsListener {
-					tlsURL, err := url.Parse(tlsAddr)
+					accessURLParsed, err := url.Parse(c.accessURL)
 					require.NoError(t, err)
-					client := codersdk.New(tlsURL)
+					client := codersdk.New(accessURLParsed)
 					client.HTTPClient = &http.Client{
 						CheckRedirect: func(req *http.Request, via []*http.Request) error {
 							return http.ErrUseLastResponse
 						},
 						Transport: &http.Transport{
-							TLSClientConfig: &tls.Config{
-								//nolint:gosec
-								InsecureSkipVerify: true,
+							DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+								return tls.Dial(network, strings.TrimPrefix(tlsAddr, "https://"), &tls.Config{
+									// nolint:gosec
+									InsecureSkipVerify: true,
+								})
 							},
 						},
 					}
+					defer client.HTTPClient.CloseIdleConnections()
 					_, err = client.HasFirstUser(ctx)
 					require.NoError(t, err)
 
@@ -837,6 +849,7 @@ func TestServer(t *testing.T) {
 					},
 				},
 			}
+			defer client.HTTPClient.CloseIdleConnections()
 			_, err := client.HasFirstUser(ctx)
 			require.NoError(t, err)