cmd/derper: add GCP Certificate Manager support (#18161)

Add --certmode=gcp for using Google Cloud Certificate Manager's
public CA instead of Let's Encrypt. GCP requires External Account
Binding (EAB) credentials for ACME registration, so this adds
--acme-eab-kid and --acme-eab-key flags.

The EAB key accepts both base64url and standard base64 encoding
to support both ACME spec format and gcloud output.

Fixes tailscale/corp#34881

Signed-off-by: Raj Singh <raj@tailscale.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>

cmd/derper/cert_test.go

@@ -91,7 +91,7 @@ func TestCertIP(t *testing.T) {
 		t.Fatalf("Error closing key.pem: %v", err)
 	}
 
-	cp, err := certProviderByCertMode("manual", dir, hostname)
+	cp, err := certProviderByCertMode("manual", dir, hostname, "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -169,3 +169,37 @@ func TestPinnedCertRawIP(t *testing.T) {
 	}
 	defer connClose.Close()
 }
+
+func TestGCPCertMode(t *testing.T) {
+	dir := t.TempDir()
+
+	// Missing EAB credentials
+	_, err := certProviderByCertMode("gcp", dir, "test.example.com", "", "")
+	if err == nil {
+		t.Fatal("expected error when EAB credentials are missing")
+	}
+
+	// Invalid base64
+	_, err = certProviderByCertMode("gcp", dir, "test.example.com", "kid", "not-valid!")
+	if err == nil {
+		t.Fatal("expected error for invalid base64")
+	}
+
+	// Valid base64url (no padding)
+	cp, err := certProviderByCertMode("gcp", dir, "test.example.com", "kid", "dGVzdC1rZXk")
+	if err != nil {
+		t.Fatalf("base64url: %v", err)
+	}
+	if cp == nil {
+		t.Fatal("base64url: nil certProvider")
+	}
+
+	// Valid standard base64 (with padding, gcloud format)
+	cp, err = certProviderByCertMode("gcp", dir, "test.example.com", "kid", "dGVzdC1rZXk=")
+	if err != nil {
+		t.Fatalf("base64: %v", err)
+	}
+	if cp == nil {
+		t.Fatal("base64: nil certProvider")
+	}
+}