[SVLS-7934] feat: Support TLS certificate for trace/stats flusher (#961)

## Problem
A customer reported that their Lambda is behind a proxy, and the
Rust-based extension can't send traces to Datadog via the proxy, while
the previous go-based extension worked.

## This PR
Supports the env var `DD_TLS_CERT_FILE`: The path to a file of
concatenated CA certificates in PEM format.
Example: `DD_TLS_CERT_FILE=/opt/ca-cert.pem`, so the when the extension
flushes traces/stats to Datadog, the HTTP client created can load and
use this cert, and connect the proxy properly.

## Testing
### Steps
1. Create a Lambda in a VPC with an NGINX proxy.
2. Add a layer to the Lambda, which includes the CA certificate
`ca-cert.pem`
3. Set env vars:
    - `DD_TLS_CERT_FILE=/opt/ca-cert.pem`
- `DD_PROXY_HTTPS=http://10.0.0.30:3128`, where `10.0.0.30` is the
private IP of the proxy EC2 instance
    - `DD_LOG_LEVEL=debug`
4. Update routing rules of security groups so the Lambda can reach
`http://10.0.0.30:3128`
5. Invoke the Lambda
### Result
**Before**
Trace flush failed with error logs:
> DD_EXTENSION | ERROR | Max retries exceeded, returning request error
error=Network error: client error (Connect) attempts=1
DD_EXTENSION | ERROR | TRACES | Request failed: No requests sent

**After**
Trace flush is successful:
> DD_EXTENSION | DEBUG | TRACES | Flushing 1 traces
DD_EXTENSION | DEBUG | TRACES | Added root certificate from
/opt/ca-cert.pem
DD_EXTENSION | DEBUG | TRACES | Proxy connector created with proxy:
Some("http://10.0.0.30:3128")
DD_EXTENSION | DEBUG | Sending with retry
url=https://trace.agent.datadoghq.com/api/v0.2/traces payload_size=1120
max_retries=1
DD_EXTENSION | DEBUG | Received response status=202 Accepted attempt=1
DD_EXTENSION | DEBUG | Request succeeded status=202 Accepted attempts=1
DD_EXTENSION | DEBUG | TRACES | Flushing took 1609 ms

## Notes
This fix only covers trace flusher and stats flusher, which use
`ServerlessTraceFlusher::get_http_client()` to create the HTTP client.
It doesn't cover logs flusher and proxy flusher, which use a different
function (http.rs:get_client()) to create the HTTP client. However, logs
flushing was successful in my tests, even if no certificate was added.
We can come back to logs/proxy flusher if someone reports an error.

Author: lym953

env.rs

@@ -75,6 +75,11 @@ pub struct EnvConfig {
     /// The transport type to use for sending logs. Possible values are "auto" or "http1".
     #[serde(deserialize_with = "deserialize_optional_string")]
     pub http_protocol: Option<String>,
+    /// @env `DD_TLS_CERT_FILE`
+    /// The path to a file of concatenated CA certificates in PEM format.
+    /// Example: `/opt/ca-cert.pem`
+    #[serde(deserialize_with = "deserialize_optional_string")]
+    pub tls_cert_file: Option<String>,
 
     // Metrics
     /// @env `DD_DD_URL`
@@ -466,6 +471,7 @@ fn merge_config(config: &mut Config, env_config: &EnvConfig) {
     merge_option!(config, env_config, proxy_https);
     merge_vec!(config, env_config, proxy_no_proxy);
     merge_option!(config, env_config, http_protocol);
+    merge_option!(config, env_config, tls_cert_file);
 
     // Endpoints
     merge_string!(config, env_config, dd_url);
@@ -695,6 +701,7 @@ mod tests {
             jail.set_env("DD_PROXY_HTTPS", "https://proxy.example.com");
             jail.set_env("DD_PROXY_NO_PROXY", "localhost,127.0.0.1");
             jail.set_env("DD_HTTP_PROTOCOL", "http1");
+            jail.set_env("DD_TLS_CERT_FILE", "/opt/ca-cert.pem");
 
             // Metrics
             jail.set_env("DD_DD_URL", "https://metrics.datadoghq.com");
@@ -850,6 +857,7 @@ mod tests {
                 proxy_https: Some("https://proxy.example.com".to_string()),
                 proxy_no_proxy: vec!["localhost".to_string(), "127.0.0.1".to_string()],
                 http_protocol: Some("http1".to_string()),
+                tls_cert_file: Some("/opt/ca-cert.pem".to_string()),
                 dd_url: "https://metrics.datadoghq.com".to_string(),
                 url: "https://app.datadoghq.com".to_string(),
                 additional_endpoints: HashMap::from([

mod.rs

@@ -252,6 +252,7 @@ pub struct Config {
     pub proxy_https: Option<String>,
     pub proxy_no_proxy: Vec<String>,
     pub http_protocol: Option<String>,
+    pub tls_cert_file: Option<String>,
 
     // Endpoints
     pub dd_url: String,
@@ -366,6 +367,7 @@ impl Default for Config {
             proxy_https: None,
             proxy_no_proxy: vec![],
             http_protocol: None,
+            tls_cert_file: None,
 
             // Endpoints
             dd_url: String::default(),

yaml.rs

@@ -53,6 +53,8 @@ pub struct YamlConfig {
     pub dd_url: Option<String>,
     #[serde(deserialize_with = "deserialize_optional_string")]
     pub http_protocol: Option<String>,
+    #[serde(deserialize_with = "deserialize_optional_string")]
+    pub tls_cert_file: Option<String>,
 
     // Endpoints
     #[serde(deserialize_with = "deserialize_additional_endpoints")]
@@ -417,6 +419,7 @@ fn merge_config(config: &mut Config, yaml_config: &YamlConfig) {
     merge_option!(config, proxy_https, yaml_config.proxy, https);
     merge_option_to_value!(config, proxy_no_proxy, yaml_config.proxy, no_proxy);
     merge_option!(config, yaml_config, http_protocol);
+    merge_option!(config, yaml_config, tls_cert_file);
 
     // Endpoints
     merge_hashmap!(config, yaml_config, additional_endpoints);
@@ -747,6 +750,7 @@ proxy:
   no_proxy: ["localhost", "127.0.0.1"]
 dd_url: "https://metrics.datadoghq.com"
 http_protocol: "http1"
+tls_cert_file: "/opt/ca-cert.pem"
 
 # Endpoints
 additional_endpoints:
@@ -882,6 +886,7 @@ api_security_sample_delay: 60 # Seconds
                 proxy_https: Some("https://proxy.example.com".to_string()),
                 proxy_no_proxy: vec!["localhost".to_string(), "127.0.0.1".to_string()],
                 http_protocol: Some("http1".to_string()),
+                tls_cert_file: Some("/opt/ca-cert.pem".to_string()),
                 dd_url: "https://metrics.datadoghq.com".to_string(),
                 url: String::new(), // doesnt exist in yaml
                 additional_endpoints: HashMap::from([