tls: Allow TLS flags to be reset

[alloveras]

Description

Add a NullableStringConverter to the options framework that maps an empty string to null and wire it to the TLS flags --tls_certificate, --tls_client_certificate, and --tls_client_key so that passing --<flag-name>= on the command line resets the flag to its unset state.

Motivation

Flags with defaultValue = "null" are correctly null at startup, but there was no way to reset them back to unset from the command line (e.g. to override a .bazelrc setting). Passing --tls_certificate= leaves the value as an empty string, which is then passed to new File(""), causing a confusing error.

Build API Changes

This PR affects the following command-line flags:

• --tls_certificate
• --tls_client_certificate
• --tls_client_key

1. Has this been discussed in a design doc or issue? bazelbuild/bazel#4595

2. Is the change backward compatible? Any previously valid non-empty value continues to work exactly as before. Any empty string now correctly resets the flag to its default value as opposed to propagating the empty string value downstream, which, in some cases, turns out to be catastrophic.

3. If it's a breaking change, what is the migration plan? N/A.

Checklist

• I have added tests for the new use cases (if any).
• I have updated the documentation (if applicable).

Release Notes

RELNOTES: --tls_certificate=, --tls_client_certificate=, and --tls_client_key= can now be used to reset those flags to their unset state.

[alloveras]

The failed test seems to be a flake or somehow unrelated breakage to this change 🤔 ? I don't seem to have enough permissions to retry the failed step, so I am unsure how to proceed. I would appreciate some guidance 😉