Use the standard GetConfigForClient in sshGRPCServer #37093
espadolini merged 4 commits into master from
Conversation
zmb3 left a comment:
I'm on the fence about the testing changes. They seem both complicated and brittle.
In this case I would be okay with merging without the tests since you've demonstrated already that the fix is good.
    )

    //go:linkname x509_systemRootsMu crypto/x509.systemRootsMu
    //go:linkname x509_systemRoots crypto/x509.systemRoots
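Review bot: these two //go:linkname directives reach into the unexported crypto/x509.systemRoots and crypto/x509.systemRootsMu variables, which are not a supported API and can change or stop linking with any Go release, and because they sit in a non-test file they would be compiled into production builds as well as tests. Suggest confining the system-pool override to test-only code and preferring a supported switch (the GODEBUG setting x509usefallbackroots=1 discussed in this thread) over linkname.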
Can we at least do this in a _test.go file to be sure it doesn't ever affect a production build?
The issue with that is that other packages' test files don't exist when building tests.
Should I move this back to tools/tsh/common/proxy_test.go for now?
I figured out that with //go:debug x509usefallbackroots=1 (which is far more supported) we get to replace the system cert pool without using linkname hacks or changing all the test running environments to add the matching GODEBUG envvar (b986a46)
The "SSH gRPC" service currently only trusts the host and user CAs for the local cluster; it should, however, since it's necessary for the tsh ProxyJump functionality (tsh ssh -J addr-of-leaf-proxy user@host ...). This PR changes the TLS config for the service to use the same GetConfigForClient used by most other servers, which will load user CAs on demand.

The changes to the test make it fail without the fix (in the "ssh jump host access" subtest) and succeed with; however, this PR introduces some minor go:debug hackery (in test code) to extend the system cert pool.
Fixes #36964
changelog: Fixed incompatibility between leaf clusters and ProxyJump
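The system-cert-pool replacement that the review thread and the description above rely on (x509usefallbackroots=1 plus x509.SetFallbackRoots instead of linkname), as an added stand-alone example that is not Teleport's code: since a //go:debug directive is only honoured in main packages and test files, this example sets the same GODEBUG value at runtime before installing the pool; the constructed CA, the hostname leaf.example.test and the helper names are assumptions of the example.

```go
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"os"
	"sync"
	"time"
)
var installOnce sync.Once // x509.SetFallbackRoots may be called only once per process

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// installTestCA makes ca the only root of the process-wide "system" pool. SetFallbackRoots only overrides
// a populated system pool when GODEBUG has x509usefallbackroots=1 (the PR's //go:debug switch); the runtime re-reads GODEBUG on os.Setenv.
func installTestCA(ca *x509.Certificate) {
	installOnce.Do(func() {
		os.Setenv("GODEBUG", "x509usefallbackroots=1")
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		x509.SetFallbackRoots(pool)
	})
}

// newTestCAAndLeaf builds a constructed CA (a stand-in for a leaf cluster CA) and a server leaf it signed.
func newTestCAAndLeaf() (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"leaf.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// trustedBySystemRoots leaves Roots nil, so Verify consults the system pool exactly like a client that was never handed a custom pool.
func trustedBySystemRoots(leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "leaf.example.test"})
	return err == nil
}
```

Because the override is process-wide and one-shot, keep it behind a sync.Once in a shared test helper rather than calling SetFallbackRoots from individual tests.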