AutoMTLS for secrets/auth plugins (#15671)

* use automtls for v5 secrets/auth plugins

* add automtls env guard

* start backend without metadata mode

* use PluginClientConfig for backend's NewPluginClient param

refactor

* - fix pluginutil test
- do not expect plugin to be unloaded in UT
- fix pluginutil tests --need new env var
- use require in UT
- fix lazy load test

* add changelog

* prioritize automtls; improve comments

* user multierror; refactor pluginSet for v4 unit test

* add test cases for v4 and v5 plugin versions

* remove unnecessary call to AutoMTLSSupported

* update comment on pluginSets

* use runconfig directly in sdk newpluginclient

* use automtls without metadatamode for v5 backend plugin registration

* use multierror for plugin runconfig calls

* remove some unnecessary code

sdk/plugin/backend.go

@@ -20,9 +20,10 @@ var (
 // GRPCBackendPlugin is the plugin.Plugin implementation that only supports GRPC
 // transport
 type GRPCBackendPlugin struct {
-	Factory      logical.Factory
-	MetadataMode bool
-	Logger       log.Logger
+	Factory           logical.Factory
+	MetadataMode      bool
+	AutoMTLSSupported bool
+	Logger            log.Logger
 
 	// Embeding this will disable the netRPC protocol
 	plugin.NetRPCUnsupportedPlugin
@@ -41,12 +42,13 @@ func (b GRPCBackendPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server)
 
 func (b *GRPCBackendPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
 	ret := &backendGRPCPluginClient{
-		client:       pb.NewBackendClient(c),
-		clientConn:   c,
-		broker:       broker,
-		cleanupCh:    make(chan struct{}),
-		doneCtx:      ctx,
-		metadataMode: b.MetadataMode,
+		client:     pb.NewBackendClient(c),
+		clientConn: c,
+		broker:     broker,
+		cleanupCh:  make(chan struct{}),
+		doneCtx:    ctx,
+		// Only run in metadata mode if mode is true and autoMTLS is not supported
+		metadataMode: b.MetadataMode && !b.AutoMTLSSupported,
 	}
 
 	// Create the value and set the type