
TLS support for RPC server and upstream connections #23

@tac0turtle


Summary

Add TLS support for both apex's outbound connections (to celestia-node) and its inbound RPC server.

Motivation

  • Production deployments often require encrypted transport
  • celestia-node is also tracking TLS support (celestiaorg/celestia-node#4346)
  • Without TLS, auth tokens transit in plaintext

Requirements

Upstream fetcher (outbound)

  • Support wss:// endpoints for celestia-node WebSocket connections
  • Support TLS for gRPC connections to upstream nodes
  • Configurable CA certificate for self-signed certs
  • Skip-verify option for development (with warning log)

RPC server (inbound)

  • Optional TLS termination on the JSON-RPC server
  • Optional TLS on the gRPC server
  • Certificate and key file paths in config

Configuration

data_source:
  endpoint: wss://celestia-node.example.com:26658
  tls:
    ca_cert: ""              # custom CA for self-signed
    skip_verify: false       # dev only

rpc:
  address: 0.0.0.0:26659
  tls:
    cert_file: ""
    key_file: ""

grpc:
  address: 0.0.0.0:26660
  tls:
    cert_file: ""
    key_file: ""
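
As an added example (not apex's own code and not part of this issue), the following Go sketch shows how the `data_source.tls`, `rpc.tls` and `grpc.tls` sections above could be turned into `crypto/tls` configurations. The type and function names, the TLS 1.2 floor and the mapping of `ws`/`http` to plaintext and `wss`/`https` to TLS are assumptions; the warning log for `skip_verify` and the both-or-neither rule for `cert_file`/`key_file` follow the requirements listed above.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"log"
	"net/url"
	"os"
)

// UpstreamTLS mirrors the data_source.tls section (Go names are assumed).
type UpstreamTLS struct {
	CACert     string `yaml:"ca_cert"`
	SkipVerify bool   `yaml:"skip_verify"`
}

// ServerTLS mirrors the rpc.tls and grpc.tls sections (Go names are assumed).
type ServerTLS struct {
	CertFile string `yaml:"cert_file"`
	KeyFile  string `yaml:"key_file"`
}

// EndpointNeedsTLS decides from the URL scheme whether the outbound
// connection must be wrapped in TLS. The scheme mapping is an assumption.
func EndpointNeedsTLS(endpoint string) (bool, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return false, fmt.Errorf("data_source.endpoint: %w", err)
	}
	switch u.Scheme {
	case "wss", "https":
		return true, nil
	case "ws", "http":
		return false, nil
	}
	return false, fmt.Errorf("data_source.endpoint: unsupported scheme %q", u.Scheme)
}

// clientTLSFromPEM builds the outbound tls.Config. caPEM is nil when the
// operator did not set ca_cert, in which case the system roots are used.
func clientTLSFromPEM(caPEM []byte, skipVerify bool) (*tls.Config, error) {
	tc := &tls.Config{MinVersion: tls.VersionTLS12} // floor is an assumption
	if skipVerify {
		// Requirement: skip-verify is for development only and must be loud.
		log.Printf("WARNING: data_source.tls.skip_verify=true; upstream certificate is NOT verified (dev only)")
		tc.InsecureSkipVerify = true
		return tc, nil
	}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("data_source.tls.ca_cert: no certificates found in PEM")
		}
		tc.RootCAs = pool // trust only the custom CA (self-signed deployments)
	}
	return tc, nil
}

// ClientTLSConfig returns nil for ws:// and http:// endpoints (plaintext)
// and a populated tls.Config for wss:// and https://.
func ClientTLSConfig(endpoint string, cfg UpstreamTLS) (*tls.Config, error) {
	needs, err := EndpointNeedsTLS(endpoint)
	if err != nil || !needs {
		return nil, err
	}
	var caPEM []byte
	if cfg.CACert != "" {
		caPEM, err = os.ReadFile(cfg.CACert)
		if err != nil {
			return nil, fmt.Errorf("data_source.tls.ca_cert: %w", err)
		}
	}
	return clientTLSFromPEM(caPEM, cfg.SkipVerify)
}

// ServerTLSConfig returns nil when TLS is off (both paths empty), an error
// when only one of cert_file/key_file is set, and otherwise a server
// tls.Config for the JSON-RPC or gRPC listener named by section.
func ServerTLSConfig(section string, cfg ServerTLS) (*tls.Config, error) {
	if cfg.CertFile == "" && cfg.KeyFile == "" {
		return nil, nil
	}
	if cfg.CertFile == "" || cfg.KeyFile == "" {
		return nil, fmt.Errorf("%s.tls: cert_file and key_file must both be set", section)
	}
	cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("%s.tls: %w", section, err)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

func main() {
	tc, err := ClientTLSConfig("wss://celestia-node.example.com:26658", UpstreamTLS{})
	fmt.Printf("outbound: tls=%v err=%v\n", tc != nil, err)
	_, err = ServerTLSConfig("rpc", ServerTLS{CertFile: "cert.pem"}) // half-configured
	fmt.Println("inbound misconfig:", err)
}
```

Returning a nil `*tls.Config` for plaintext endpoints lets the WebSocket and gRPC dialers keep one code path; the half-configured server case is rejected at startup rather than silently listening in plaintext.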

Non-goals

  • mTLS (mutual TLS) — add later if needed
  • Automatic cert provisioning (Let's Encrypt) — use a reverse proxy for that
