Implement VC API (#1657)

## Issue Addressed

NA

## Proposed Changes

- Implements a HTTP API for the validator client.
- Creates EIP-2335 keystores with an empty `description` field, instead of a missing `description` field. Adds option to set name.
- Be more graceful with setups without any validators (yet)
    - Remove an error log when there are no validators.
    - Create the `validator` dir if it doesn't exist.
- Allow building a `ValidatorDir` without a withdrawal keystore (required for the API method where we only post a voting keystore).
- Add optional `description` field to `validator_definitions.yml`

## TODO

- [x] Signature header, as per https://github.com/sigp/lighthouse/issues/1269#issuecomment-649879855
- [x] Return validator descriptions
- [x] Return deposit data
- [x] Respect the mnemonic offset
- [x] Check that mnemonic can derive returned keys
- [x] Be strict about non-localhost
- [x] Allow graceful start without any validators (+ create validator dir)
- [x] Docs final pass
- [x] Swap to EIP-2335 description field. 
- [x] Fix Zerioze TODO in VC api types.
- [x] Zeroize secp256k1 key

## Endpoints

- [x] `GET /lighthouse/version`
- [x] `GET /lighthouse/health`
- [x] `GET /lighthouse/validators` 
- [x] `POST /lighthouse/validators/hd`
- [x] `POST /lighthouse/validators/keystore`
- [x] `PATCH /lighthouse/validators/:validator_pubkey`
- [ ] ~~`POST /lighthouse/validators/:validator_pubkey/exit/:epoch`~~ Future works


## Additional Info

TBC

validator_client/src/cli.rs

@@ -1,4 +1,4 @@
-use crate::config::DEFAULT_HTTP_SERVER;
+use crate::config::DEFAULT_BEACON_NODE;
 use clap::{App, Arg};
 
 pub fn cli_app<'a, 'b>() -> App<'a, 'b> {
@@ -8,13 +8,22 @@ pub fn cli_app<'a, 'b>() -> App<'a, 'b> {
             "When connected to a beacon node, performs the duties of a staked \
                 validator (e.g., proposing blocks and attestations).",
         )
+        .arg(
+            Arg::with_name("beacon-node")
+                .long("beacon-node")
+                .value_name("NETWORK_ADDRESS")
+                .help("Address to a beacon node HTTP API")
+                .default_value(&DEFAULT_BEACON_NODE)
+                .takes_value(true),
+        )
+        // This argument is deprecated, use `--beacon-node` instead.
         .arg(
             Arg::with_name("server")
                 .long("server")
                 .value_name("NETWORK_ADDRESS")
-                .help("Address to connect to BeaconNode.")
-                .default_value(&DEFAULT_HTTP_SERVER)
-                .takes_value(true),
+                .help("Deprecated. Use --beacon-node.")
+                .takes_value(true)
+                .conflicts_with("beacon-node"),
         )
         .arg(
             Arg::with_name("validators-dir")
@@ -97,4 +106,40 @@ pub fn cli_app<'a, 'b>() -> App<'a, 'b> {
                 .value_name("GRAFFITI")
                 .takes_value(true)
         )
+        /* REST API related arguments */
+        .arg(
+            Arg::with_name("http")
+                .long("http")
+                .help("Enable the RESTful HTTP API server. Disabled by default.")
+                .takes_value(false),
+        )
+        /*
+         * Note: there is purposefully no `--http-address` flag provided.
+         *
+         * The HTTP server is **not** encrypted (i.e., not HTTPS) and therefore it is unsafe to
+         * publish on a public network.
+         *
+         * We restrict the user to `127.0.0.1` and they must provide some other transport-layer
+         * encryption (e.g., SSH tunnels).
+         */
+        .arg(
+            Arg::with_name("http-port")
+                .long("http-port")
+                .value_name("PORT")
+                .help("Set the listen TCP port for the RESTful HTTP API server. This server does **not** \
+                provide encryption and is completely unsuitable to expose to a public network. \
+                We do not provide a --http-address flag and restrict the user to listening on \
+                127.0.0.1. For access via the Internet, apply a transport-layer security like \
+                a HTTPS reverse-proxy or SSH tunnelling.")
+                .default_value("5062")
+                .takes_value(true),
+        )
+        .arg(
+            Arg::with_name("http-allow-origin")
+                .long("http-allow-origin")
+                .value_name("ORIGIN")
+                .help("Set the value of the Access-Control-Allow-Origin response HTTP header.  Use * to allow any origin (not recommended in production)")
+                .default_value("")
+                .takes_value(true),
+        )
 }