We get support for enabling auto_encryption at set up time, allowing
client instances to get their TLS key/cert pairs from the consul
servers.

In order to allow browsers to access the UI we also need to enable the
HTTPS endpoint and disable mTLS on the HTTPS endponit, while keeping
mTLS enabled for RPC connections.

When we're running consul in client mode and want it to connect to the
servers we must provide the CA and enable HTTPS.  It's also good
practice to disable plain HTTP.

There's a known issue[1] in v1.6.0 that prevents consul clients from
contacting the servers when they're configured to auto-join.  This
workaround[2] gets things working.

1: hashicorp/consul#6391
2: hashicorp/consul#6391 (comment)

When auto_encrypt is used on the client agents there's still no support
for TLS over the HTTPS API[1].

In order for the client agents to interact with services such as nomad
we need to enable the HTTP API, but to maintain some level of controls
we also restrict write operations to localhost.

1: hashicorp/consul#6403