read minisign passphrase from a file

proxy: fix invalid check to enable authentication

This commit fixes a bug in the server initialization
w.r.t. requiring TLS certificate verification of TLS proxies.

Currently, the certificate of the TLS proxy is not validated
by default / when `--auth` is not set to `off`.

However, this has no direct security impact since a TLS proxy
has to be explicitly configured and its public key has to be pinned.

This commit fixes this by always enabling TLS certificate validation
for TLS proxies unless `--auth=off` has been specified.

rename the KES client env. variables for the client key and cert

This commit renames the client env. variables used to specify
the client certificate and private key.

Before, the CLI client expected:
```
export KES_CLIENT_TLS_CERT_FILE=<cert>
export KES_CLIENT_TLS_KEY_FILE=<key>
```

Now, the CLI client expects:
```
export KES_CLIENT_CERT=<cert>
export KES_CLIENT_KEY=<key>
```

The reason for this change is that the previous env. variables
are quite verbose and look odd compared to the `KES_SERVER`
variable.

The new variables are more compact and don't require boilerplate
typing.

It has been considered to have a fallback - like if `KES_CLIENT_CERT`
is not present look for `KES_CLIENT_TLS_CERT_FILE`. However, it
seems worse to have a deprecated fallback that gets removed at some
point in time. A clean cut seems better here.

add support for config file identity templates

This commit adds support for config file templates such
that an identity in the config file can be overwritten by
a config file:

```yaml
root: ${ROOT_ID}

policy:
  my-policy:
    paths:
    - /v1/key/create/my-key
    identities:
    - 6d56ee07446b7f11ad3b52d3cfd90942ad636c01288d3652a29fa0647919a3b2
    - ${MY_APP_ID}
```

The above config snippet would compile to an actual config where
the root identity would be replaced by the $ROOT_ID env. variable.
Similarly, there would be two identities assigned to the `my-policy`
policy:
 - 6d56ee07446b7f11ad3b52d3cfd90942ad636c01288d3652a29fa0647919a3b2
 - The value of $MY_APP_ID

This templating approach has some adv. compared to allowing overwriting
arbitrary config file entries:
 - A user/admin providing the config file can control what can be
   customized by an executing system (K8S). The user/admin still
   specifies how the general setup should look like.
 - Only certain aspects of the config are "dynamic" - e.g. identities.
   Whether e.g. audit logging to STDOUT is enabled should not really
   be configured via an env. variable.

Add private key and certificate of root identity

This commit adds the TLS private key and (self-signed) certificate of the root identity
for our play service.

remove the restriction of only supporting HTTP/2

This commit allows clients to connect to the KES server
via any HTTP protocol (again). This commit basically reverts
b74bb38.

The reason for restriction to HTTP/2-only was the potential
addition of stream APIs for encryption and decryption.
However, nginx does not support HTTP/2 for backend connections.
See: https://trac.nginx.org/nginx/ticket/923

Therefore, it would not be possible to run a KES server behind
a nginx proxy since the nginx would not be able to connect to
KES.

Further, this commit fixes 3 typos in the reference config file.

remove TOML representation of policies

This commit removes the TOML marshaling/unmarshaling
of policies. Now, a policy can only be marshaled
as JSON.

This commit finally removes the TOML dependency.

build a versioned KES binary in docker container

This commit uses the `release` command added by
08be13b to build a binary with release information
when building the docker image.

This can be verified by running:
```
docker build - < Dockerfile
```
and then
```
docker run <container-id> -v
```

add release cmd to build versioned binaries with docker

This commit adds a release command that fetches release
information (i.e. versions) about the `github.com/minio/kes`
module from a Go proxy.

With this command it is possible to add release information
to the KES binary during compilation - without any extra
dependencies (e.g. curl and jq).

The general idea is to first install the release command
via `go install github.com/minio/kes/cmd/release` and then
run:
```
go install -ldflags "-s -w -X main.version=$(release)" github.com/minio/kes/cmd/kes
```

This commit does not update the Dockerfile since we have to
release this change first such that
`go install github.com/minio/kes/cmd/release` succeeds.

aws-kms: honor error log configuration

This commit fixes a bug when initializing AWS-KMS.
Before, the error log was not passed to the AWS-KMS
client such that if the client would log a error message
it would always be written to the STDOUT/STDERR - regardless
what was specified in the config file.

However, this bug does not affect any (official) release
because it has been introduced by 817a824.