Some users may not want to expose all vault clients
to the same networks. In particular they might want
to have some on the default access network and some
on an external network. This patch adds support for
new 'external' binding which clients can use to
talk to the vault api.
When leadership is transferred to another unit when Vault is in HA mode,
the new leader didn't have the `charm.vault.ca.ready` flag set, so it
would fail to respond to any cert requests, even though the CA was
already properly configured. This addresses that issue, with the caveat
that when the leadership takeover happens, all requested certs will be
re-issued due to the new leader (potentially) not having access to the
previously published data. (We can fix this once we have
application-level relation data.)