SPIRE Server should try to auto-rotate on increased workload TTLs config

[amoore877]

Steps:

1. Start spire-server with some X default_x509_svid_ttl and reasonable Y server CA TTL. spire-server should also be making use of .data journaling of its CAs. For specific values, let's say X is two days and Y is 24 days.
2. spire-server should come up healthy
3. Turn down spire-server, and update default_x509_svid_ttl and server CA to much higher values. For specifics, let's say 14 days and 168 days, respectively.

Reality:

spire-server will spawn up fine, but will print warnings like default_x509_svid_ttl is too high. SVIDs with shorter lifetimes may be issued. Please set default_x509_svid_ttl to ${internal_value} or less to guarantee the full default_x509_svid_ttl lifetime when CA rotations are scheduled.

spire-server is now in state of potentially truncating svid TTLs until it naturally rotates, which could be a while, especially if under the shorter CA TTL the next CA was already prepated.

Expectation:

When spire-server's CA TTL config is extended, this should be detected by spire-server. It should make an effort to:

1. prepare a next CA (even if one already exists) using the new TTL.
2. On success of above, rotate to that new CA.
3. Prior to any of the successes above, we are still issuing SVIDs under old shorter CA- a further but likely more difficult enhancement would be to flag those for re-signing within the ecosystem in some way, though this may not strictly be necessary.

Result:

With (1) and (2) at least, spire-server will more quickly get its own CA in order with configuration, and thus leaf SVIDs will be signed with their new potentially longer TTLs more quickly as well.

(3) would be significant work and may not be worthwhile. But I think the rest may be somewhat straightforward?

Workaround:

Purge spire-server's .data directory and restart.