ipn/ipnserver: add TS_PERMIT_CERT_UID envknob to give webservers cert access

So you can run Caddy etc as a non-root user and let it have access to
get certs.

Updates caddyserver/caddy#4541

Change-Id: Iecc5922274530e2b00ba107d4b536580f374109b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

ipn/localapi/localapi.go

@@ -52,8 +52,15 @@ type Handler struct {
 	PermitRead bool
 
 	// PermitWrite is whether mutating HTTP handlers are allowed.
+	// If PermitWrite is true, everything is allowed.
+	// It effectively means that the user is root or the admin
+	// (operator user).
 	PermitWrite bool
 
+	// PermitCert is whether the client is additionally granted
+	// cert fetching access.
+	PermitCert bool
+
 	b            *ipnlocal.LocalBackend
 	logf         logger.Logf
 	backendLogID string