Description
I experienced a problem using discovery in consul-k8s, when AWS returns the IPs of the server nodes - connections were not trusted and it was very involved to work out why (fortunately HashiCorp support helped very quickly to resolve it - I would never have sorted it myself).
The issue is that there is no way to configure things so it will accept any valid certificate - you either specify an explicit hostname, or set it to not verify anything at all. Specifically, this means there is no way for TLS trust to be established based on the IP SANs that are in the certificate.
A suggested improvement is, if no server name is specified but secure TLS is required, then use the hostname being used to initiate the connection as the hostname to validate. Thus, in the case where that hostname is an IP address, the current logic would correctly look at the IP SANs and allow the connection to proceed.
Full details: hashicorp/consul-k8s#1742
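The behaviour described in this issue, shown as an added Go example that is not part of the consul-k8s or go-discover code: a self-signed server certificate (constructed test data) carries only an IP SAN, and `serverNameForDial` is a hypothetical helper implementing the suggested fallback from an empty configured server name to the dialled host. `verifyChain` runs the same chain-building and hostname check that `crypto/tls` applies when `InsecureSkipVerify` is unset, so it shows that an IP literal as the server name matches the IP SAN, while an empty name (no verification target) or the bare CN does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverNameForDial is a hypothetical helper implementing the improvement the
// issue suggests: with no explicit server name configured, verify against the
// host the client is dialling. When that host is an IP literal, Go's hostname
// check consults the certificate's IP SANs instead of its DNS names.
func serverNameForDial(configured, dialAddr string) string {
	if configured != "" {
		return configured
	}
	host, _, err := net.SplitHostPort(dialAddr)
	if err != nil {
		return dialAddr // no port present; the whole string is the host
	}
	return host
}

// newServerCert builds a self-signed server certificate (constructed test
// data) whose only identity is an IP SAN, as a cert issued for a cloud node's
// address might be. The CN is deliberately not repeated as a DNS SAN.
func newServerCert(ipLiteral string) (*x509.Certificate, error) {
	ip := net.ParseIP(ipLiteral)
	if ip == nil {
		return nil, fmt.Errorf("not an IP literal: %q", ipLiteral)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selfSignedRoots returns a pool trusting the self-signed cert as its own anchor.
func selfSignedRoots(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// verifyChain performs the checks a crypto/tls client does with
// InsecureSkipVerify unset: chain building against the roots plus the
// hostname / IP SAN match. It returns nil when the connection would be trusted.
func verifyChain(cert *x509.Certificate, roots *x509.CertPool, serverName string) error {
	if serverName == "" {
		// crypto/tls rejects a client config with neither ServerName nor
		// InsecureSkipVerify; mirror that instead of silently skipping the check.
		return fmt.Errorf("tls: either ServerName or InsecureSkipVerify must be specified")
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	cert, err := newServerCert("10.0.0.5")
	if err != nil {
		panic(err)
	}
	roots := selfSignedRoots(cert)
	for _, configured := range []string{"", "server"} {
		name := serverNameForDial(configured, "10.0.0.5:8501")
		fmt.Printf("configured=%q -> verify as %q: %v\n", configured, name, verifyChain(cert, roots, name))
	}
}
```

Only the first iteration verifies cleanly: the dialled IP `10.0.0.5` is matched against the IP SAN, whereas the CN `server` is not a SAN and fails the hostname check, which is the gap the issue describes when no server name can be derived.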