Currently device certificates (CA & Server certificate) are lost when deploying a new config to a device (as we do a full reset + run the device config).
We should try to update our deploy.sh to do even more and:
- Understand if we are bootstrapping a device (certificate doesn't exist) or upgrading a device (certificate exists)
- Bootstrapping a device should result in
  - Certificate generation commands being emitted in the device config
  - Uploading remote site certificates into the router
- Upgrading a device should result in
  - Exporting the CA and Server certificates to the device storage
  - Certificate import commands instead of generation
Mikrotik devices will only export the secret key material when a passphrase is specified, so we need to ensure that's set in the site secrets file.
This is now set and configured via the DEVICE_UPGRADE env var. It defaults to true and renders the certificate import commands; if set to false, it will render the certificate generation commands.
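The branching described in this issue, as an added example that is not the project's own deploy.sh: it renders RouterOS certificate commands from DEVICE_UPGRADE and refuses the upgrade path when no passphrase is available, since the export would then carry no private keys. CERT_PASSPHRASE (standing in for the site secrets value), the function names, and the certificate names `ca` and `server` are assumptions.

```shell
#!/bin/sh
# Added example. DEVICE_UPGRADE is from the thread; CERT_PASSPHRASE and the
# certificate names "ca" and "server" are assumptions for illustration.

check_passphrase() {
    # No passphrase means RouterOS exports certificates without private keys,
    # so a later import would restore unusable CA/server entries.
    [ -n "${CERT_PASSPHRASE:-}" ] || { echo "error: passphrase not set" >&2; return 1; }
    # Refuse characters that would break out of the quoted RouterOS string.
    case "$CERT_PASSPHRASE" in
    *'"'*|*'\'*|*'$'*) echo "error: unsupported passphrase character" >&2; return 1 ;;
    esac
}

# Commands to run on the device before the reset (upgrade path only).
render_export_commands() {
    check_passphrase || return 1
    for name in ca server; do
        printf '/certificate export-certificate %s export-passphrase="%s"\n' \
            "$name" "$CERT_PASSPHRASE"
    done
}

# Certificate section of the device config that runs after the reset.
render_cert_commands() {
    case "${DEVICE_UPGRADE:-true}" in   # defaults to true, as in the thread
    true)
        check_passphrase || return 1
        for name in ca server; do
            for ext in crt key; do
                printf '/certificate import file-name=cert_export_%s.%s passphrase="%s"\n' \
                    "$name" "$ext" "$CERT_PASSPHRASE"
            done
        done ;;
    false)
        printf '%s\n' \
            '/certificate add name=ca common-name=ca key-usage=key-cert-sign,crl-sign' \
            '/certificate sign ca' \
            '/certificate add name=server common-name=server' \
            '/certificate sign server ca=ca' ;;
    *)
        echo "error: DEVICE_UPGRADE must be true or false" >&2; return 2 ;;
    esac
}
```

The rendered output contains the passphrase in clear text, so the generated config deserves the same handling as the site secrets file.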